Microsoft Copilot
Enterprise-Ready
The vendor is rated 'Enterprise-Ready' with a score of 85 out of 100. Key strengths include independently verified SOC 2 Type 2 and ISO 27001 certifications, and a commitment not to train on customer data. However, a material security finding notes CVE-2026-26136 (MEDIUM) with no fix listed, and the Privacy Policy was recently substantially rewritten, impacting privacy, data sharing, or retention. Buyers should request the remediation timeline for the unpatched CVE and review the updated Privacy Policy to assess potential impacts on their obligations or risk.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, SOC2 TYPE2). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement A Data Processing Agreement is published and tracked.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure 3 known CVE(s); none currently in CISA KEV.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy No security.txt vulnerability disclosure policy found.
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 7 legal/policy documents publicly tracked.
Ask This in Your Security Review 1 open items
- Vulnerability Disclosure PolicyConfirm a coordinated vulnerability disclosure / security.txt contact.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech |
| GDPR | Stated by vendor | https://learn.microsoft.com/en-us/compliance/regulatory/gdpr |
| HIPAA | Stated by vendor | https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech |
| ISO 27001 | Stated by vendor | https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-27001 |
| SOC 2 | Stated by vendor | https://learn.microsoft.com/en-us/compliance/regulatory/offering-soc |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| Arbitration / Dispute Resolution key clause |
True
“IF YOU LIVE IN (OR YOUR PRINCIPAL PLACE OF BUSINESS IS IN) THE UNITED STATES, PLEASE READ THE BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER IN SECTION 15 OF THE MICROSOFT SERVICES AGREEMENT .”vendor's exact wording |
https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse |
| Base Price (USD) |
9.99
“Microsoft 365 Personal $9.99 /month Subscription automatically renews unless canceled in Microsoft account.”vendor's exact wording |
https://www.microsoft.com/en-us/microsoft-365-copilot/pricing/individuals |
| Data Residency |
['EU']
“Microsoft Cloud ermöglicht es Kunden, personenbezogene Daten innerhalb der europäischen Datengrenze aufzubewahren Die EU-Datengrenze von Microsoft ermöglicht es Kunden, ihre Daten innerhalb der EU zu speichern und zu verarbeiten.”vendor's exact wording |
https://www.microsoft.com/de-de/privacy |
| IP / Content Ownership key clause |
True
“We don’t own Your Content, but we may use Your Content to operate Copilot and improve it.”vendor's exact wording |
https://www.microsoft.com/en-us/microsoft-copilot/for-individuals/termsofuse |
| Sub-processors (published list) | View document → | https://aka.ms/online-services-subprocessors |
| Trains on Customer Data key clause |
Free / Pro:
trains on data
Consumer Copilot (signed-in personal account, eligible markets): conversation activity is used to train models by default — opt out via Privacy > Model Training. Uploaded files, EEA/UK users, minors and M365 Personal/Family are excluded.
cited →
Enterprise:
does not train
Microsoft 365 Copilot (commercial): prompts, responses and Microsoft Graph data are never used to train foundation models.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2026-06-04 CVE CVE-2026-45497 disclosed (HIGH · no fix listed)
- 2026-06-04 CVE CVE-2026-42824 disclosed (MEDIUM · no fix listed)
- 2026-03-19 CVE CVE-2026-26136 disclosed (MEDIUM · no fix listed)
- 2024-01-19 SEC 8-K Material cybersecurity incident disclosed to SEC by MICROSOFT CORP
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://servicetrust.microsoft.com/ |
| SOC2 TYPE2 | Available via Trust Center | https://servicetrust.microsoft.com/ |
Common compliance questions
Tracked Legal & Policy Documents
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. Trust center → |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center → |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
4 legal & policy documents under change-monitoring since 2026-06-11. 5 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-27 | ToS Clause Change |
The Privacy Policy was substantially rewritten — 13 removed, 13 added. Review the current version.
What this means: This change to the Privacy Policy touches your privacy, data sharing or retention. Read 13 added and 13 removed passages in the current Privacy Policy to see whether it affects your obligations or risk.
