AI Vendor Security & Compliance Brief

Microsoft 365 Copilot logo Microsoft 365 Copilot

Independent due-diligence summary · every fact links to the vendor's official source
8 source-cited facts
0 independently verified certs
9 legal documents tracked
Generated 2026-07-03
93/100
AI Governance Readiness

Enterprise-Ready

This vendor is rated Enterprise-Ready with a score of 93 out of 100. Strong evidence includes confirmed SOC 2 and ISO 27001 certifications available via the vendor's trust portal, and a commitment not to train on customer data under enterprise terms. A recent critical change is the substantial rewrite of the Privacy Policy, which affects privacy, data sharing, or retention. The most useful next step is to review the current Privacy Policy to assess its impact on your obligations or risk.

Summarized strictly from the source-cited facts below — no outside information. Verify each point against its linked source.

Readiness Breakdown deterministic · evidence-only

  • Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
  • Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
  • Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
  • Data Processing Agreement A Data Processing Agreement is published and tracked.
  • Breach History No known breaches in Have I Been Pwned.
  • Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
  • Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
  • Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
  • Web TLS Certificate Valid TLS certificate in place.
  • Legal Transparency 9 legal/policy documents publicly tracked.
Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review 1 open items

  • Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).

Compliance Posture vendor-stated · cited

FrameworkStatusSource
BAA Available (HIPAA) Stated by vendor https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech
GDPR Stated by vendor https://learn.microsoft.com/en-us/compliance/regulatory/gdpr
HIPAA Stated by vendor https://learn.microsoft.com/en-us/microsoft-365/compliance/offering-hipaa-hitech
ISO 27001 Stated by vendor https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-27001
SOC 2 Stated by vendor https://learn.microsoft.com/en-us/compliance/regulatory/offering-soc
As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

AttributeValueSource
Data Processing Agreement (DPA) View document →
“Microsoft Products and Services Data Protection Addendum (DPA)”vendor's exact wording
https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Sub-processors (published list) View document → https://aka.ms/online-services-subprocessors
Trains on Customer Data key clause
Free / Pro: trains on data The consumer Copilot app trains on conversation activity by default (opt-out) — this is NOT the M365 commercial product. cited →
Enterprise: does not train Microsoft 365 Copilot (commercial): prompts, responses and Microsoft Graph data aren't used to train foundation LLMs; no customer data is shared with OpenAI. cited →
see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Not applicable
No CVE/CPE software identity is mapped to this hosted service; known-vulnerability tracking does not apply to the service identity assessed here.
Vulnerability Disclosure Policy (security.txt) Found 1
Email Spoofing Protection (DMARC) Protected
DMARC enforced and SPF present — spoofing well mitigated.
Web TLS Certificate Valid
Data Breach History None found
Queried the authoritative source; no records.
Supply-Chain Security (OpenSSF Scorecard) Not applicable
Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.
OFAC Sanctions Screening None found
Queried the authoritative source; no records.
SEC Cyber Incident Disclosures (8-K 1.05) Found 1
Historical disclosure — likely remediated; verify current status.

Security & Compliance Timeline authoritative · dated

Dated, source-cited history from authoritative records (NVD, SEC, CISA KEV). Subscribe to get alerted the moment a new event lands.

Certifications Available Under NDA / Trust Center attested · report gated

CertificationStatusTrust Center
ISO 27001 Available via Trust Center https://servicetrust.microsoft.com/
SOC2 TYPE2 Available via Trust Center https://servicetrust.microsoft.com/
An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.

Vendor-Claimed, Not Independently Verified treat as unconfirmed

FEDRAMP LOW Claimed — not independently verified https://servicetrust.microsoft.com/
PEN TEST Claimed — not independently verified https://techcommunity.microsoft.com/blog/microsoft365copilotblog/staying-ahead-of-compliance-keep-up-with-key-insights-from-our-quarterly-complia/4448011
These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Common compliance questions

Each answer is grounded in the cited evidence above — with an honest "no evidence on file" where nothing is published.

