Microsoft 365 Copilot compliance: GDPR, AI Act, DPA, training, transfers
Independent compliance research from Janus Compliance. Reviewed by Michael K. Onyekwere, CIPP/E. Last reviewed 2026-04-29. Not legal advice.
TL;DR. Strong contractual no-training position for the paid Copilot product. EU Data Boundary default weakened on 2026-04-17 — "flex routing" allows EU tenant data to process outside the EU during peak demand, on by default. Anthropic enabled as subprocessor 2026-01-07 — Anthropic processing is explicitly out of EU Data Boundary scope. Two products share the Copilot name (Microsoft 365 Copilot vs Copilot Chat / consumer Copilot) with very different data models.
DPO action: review your tenant's flex routing setting and Anthropic models toggle now. If you have not reviewed since 2026-03-25, your data is being processed outside the EU Data Boundary by default.
What the tool does
Microsoft 365 Copilot is an AI assistant embedded in Word, Excel, PowerPoint, Outlook, Teams, and the wider M365 stack. It draws on the user's tenant data (emails, files, chats) via Microsoft Graph and combines that with large language models to generate text, summaries, action items, and draft documents. There is also a separate Microsoft 365 Copilot Chat product, which has a different data model. Buyers must distinguish them in any DPIA. Copilot Studio (the agent platform) is a separate compliance evaluation again.
Data processed
The hard part of this profile is that Copilot processes a lot:
- Email content (Outlook)
- Document content (OneDrive, SharePoint)
- Chat and meeting transcripts (Teams)
- Calendar data
- User identity and permissions
- Anything else accessible via the user's M365 Graph permissions
Special-category likelihood: Very high. Copilot reads anything the signed-in user can read. In a typical SME, that includes HR records, performance reviews, financial data, and customer correspondence. DPIA is not optional for any deployment.
Default geographic processing: EU Data Boundary applies for EU tenants — but with significant caveats (see EU/UK transfer position below). The "flex routing" change effective 2026-04-17 materially weakens the default.
DPA availability
Microsoft 365 Copilot is governed by the Microsoft Product Terms and Data Protection Addendum (DPA), both publicly available and incorporated by reference into all M365 commercial agreements.
- DPA URL: Microsoft publishes the current Product Terms and DPA at aka.ms/DPA
- Sign-up requirement: applies automatically to all M365 commercial customers
- Updated regularly; check the version date on each review
The DPA establishes Microsoft as processor for tenant content and includes SCCs and the UK Addendum.
Subprocessor list
Microsoft maintains a list of "Subprocessors and Data Locations" for online services. Notable subprocessors / sub-models for Copilot specifically:
- OpenAI — historical core model provider
- Anthropic — added as a subprocessor effective 2026-01-07; Anthropic models default-enabled for most commercial tenants
- Various support, analytics, and infrastructure subprocessors
Crucial nuance: when Copilot uses Anthropic models, the processing falls outside the Microsoft EU Data Boundary. Microsoft documentation states verbatim:
"Anthropic models deployed in Microsoft offerings (including Microsoft 365 Copilot, Researcher, Copilot Studio, Power Platform, Agent Mode in Excel, and Word, Excel, and PowerPoint agents) are currently excluded from the EU Data Boundary, and when applicable, in-country processing commitments."
This is not optional behaviour — by default, EU tenants now have Copilot inferencing happening with a subprocessor that does not honour the boundary, and the exclusion applies across the broader Microsoft product surface, not just the Copilot chat experience.
Buyers can disable Anthropic models in Microsoft 365 admin centre, but the default is on.
Training-on-customer-data position
Microsoft 365 Copilot does not use prompts, responses, or data accessed through Microsoft Graph to train foundation LLMs, including those used by M365 Copilot itself. This is a contractual commitment in the Product Terms.
Source: Microsoft Learn — "Data, Privacy, and Security for Microsoft 365 Copilot."
This is a meaningful difference from consumer Copilot products and is one of the strongest commercial-tier no-training commitments in the market.
EU / UK transfer position
This is the most important section of this profile and where buyers most often have an outdated mental model.
Historical position (pre-April 2026): Microsoft committed to processing EU tenant data within the EU Data Boundary. This was a strong selling point.
Current position (effective 2026-04-17): Microsoft has enabled "flex routing" by default. Flex routing allows Copilot LLM inferencing to occur outside the EU Data Boundary during peak demand — your tenant's prompts and Graph-derived content can be processed in non-EU infrastructure when EU capacity is constrained.
