Enterprise data protection in Microsoft 365 Copilot and Microsoft 365 Copilot Chat (original) (raw)
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Enterprise data protection in Microsoft 365 Copilot and Microsoft 365 Copilot Chat
- Article
- 01/15/2025
In this article
What is enterprise data protection in Microsoft 365 Copilot and Microsoft 365 Copilot Chat?
The use of Microsoft 365 Copilot and Microsoft 365 Copilot Chat, as used by organizations, are covered by the terms of the Data Protection Addendum (DPA) and Product Terms, with Microsoft acting as a data processor.
Enterprise data protection (EDP) refers to controls[1] and commitments, under the Data Protection Addendum (DPA) and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. The use of the term EDP isn't meant to limit the benefits offered under the DPA and Product Terms.
Enterprise data protection for prompts and responses
Microsoft 365 Copilot and Microsoft 365 Copilot Chat offer the same enterprise terms[2] available in our Microsoft 365 commercial offerings.
Use of Microsoft 365 Copilot and Microsoft 365 Copilot Chat involves prompts (entered by users) and responses (content generated by Copilot). With EDP, prompts and responses are protected by the same contractual terms and commitments widely trusted by our customers for their emails in Exchange and files in SharePoint.
- We secure your data: We help protect your data with encryption at rest and in transit, rigorous physical security controls, and data isolation between tenants.
- Your data is private: We won’t use your data except as you instruct. Our commitments to privacy include support for GDPR, ISO/IEC 27018, and our Data Protection Addendum.
- Your access controls and policies apply to Copilot: Copilot respects your identity model and permissions, inherits your sensitivity labels, applies your retention policies, supports audit of interactions, and follows your administrative settings. The specific controls and policies will vary depending on the underlying subscription plan.
- You're protected against AI security and copyright risks: We help safeguard against AI-focused risks such as harmful content and prompt injections. For content copyright concerns, we provide protected material detection and our Customer Copyright Commitment.
- Your data isn’t used to train foundation models: Microsoft 365 Copilot Chat uses the user’s context to create relevant responses. Microsoft 365 Copilot also uses Microsoft Graph data. Consistent with our other Copilot offers, prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation models.
Additional resources
- Learn more about data, security, and privacy for Microsoft 365 Copilot
- Learn more about data, security, and privacy in Microsoft 365 Copilot Chat
Privacy and security of web queries
Ground responses in latest data
In addition to prompts and responses, web search queries (different from Microsoft Graph queries) are also a part of Copilot interactions. Allowing Copilot to reference web content via these queries improves the quality of Copilot responses by grounding them in the latest information from the web via Bing search service.
Web queries have their own data handling practices
- Web queries sent to the Bing search service are handled identically by both Copilots. Queries are generated from the prompt into a few words. They're sent via a secure connection with user and tenant identifiers removed. They aren't shared with advertisers and aren’t used to train our foundation large language models (LLMs).
- The Bing search service operates separately from Microsoft 365 and has different data-handling practices covered by the Microsoft Services Agreement between each user and Microsoft, together with the Microsoft Privacy Statement. The means that Microsoft acts as an independent data controller responsible for complying with all applicable laws and controller obligations. This approach is consistent with other optional connected experiences that rely on Bing.
- Learn more about data, privacy, and security of web queries in Microsoft 365 Copilot and Microsoft 365 Copilot Chat
Agents in Microsoft 365 Copilot
When you’re using agents in Microsoft 365 Copilot, check the privacy statement and terms of use of the agents to determine how they'll handle your organization’s data.
[1] The specific controls will vary depending on a customer's Microsoft subscription plans.
[2] Microsoft 365 Copilot and Microsoft 365 Copilot Chat support HIPAA compliance for properly configured implementations.