Tracked Legal & Policy Documents

DocumentURL
Ccpa Compliance https://microsoft.com/privacy/ccpa
Dpa https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Gdpr Compliance https://microsoft.com/gdpr
Privacy https://www.microsoft.com/en-us/privacy/privacystatement
Security https://www.microsoft.com/en-us/trust-center
Subprocessors https://download.microsoft.com/download/3/0/2/302E3E4F-7EEF-4DB7-8183-E9134254841F/Microsoft%20Commercial%20Support%20Subprocessors.pdf
Tos https://www.microsoft.com/licensing/docs/view/Online-Services-Terms
Trust https://servicetrust.microsoft.com/
Vuln Mgmt https://microsoft.com/.well-known/security.txt

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

DocumentAvailabilityHow to obtain
Business Associate Agreement (BAA) On request (HIPAA only) A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center →
Master Services Agreement (MSA) Negotiated per contract The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center →
Service Level Agreement (SLA) Enterprise tier A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center →

Continuous Monitoring change-tracking active

4 legal & policy documents under change-monitoring since 2026-06-11. 1 tracked change detected since baseline.

DpaPrivacySubprocessorsTos
DetectedChangeDetail
2026-06-27 ToS Clause Change The Privacy Policy was substantially rewritten — 13 removed, 13 added. Review the current version.
What this means: This change to the Privacy Policy touches your privacy, data sharing or retention. Read 13 added and 13 removed passages in the current Privacy Policy to see whether it affects your obligations or risk.
Show exact changed text

In plain terms — verify against the exact changed text below: The document's "What's new?" heading was capitalized, and a new sentence was added explaining the Privacy Statement's refresh. The phrase "Where we store and process personal data" was changed to "Storage and processing of personal data", and several other phrases were updated, including a significant rephrasing and co

@@ -1,4 +1,7 @@ Microsoft Privacy Statement
-What's new?
+What's New?
+We’ve refreshed our Privacy Statement to make it easier to read, navigate, and understand, with clearer explanations of how we use data and the choices available to you. More detailed information is available in
+What's New
+.
 Print
 Expand All


@@ -9,5 +12,5 @@ EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks
 Microsoft complies with the EU-U.S., UK Extension to the EU-U.S., and Swiss-U.S. Data Privacy Frameworks. To learn more, see the
-Where we store and process personal data
+Storage and processing of personal data
 section, and
 visit the U.S. Department of Commerce’s Data Privacy Framework website


@@ -19,223 +22,200 @@ How to contact us
 section of this privacy statement.
-Your privacy is important to us. This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.
-Microsoft offers a wide range of products, including server products used to help operate enterprises worldwide, devices you use in your home, software that students use at school, and services developers use to create and host what’s next. References to Microsoft products in this statement include Microsoft services, websites, apps, software, servers, and devices.
+Your privacy is important to Microsoft. This privacy statement explains the personal data we process, how we process it, and for what purposes.
+Microsoft offers a wide range of products, including server products used to help operate enterprises worldwide, devices customers use in their homes, software that students use at school, and services developers use to create and host new products. References to Microsoft products in this statement include Microsoft services, websites, apps, software, servers, and devices.
 Please read the product-specific details in this privacy statement, which provide additional relevant information. This statement applies to the interactions Microsoft has with you and the Microsoft products listed below, as well as other Microsoft products that display this statement.
-Young people may prefer starting with the
+You can find details about personal data collected from children in the
+Collection of data from children
+section. Young people may find it helpful to start with the
 Privacy for young people
-page. That page highlights information that may be helpful for young people.
+page.
 For individuals in the United States, please refer to our
 U.S. State Data Privacy Notice
-and the
+(including notice at collection details) and the
 Consumer Health Data Privacy Policy
-for additional information about the processing of your personal data, and your rights under applicable U.S. state data privacy laws.
-Personal data we collect
-Microsoft collects data from you, through our interactions with you and through our products. You provide some of this data directly, and we get some of it by collecting data about your interactions, use, and experiences with our products. The data we collect depends on the context of your interactions with Microsoft and the choices you make, including your privacy settings and the products and features you use. We also obtain data about you from Microsoft affiliates, subsidiaries, and third parties.
-If you represent an organization, such as a business or school, that utilizes Enterprise and Developer Products from Microsoft, please see the
-Enterprise and developer products
-section of this privacy statement to learn how we process your data. If you are an end user of a Microsoft product or a Microsoft account provided by your organization, please see the
+for additional information about your rights and the processing of your personal data.
+Please see the Enterprise and developer products section of this privacy statement for more information about how we process data from organizations that use our products and services, like businesses and schools. If you use a Microsoft product or a Microsoft

View full Microsoft 365 Copilot change history →

Search the Legal Documents verbatim · cited

Search Microsoft 365 Copilot's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.

Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.

Monitor Microsoft 365 Copilot — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Microsoft 365 Copilot changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.
Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.