- Flex routing is enabled by default for all new tenants created after 2026-03-25
- For existing tenants, flex routing was enabled by default on 2026-04-17 unless the admin disabled it
- Admins can disable flex routing in the Microsoft 365 admin centre under Copilot settings
Combined with the Anthropic subprocessor change (out of EU Data Boundary by design), the realistic default for an EU Copilot tenant in 2026 is that some of its data processing happens outside the EU.
SCCs apply to non-EU processing under the Microsoft DPA. UK Addendum applies for UK customers.
My read: The 2026-04-17 default change is a material risk that EU/UK DPOs need to evaluate immediately. "Copilot is EU Data Boundary by default" is no longer accurate. If you have not reviewed your tenant settings since March 2026, you may be processing personal data outside the EU without a current decision having been made.
Security documentation
Microsoft's compliance posture is broad and well-documented. Relevant for Copilot:
- SOC 1 / 2 / 3 — yes, all
- ISO 27001 / 27017 / 27018 / 27701 — yes
- ISO/IEC 42001:2023 — yes, both Microsoft 365 Copilot and Microsoft 365 Copilot Chat are certified (issued by Mastermind, accredited by IAS). Microsoft also holds CSA STAR for AI 42001.
- FedRAMP — yes (US government)
- HIPAA / HITRUST — yes
- EU GDPR / UK GDPR — explicit compliance commitments in DPA
- Microsoft Service Trust Portal — exhaustive compliance documentation, gated access
Strong, well-evidenced security baseline. The compliance gaps are not in standards coverage; they are in defaults and configuration.
AI Act role + risk classification
- Role: Microsoft acts as both provider (of Copilot as a system) and a deployer-side enabler. The underlying LLMs (OpenAI, Anthropic) are GPAI providers.
- Your role as a buyer: deployer, with deployer obligations.
- Risk tier for typical use cases: depends entirely on what you let Copilot do. Generic productivity assistance sits at minimal/limited risk. If Copilot is making or substantially supporting decisions in HR, hiring, performance management, or other Annex III-adjacent areas, deployer high-risk obligations apply.
Microsoft publishes AI Act readiness materials. Useful evidence for your audit file but does not relieve your own obligations.
DPIA prompts (for your use case)
- Have you reviewed your flex routing setting since 2026-03-25? If not, it is currently on by default and your tenant data may be processed for inferencing outside the EU.
- Have you decided whether to allow Anthropic models? They were enabled by default 2026-01-07 and process outside the EU Data Boundary.
- Have you mapped which roles can access Copilot? Copilot reads anything the user can read. Over-permissioned mailboxes and SharePoint sites become AI-exposure points.
- Have you implemented Microsoft Purview or equivalent DLP to control what Copilot can surface? Default deployments have minimal guard rails.
- AI Act Annex III applicability: is Copilot being used in any HR, hiring, performance, or decision-support flow that touches Annex III? If so, deployer high-risk obligations engage.
- Copilot Studio agents: if you've built or enabled agents, treat each as a separate AI system for AI Act purposes — risk-classify each independently.
Unresolved questions / red flags
- The flex routing default change (2026-04-17) is the single biggest active compliance risk for EU Copilot tenants right now. Many DPOs have not reviewed this setting. The "EU Data Boundary by default" assumption is outdated.
- Anthropic-as-subprocessor (2026-01-07) introduces an explicit EU Data Boundary exception. Decision required, not implicit.
- Copilot's data access scope is the user's full Graph permissions. Over-permissioning becomes a Copilot-magnified problem.
- The Copilot family confusion is rampant. Microsoft 365 Copilot (paid, tenant-data, no-training), Copilot Chat (consumer / different data model), Copilot Studio (agent platform), Copilot in GitHub (separate again). Each needs its own DPIA entry.
- Microsoft Service Trust Portal is gated — buyers need to register to pull primary compliance documents.
Sources checked
- https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy — checked 2026-04-29
- Microsoft documentation on the flex routing change effective 2026-04-17 — corroborated via multiple independent sources
- https://learn.microsoft.com/en-us/copilot/microsoft-365/connect-to-ai-subprocessor — Anthropic as subprocessor 2026-01-07
- Independent reporting on flex routing implications (windowsforum, changepilot, innfactory, office365itpros) — 2026-04-29