Share via


Enterprise data protection in Microsoft 365 Copilot and Microsoft Copilot

Important

The following information applies to Microsoft 365 Copilot currently and will start rolling out to Microsoft Copilot in the second half of September 2024 for users signed in with a Microsoft Entra account.

What is enterprise data protection in Microsoft 365 Copilot and Microsoft Copilot?

The use of Microsoft 365 Copilot and Microsoft Copilot, as used by organizations, are covered by the terms of the Data Protection Addendum (DPA) and Product Terms, with Microsoft acting as a data processor.

Enterprise data protection (EDP) refers to controls[1] and commitments, under the Data Protection Addendum (DPA) and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft Copilot. The use of the term EDP isn't meant to limit the benefits offered under the DPA and Product Terms.

Enterprise data protection for prompts and responses

Microsoft 365 Copilot and Microsoft Copilot offer the same enterprise terms[2] available in our Microsoft 365 commercial offerings.

Use of Microsoft 365 Copilot and Microsoft Copilot involves prompts (entered by users) and responses (content generated by Copilot). With EDP, prompts and responses are protected by the same contractual terms and commitments widely trusted by our customers for their emails in Exchange and files in SharePoint.

  • We secure your data: We help protect your data with encryption at rest and in transit, rigorous physical security controls, and data isolation between tenants.

  • Your data is private: We won’t use your data except as you instruct. Our commitments to privacy include support for GDPR, ISO/IEC 27018[3], and our Data Protection Addendum.

  • Your access controls and policies apply to Copilot: Copilot respects your identity model and permissions, inherits your sensitivity labels, applies your retention policies, supports audit of interactions, and follows your administrative settings. The specific controls and policies will vary depending on the underlying subscription plan.

  • You're protected against AI security and copyright risks: We help safeguard against AI-focused risks such as harmful content and prompt injections. For content copyright concerns, we provide protected material detection and our Customer Copyright Commitment.

  • Your data isn’t used to train foundation models: Microsoft Copilot uses the user’s context to create relevant responses. Microsoft 365 Copilot also uses Microsoft Graph data. Consistent with our other Copilot offers, prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation models.

Additional resources

Privacy and security of web queries

Ground responses in latest data

In addition to prompts and responses, web search queries (different from Microsoft Graph queries) are also a part of Copilot interactions. Allowing Copilot to reference web content via these queries improves the quality of Copilot responses by grounding them in the latest information from the web via Bing search service.

Web queries have their own data handling practices

Plugins in Microsoft 365 Copilot

When you’re using plugins to help Microsoft 365 Copilot to provide more relevant information, check the privacy statement and terms of use of the plugin to determine how it will handle your organization’s data. For more information, see Extensibility of Microsoft 365 Copilot.

Footnotes

[1] The specific controls will vary depending on a customer's Microsoft subscription plans.

[2] Microsoft 365 Copilot supports HIPAA compliance for properly configured implementations. Microsoft Copilot is under review and doesn't support HIPAA compliance at this time.

[3] Microsoft 365 Copilot runs on the ISO 27018 certified Microsoft 365 platform. Microsoft Copilot will start rolling out to the same platform in the second half of September 2024, for users signed in with a Microsoft Entra account.