Claude Code for Everyone

Module 10 — Security & Good Habits

🎯 Goal: Use Claude Code in a way that keeps your job, your company's data, and your sanity safe. ⏱️ Time: ~45 min. Don't skip this one.

If your work touches sensitive personal data — names, financial details, possibly health and identity information — this module is the difference between "helpful automation" and "compliance incident."


The five rules of company data

  1. Process locally, don't transmit. Having Claude Code rename or read a file on your laptop is the low-risk pattern. Copy-pasting the contents of a sensitive document into a chat — any chat, including AI chat boxes on websites — is not. The file staying on your machine is the safe path you've been taught all course. (One caveat: in regulated industries, even local AI-assisted work can need sign-off. If your company has an AI or data policy, follow it.)

  2. Never paste secrets into a conversation. Passwords, API tokens, client SSNs, full personal records — these don't go into prompts. If a task seems to need a secret, that's your signal to stop and check the "Handling secrets" section below.

  3. When unsure, ask before automating. "Can I use an AI tool to process these files locally on my laptop?" is a fair question for your manager or compliance team. Asking protects you. Most companies will say yes to local processing and have a clear process for anything involving live systems.

  4. Keep work data on work machines. Don't move company files to a personal laptop, personal cloud, or personal email "to work on them at home."

  5. Mind the data rule from Module 01. No connecting Claude Code to your company's SaaS tools or any live company system without explicit IT/security approval.


Handling secrets (for the day you get API access)

You won't need this yet (we're local-files-only), but learn the principle now so you never hardcode a password:

  • Never type a password or token directly into a code file. If Claude Code ever writes password = "abc123" into a file, stop it.
  • The correct pattern is an environment variable or a .env file that is kept out of Git. Claude Code knows this pattern — if you ever set up an API, say: "store the token securely as an environment variable, never in the code, and make sure it's excluded from Git."
  • A password manager (1Password, or whatever your company provides) is the right place to keep tokens. Ask IT what they recommend.
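
The pattern from the bullets above, as an added example that is not part of the original course material: read the token from the environment, flag hardcoded values like password = "abc123", and confirm .env is excluded from Git. The variable name API_TOKEN and the sample text are constructed for illustration, and the .gitignore check is a simplified matcher (git check-ignore -v .env is the authoritative test).

```python
import fnmatch
import os
import re

# Matches assignments of a string literal to a secret-like name,
# e.g.  password = "abc123"  or  API_TOKEN = 'xyz'.
HARDCODED = re.compile(
    r"""(?i)\b\w*(password|passwd|secret|token|api_key)\w*\s*=\s*(['"])[^'"]+\2"""
)

def find_hardcoded_secrets(source: str) -> list[int]:
    """Return 1-based line numbers that hardcode a secret-like value."""
    return [n for n, line in enumerate(source.splitlines(), 1) if HARDCODED.search(line)]

def load_token(name: str, env=None) -> str:
    """Read a secret from the environment and fail loudly if it is missing."""
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; export it or put it in a .env file kept out of Git")
    return value

def env_file_ignored(gitignore_text: str, filename: str = ".env") -> bool:
    """Simplified check that .gitignore excludes the secrets file."""
    ignored = False
    for raw in gitignore_text.splitlines():
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        negated = rule.startswith("!")
        pattern = rule.lstrip("!").lstrip("/")
        if fnmatch.fnmatch(filename, pattern):
            ignored = not negated  # later rules override earlier ones, as in Git
    return ignored

# Constructed sample: line 2 hardcodes a password, line 3 uses the safe pattern.
SAMPLE = 'import os\npassword = "abc123"\ntoken = os.environ["API_TOKEN"]\n'

if __name__ == "__main__":
    print("hardcoded secrets on lines:", find_hardcoded_secrets(SAMPLE))
    print(".env ignored:", env_file_ignored("node_modules/\n.env\n"))
```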

Good habits that prevent disasters

Habit                                     Why
Work on copies, never originals           A buggy automation can't destroy what it can't touch.
Dry-run before executing                  Preview changes before they happen (Module 08).
Commit before big changes                 Git lets you rewind anything (Module 05).
Keep a log when renaming/moving in bulk   Your undo trail.
Read permission prompts                   Claude Code asks before changing things — actually read it.
Spot-check outputs by hand                AI is fast but not infallible. Verify a few rows.
One task per project folder               Keeps things tidy and prevents cross-contamination.
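
Three of these habits combined in one bulk rename, as an added example that is not part of the original course material: work on a copy, preview before executing, and keep a log that can undo the change. The function names, the prefix and the folder layout are assumptions made for illustration.

```python
import csv
import shutil
import tempfile
from pathlib import Path

def make_working_copy(original: Path) -> Path:
    """Copy the folder so the automation never touches the originals."""
    copy = Path(tempfile.mkdtemp(prefix="work_")) / original.name
    shutil.copytree(original, copy)
    return copy

def plan_renames(folder: Path, prefix: str) -> list[tuple[Path, Path]]:
    """Build the (old, new) list without changing anything; refuse overwrites."""
    plan = [(p, p.with_name(prefix + p.name)) for p in sorted(folder.iterdir()) if p.is_file()]
    targets = [new for _, new in plan]
    if len(set(targets)) != len(targets) or any(t.exists() for t in targets):
        raise ValueError("plan would overwrite a file; nothing was changed")
    return plan

def apply_renames(plan, log_path: Path, dry_run: bool = True) -> list[str]:
    """Preview by default; with dry_run=False, rename and log every move."""
    preview = [f"{old.name} -> {new.name}" for old, new in plan]
    if dry_run:
        return preview
    # Keep the log outside the folder being renamed so it is never a rename target.
    with log_path.open("w", newline="") as fh:
        writer = csv.writer(fh)
        for old, new in plan:
            old.rename(new)
            writer.writerow([str(old), str(new)])
    return preview

def undo(log_path: Path) -> int:
    """Replay the log backwards to restore the previous names."""
    with log_path.open(newline="") as fh:
        rows = list(csv.reader(fh))
    for old, new in reversed(rows):
        Path(new).rename(old)
    return len(rows)
```

Call apply_renames once with the default dry_run=True and read the preview before running it again with dry_run=False.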

How to sanity-check Claude Code's work

Trust, but verify. For any automation that matters:

  1. Run it on a tiny sample first (3 files, not 300).
  2. Compare a few outputs to the source by hand. Open one PDF, open the spreadsheet row — do they match?
  3. Ask Claude Code to explain its own logic: "How did you decide which date was the effective date? What happens if a PDF is missing that field?"
  4. Check the edges: empty files, weird names, missing fields. Ask "what does your program do if a file is missing the name field?"

What to do when something goes wrong

  • An automation messed up files: If you worked on copies (you did, right?), just delete the copies and start over. If you committed to Git, run git restore . to rewind to your last save point (as shown in Module 05).
  • You're not sure if something is safe: Stop. Ask Claude Code "is this safe and reversible?" Or ask a human.
  • You think you may have shared sensitive data somewhere you shouldn't have: Tell your manager/compliance team promptly. Early honesty beats late discovery, every time.

A healthy relationship with the tool

  • Claude Code is an assistant, not an oracle. It's brilliant and occasionally confidently wrong. Your judgment is the final check — especially on anything touching real people's records.
  • You don't have to automate everything. Automate the boring, repetitive, high-volume stuff. Keep human judgment on the sensitive, one-off, high-stakes decisions.
  • Learning is iterative. You'll get more ambitious over months. That's the point. Start small, build trust, expand.

✅ You're done with this module when

  • You can recite the five rules of company data.
  • You understand "process locally, don't transmit."
  • You have the verify-before-trust habits down.
  • You know that asking "is this allowed/safe?" is a strength, not a weakness.

🎉 That's the core program — you can now set up, build, and run automations safely. When you're ready to get faster and make it stick, the Level Up section is next.

Next: Module 11 — Using Claude Code Well.