Show exact changed textIn plain terms — verify against the exact changed text below: The document adds an introductory statement about refreshing the Privacy Statement to make it easier to read, navigate, and understand. It also changes a section title reference, updates several phrases and pronouns, adds a new section reference for data collected from children, and removes a paragraph detailing how pe @@ -1,4 +1,7 @@ Microsoft Privacy Statement -What's new? +What's New? +We’ve refreshed our Privacy Statement to make it easier to read, navigate, and understand, with clearer explanations of how we use data and the choices available to you. More detailed information is available in +What's New +. Print Expand All @@ -9,5 +12,5 @@ EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Frameworks Microsoft complies with the EU-U.S., UK Extension to the EU-U.S., and Swiss-U.S. Data Privacy Frameworks. To learn more, see the -Where we store and process personal data +Storage and processing of personal data section, and visit the U.S. Department of Commerce’s Data Privacy Framework website @@ -19,223 +22,200 @@ How to contact us section of this privacy statement. -Your privacy is important to us. This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes. -Microsoft offers a wide range of products, including server products used to help operate enterprises worldwide, devices you use in your home, software that students use at school, and services developers use to create and host what’s next. References to Microsoft products in this statement include Microsoft services, websites, apps, software, servers, and devices. +Your privacy is important to Microsoft. This privacy statement explains the personal data we process, how we process it, and for what purposes. +Microsoft offers a wide range of products, including server products used to help operate enterprises worldwide, devices customers use in their homes, software that students use at school, and services developers use to create and host new products. References to Microsoft products in this statement include Microsoft services, websites, apps, software, servers, and devices. Please read the product-specific details in this privacy statement, which provide additional relevant information. This statement applies to the interactions Microsoft has with you and the Microsoft products listed below, as well as other Microsoft products that display this statement. -Young people may prefer starting with the +You can find details about personal data collected from children in the +Collection of data from children +section. Young people may find it helpful to start with the Privacy for young people -page. That page highlights information that may be helpful for young people. +page. For individuals in the United States, please refer to our U.S. State Data Privacy Notice -and the +(including notice at collection details) and the Consumer Health Data Privacy Policy -for additional information about the processing of your personal data, and your rights under applicable U.S. state data privacy laws. -Personal data we collect -Microsoft collects data from you, through our interactions with you and through our products. You provide some of this data directly, and we get some of it by collecting data about your interactions, use, and experiences with our products. The data we collect depends on the context of your interactions with Microsoft and the choices you make, including your privacy settings and the products and features you use. We also obtain data about you from Microsoft affiliates, subsidiaries, and third parties. -If you represent an organization, such as a business or school, that utilizes Enterprise and Developer Products from Microsoft, please see the -Enterprise and developer products -section of this privacy statement to learn how we process your data. If you are an end user of a Microsoft product or a Microsoft account provided by your organization, please see the +for additional information about your rights and the processing of your personal data. +Please see the Enterprise and developer products section of this privacy statement for more information about how we process data from organizations that use our products and services, like businesses and schools. If you use a Microsoft product or a Microsoft |
| 2026-06-17 | CVE / Security Incident |
2 new CVEs (published from 2026-06-04): CVE-2026-42824, CVE-2026-45497. 2 of these have no vendor fix listed yet (CVE-2026-42824, CVE-2026-45497).
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
| 2026-06-16 | CVE / Security Incident |
2 new CVEs (published from 2026-06-04): CVE-2026-42824, CVE-2026-45497. 2 of these have no vendor fix listed yet (CVE-2026-42824, CVE-2026-45497).
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
| 2026-06-15 | CVE / Security Incident |
2 new CVEs (published from 2026-06-04): CVE-2026-42824, CVE-2026-45497. 2 of these have no vendor fix listed yet (CVE-2026-42824, CVE-2026-45497).
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
| 2026-06-08 | CVE / Security Incident |
1 new CVE (published from 2026-03-19): CVE-2026-26136. 1 of these have no vendor fix listed yet (CVE-2026-26136).
What this means: A newly disclosed vulnerability has no vendor fix listed yet — ask for the remediation timeline and confirm your exposure.
|
Search the Legal Documents verbatim · cited
Search Microsoft Copilot's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Microsoft Copilot — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Microsoft Copilot changes something that affects your risk. Built for procurement & security teams.