AI tools

Approved AI tools

When using software that includes AI-powered features (e.g., writing assistants, smart search or automatic summarization), first confirm whether the tool is listed and approved below for the type of University data you intend to use. If the tool is not listed, or you are unsure, contact your IST Account Rep or Faculty IT support rep before using it with University data.

Tool name	Tool status	Approved for data made public by the source	Approved for University data — Confidential or Restricted	Approved for University data — Highly Restricted	Notes & Limitations
Copilot Chat (UW – login)	Approved	✅ Yes	✅ Yes	❌ No	All users licensed. Safe for internal use. Operates in UW’s secure environment.
Microsoft 365 Copilot Chat (UW - login)	Approved	✅ Yes	✅ Yes	❌ No	Requires additional license. Safe for internal use. Operates in UW’s secure environment.
Copilot Chat (Free)	Reviewed for Limited Use	✅ Yes	❌ No	❌ No	Use only with data made public by the source. Not approved for University-owned data which is not publicly available. Go to Copilot Chat
ChatGPT (Free/Plus)	Reviewed for Limited Use	✅ Yes	❌ No	❌ No	Use only with data made public by the source. Not approved for University-owned data which is not publicly available.

Important: Highly restricted data must not be used with any AI tool — even those that are approved — unless you have explicit, documented approval from the Information Steward for that specific use case.

Problematic tools

The following tools have been reviewed and identified as posing significant security or privacy risks. They are not approved for use with University data. The University of Waterloo may block or restrict access to tools that present unacceptable risks to institutional systems or data.

Tool name	Notes
Otter.ai + Firefies.ai	These tools can join meetings automatically and record without clear user control or consent, creating substantial privacy concerns. They are not approved for any University use.
DeepSeek (hosted versions): https://deepseek.com Mobile apps	The publicly hosted application is not approved. A self-hosted deployment may be evaluated by IST and considered only if it meets University security requirements.

Tool name

Notes

Otter.ai + Firefies.ai

These tools can join meetings automatically and record without clear user control or consent, creating substantial privacy concerns. They are not approved for any University use.

DeepSeek (hosted versions):

https://deepseek.com
Mobile apps

The publicly hosted application is not approved. A self-hosted deployment may be evaluated by IST and considered only if it meets University security requirements.

Understanding University data

University data refers to information that the University creates, collects, receives, or manages in the course of its operations. This includes student records, research data, internal documents, teaching materials, and administrative information.

All University data is subject to the classification framework outlined in Policy 46 – Information Management, which categorizes information into one of the following confidentiality levels:

Public
Confidential
Restricted
Highly Restricted

For support in understanding how to classify data, refer to the Guidance on Information Confidentiality Classification (Policy 46). Researchers using AI tools are advised to consult the Research data risk classification framework and guidelines to ensure appropriate handling of research information.

Quick links

Use of AI tools with University data

AI tools include:

Standalone AI applications (e.g., chatbots, coding assistants, data analysis tools, or tutoring/learning assistants)
AI capabilities embedded within existing institutional systems (e.g., AI-enabled search or recommendations, automated transcription, predictive analytics, or AI-assisted productivity features)

To use AI tools safely, it is important to understand the type of tool you are working with and how the tool relates to data. Consider the following four categories:

Approved

Reviewed by IST, including an Information Risk Assessment (IRA) and, when required, a Privacy Impact Assessment (PIA)
Supported by a formal contract with the vendor
Suitable for handling Confidential and Restricted data, with required permissions for data use obtained
Use with Highly Restricted data requires explicit, documented approval from the appropriate Information Steward

See table of Approved AI tools.

Reviewed for limited use

Reviewed by IST, with an Information Risk Assessment completed for limited use - appropriate only for the specific use case for which the tool was reviewed
No contract with the vendor
Appropriate for use with data that has been made public by the source
Not suitable for university-owned data that has not been made public (i.e. confidential, restricted, or highly restricted data)

Problematic

Reviewed and identified as presenting significant risks
Not appropriate for any University data
May store, retain or use information in ways that pose security or privacy concern

See table of Problematic AI tools.

Unreviewed

No assessment completed
Risks are unknown
No contract or formal oversight
Not suitable for university-owned data that has not been made public (i.e., confidential, restricted, or highly restricted data)