Microsoft 365 Copilot
Data Protection & Confidentiality Assurance Statement

1. Overview

Microsoft 365 Copilot is an enterprise-grade AI capability integrated into Microsoft 365 (including Outlook, Word, Excel, Teams and SharePoint). It operates entirely within the customer’s Microsoft 365 tenant and is governed by the same security, compliance, and contractual protections as all Microsoft 365 services.


2. Enterprise Security & Data Isolation

Microsoft 365 Copilot is designed for commercial and regulated environments and includes:

  • Processing within the organisation’s Microsoft 365 tenant
  • Logical data isolation between customers (no cross-tenant access)
  • Encryption of data both in transit and at rest
  • Enforcement of existing Microsoft 365 identity and access controls

Copilot only accesses information that a user already has permission to view. It does not grant or elevate access to data.


3. Use of Data & AI Model Training

Microsoft provides a contractual assurance that:

  • Customer data is not used to train foundation AI models
  • Prompts entered into Copilot are not used to improve external models
  • Responses generated by Copilot are treated as customer data

This ensures that all firm data, including sensitive and confidential legal information, remains private and is not incorporated into any shared or public AI system.


4. Confidentiality & Data Handling

All data processed by Copilot:

  • Remains within Microsoft’s secure cloud environment
  • Is governed by the same permissions, policies, and controls as existing Microsoft 365 data
  • Is subject to the organisation’s existing security configuration, including:
    • Role-based access control
    • Sensitivity labels
    • Data Loss Prevention (DLP) policies
    • Retention and compliance policies

Copilot operates as an extension of Microsoft 365 and does not introduce new data exposure pathways.


5. Data Processing Agreement (DPA)

The use of Microsoft 365 Copilot is covered under Microsoft’s standard contractual framework, including:

  • Microsoft Product Terms
  • Microsoft Data Protection Addendum (DPA)

Under these agreements:

  • Microsoft acts as a data processor
  • The customer retains full ownership and control of its data
  • Microsoft is contractually bound to use customer data only to provide the service

These terms align with globally recognised regulations and standards, including GDPR and ISO 27018.


6. Compliance & Regulatory Alignment

Microsoft 365 Copilot inherits Microsoft 365’s compliance framework, including:

  • GDPR-aligned data protection commitments
  • Enterprise-grade audit logging and monitoring
  • Support for legal hold, eDiscovery, and retention requirements

This makes the platform suitable for use in regulated industries, including legal services, where confidentiality and privilege are critical.


7. Summary Assurance

Based on Microsoft’s published architecture and contractual commitments, we confirm:

  • ✅ Enterprise-grade AI platform within Microsoft 365
  • ✅ No use of customer data for AI model training
  • ✅ Strong data isolation and encryption controls
  • ✅ Full alignment with Microsoft 365 security and compliance policies
  • ✅ Covered by Microsoft’s Data Protection Addendum (DPA)


8. Disclaimer

This document is based on Microsoft’s published documentation and contractual commitments as of May 2026. Because Copilot surfaces any information a user is already permitted to view, customers should ensure their own Microsoft 365 environment is appropriately configured (e.g. permissions, sensitivity labels, DLP and other security policies) to meet internal compliance requirements.


9. Further Information

Microsoft Product Terms – https://www.microsoft.com/licensing/terms/productoffering

Microsoft Data Protection Addendum (DPA) – https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

Data, Privacy, and Security for Microsoft 365 Copilot – https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy