Services temporarily excluded from the EU Data Boundary

For some services, work is in progress to be included in the EU Data Boundary, but completion of this work is delayed. Services in this category are either temporarily excluded from the EU Data Boundary for all customers or are temporarily excluded from the EU Data Boundary for a particular subset of customers for a service (for example, based on a customer not yet having migrated to a service version in scope for the EU Data Boundary), as described in this documentation. The details in this documentation explain the Customer Data, pseudonymized personal data, or Professional Services Data that these services currently transfer out of the EU Data Boundary as part of their service operations.

Azure services

Azure non-regional services

Azure non-regional services (for the complete list, see Azure Products by Region) are services that have no dependency on a specific Azure region and don't currently let customers specify a region for deployment. Non-regional services are being rearchitected to be included in the EU Data Boundary. For some services, this work is already complete. See Configuring Azure non-regional services for the EU Data Boundary for a list of these services, including information on how to configure them to store and process Customer Data, pseudonymized personal data, and Professional Services Data in the EU Data Boundary.

The following sections provide information about the other non-regional services for which rearchitecting is still in progress and explain what Customer Data, pseudonymized personal data, or Professional Services Data is transferred outside of the EU Data Boundary, why those transfers occur, and how the transferred data is protected while outside the EU.

Azure DevOps

Azure DevOps provides a suite of services to facilitate team development, planning, and collaboration. When Azure DevOps customers use the Token feature and issue Personal Access Tokens (PATs), or provide Secure Shell (SSH) keys, this Customer Data is transferred from the EU Data Boundary to systems within the United States. PATs and SSH keys are stored in the United States for as long as the Azure DevOps organization and/or project is active, or until the customer decides to delete the PATs or SSH keys. In addition to the Customer Data transferred with PATs and SSH keys, user email addresses are globally stored in a US-based DevOps routing service for back-end compatibility with public APIs that support the way user descriptors were previously stored in Azure DevOps.

Azure Policy

Azure Policy enforces organizational standards and compliance by comparing the properties of Azure resources against configured business policies. Types of Customer Data that will be transferred globally include policy entities, compliance information, usernames, and email addresses. Pseudonymized personal data transferred globally includes object IDs.

Azure portal, Azure mobile app, Azure Resource Graph, Azure role-based access control (Azure RBAC)

Azure portal provides a web-based interface that allows customers to manage Azure subscriptions and resources. Azure mobile app provides customers with a mobile application to manage Azure subscriptions and resources. Azure Resource Graph provides APIs to query Azure resources at scale. Azure role-based access control (Azure RBAC) provides Azure resource access management via the Azure portal. Customer Data that is transferred globally includes values like usernames, email addresses, IP addresses, and Microsoft Entra ID tokens. Pseudonymized personal data transferred globally includes user global unique ID (GUID), primary unique ID (PUID), and session IDs. In the case of Azure Resource Graph, pseudonymized personal data transferred globally includes object IDs, PUID, subscriptions, tenant IDs, and user queries in addition to customer-defined resource properties.

Microsoft 365 services

Watson Platform for Enterprise

If a customer has enabled optional connected experiences for Microsoft 365 products or has configured Windows for enterprise to collect optional diagnostic data, crash data is sent to the United States. When a Microsoft 365 application or Windows for enterprise exits unexpectedly, crash data is collected and can include various information about the application state or device, such as in-memory data, processes running on the device, device configuration, and other data depending on the crash scenario, application, or service.

Whiteboard

As of July 2022, Customer Data stored in whiteboards created in the standalone Whiteboard application and in Microsoft Teams meetings, chats, and channels defaults to OneDrive for Business storage in the EU Data Boundary for relevant customers. With the exception of whiteboards created prior to July 2022, and those created from Surface Hubs and Microsoft Teams Room devices, all Whiteboard content is stored in the EU for EU customers. By the end of 2025, customers who created whiteboards from a Surface Hub or Microsoft Teams Room device will be moved to the EU for EU customers through a choice-driven migration experience.