Overview of Enterprise Data Protection
Microsoft 365 Copilot follows the same data protection standards and privacy commitments as other Microsoft 365 services. These commitments are part of Microsoft’s Data Protection Addendum (DPA) and ensure customer data is protected at all times. Microsoft acts as a data processor, following strict controls to secure prompts and responses generated by Copilot.
For more detailed information, visit Enterprise Data Protection in Microsoft 365 Copilot.
Key Data Protection Features
- Encryption & Security Controls: Data is encrypted at rest and in transit, with robust physical security and data isolation between tenants.
- Privacy Compliance: Copilot supports compliance frameworks like GDPR and ISO/IEC 27018. Microsoft ensures that user data is only processed as instructed and never used to train AI models.
- Permissions & Retention Policies: Copilot respects identity models, sensitivity labels, retention policies, and access controls from your organization’s Microsoft 365 setup. It logs interactions for auditing to align with organizational policies.
- Protection from AI Risks: Microsoft protects against AI-based risks like prompt injections and ensures copyright detection to safeguard content used in responses.
- Foundation Model Usage: Microsoft ensures that user data and prompts are not used to train large language models (LLMs), providing further privacy assurance.
Web Queries and Data Privacy
When Copilot performs web searches, it leverages Bing to provide accurate, up-to-date responses.
- Secure Queries: Queries are processed with user and tenant identifiers removed, ensuring that they are not used for ads or shared with advertisers.
- Separate Data Handling: Bing searches follow Microsoft’s Services Agreement and operate under independent privacy terms from Microsoft 365. Queries are transmitted securely and are not used for AI training.