Share via

Verification of compliance for Azure Document Intelligence: processing of personal data in custom models

francesco.d 25 Reputation points
2025-01-17T10:44:08.48+00:00

Hi,

I am using the Azure Document Intelligence product, specifically the “Custom Extraction Model,” to process documents containing personal data, such as bills, through the OCR system. Also, as per the documentation, a container has been associated with this system through the Azure Blob Storage service. I need to verify the compliance of these products against specific requirements related to the protection and management of personal data and European regulations. We have found that some of the information available in the official documentation is not completely clear, particularly regarding custom templates. To enable me to do this, I ask for detail regarding the following points of interest:

- Data encryption:

Confirm that data is encrypted both during transfer to the cloud (in-transit) and during storage (at-rest).

- Server localization and compliance:

Assurance that the servers used are located within the European Economic Area (EEA) or in countries that provide an adequate level of data protection as required by the GDPR.

- Principle of retention limitation:

Ability to define a customized retention policy for documents, with automatic deletion of data at the end of the strictly necessary period. Assurance that data processing is limited to what is essential for operational purposes, avoiding the storage of unnecessary information.

- Audit and monitoring:

Clarification of the possibility of enabling audit systems to monitor access and changes to archived documents. Ways of securely storing access records and the possibility of limiting their visibility to authorized personnel only.

- Purpose:

Confirmation that any personal data contained in processed documents will not be used by the cloud service.

Thanking you in advance,

Francesco

Azure AI Document Intelligence
Azure AI Document Intelligence
An Azure service that turns documents into usable data. Previously known as Azure Form Recognizer.
1,888 questions
Accepted answer
  1. Sina Salam 16,766 Reputation points
    2025-01-18T13:13:21.68+00:00

    Hello francesco.d,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to verify the compliance for Azure Document Intelligence: processing of personal data in custom models as stated.

    - Data encryption: Confirm that data is encrypted both during transfer to the cloud (in-transit) and during storage (at-rest).

    Azure Document Intelligence ensures that data is encrypted both in-transit and at-rest. Data in-transit is protected using TLS (Transport Layer Security), and data at-rest can be encrypted using Microsoft-managed keys or customer-managed keys (CMK) for added security - https://learn.microsoft.com/en-us/azure/ai-services/document-intelligence/authentication/encrypt-data-at-rest?view=doc-intel-4.0.0

    - Server localization and compliance: Assurance that the servers used are located within the European Economic Area (EEA) or in countries that provide an adequate level of data protection as required by the GDPR.

    Azure services, including Document Intelligence, offer data residency options to ensure compliance with GDPR. You can choose to store and process data within the European Economic Area (EEA) or in countries that provide an adequate level of data protection as required by GDPR. - https://learn.microsoft.com/en-us/legal/cognitive-services/document-intelligence/data-privacy-security

    - Principle of retention limitation: Ability to define a customized retention policy for documents, with automatic deletion of data at the end of the strictly necessary period. Assurance that data processing is limited to what is essential for operational purposes, avoiding the storage of unnecessary information.

    Azure allows you to define customized retention policies for your data. You can set up automatic deletion of documents after a specified period, ensuring that data is only retained for as long as necessary for operational purposes. - https://learn.microsoft.com/en-us/azure/ai-services/document-intelligence/train/custom-model?view=doc-intel-4.0.0 This helps in avoiding the storage of unnecessary information.

    - Audit and monitoring: Clarification of the possibility of enabling audit systems to monitor access and changes to archived documents. Ways of securely storing access records and the possibility of limiting their visibility to authorized personnel only.

    Azure provides robust auditing and monitoring capabilities. You can enable audit logs to monitor access and changes to archived documents. These logs can be securely stored and access to them can be restricted to authorized personnel only. - https://learn.microsoft.com/en-us/azure/ai-services/document-intelligence/how-to-guides/build-a-custom-model?view=doc-intel-4.0.0

    - Purpose: Confirmation that any personal data contained in processed documents will not be used by the cloud service.

    Azure Document Intelligence ensures that any personal data contained in processed documents is used solely for the purpose of providing the service. Microsoft does not use your data for any other purposes. - https://learn.microsoft.com/en-us/azure/ai-services/document-intelligence/model-overview?view=doc-intel-4.0.0

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.