// Trust & Security Report

    Microsoft Corporation logo

    Microsoft Corporation

    Microsoft Teams / Microsoft 365 Copilot

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Office 365 (Commercial) in-scope services include: ... Microsoft Teams ... [listed explicitly in the SOC 2 Type 2 applicability table under Commercial, GCC, GCC High, and DoD environments]

    Verify on learn.microsoft.com
    ISO/IEC 27001:2022
    HELD

    Microsoft Teams [explicitly listed in-scope for Commercial, GCC, GCC High, and DoD environments]. Certificate: 'Microsoft 365 - ISO 27001:2022 Certificate (2024-2027)'

    Verify on learn.microsoft.com
    ISO/IEC 27018
    HELD

    Your control over your data is reinforced by Microsoft's commitment to comply with broadly applicable privacy laws, such as the GDPR, and privacy standards, such as ISO/IEC 27018, the world's first international code of practice for cloud privacy.

    Verify on learn.microsoft.com
    ISO/IEC 42001 (AI Management Systems)
    HELD

    Microsoft 365 Copilot provides broad compliance offerings and certifications, including GDPR, ISO 27001, HIPAA, and the ISO 42001 standard for AI management systems.

    Verify on learn.microsoft.com
    HIPAA BAA
    HELD

    Microsoft Teams is a HIPAA in-scope service under Microsoft 365 when used under the Microsoft HIPAA Business Associate Agreement (BAA) and configured with appropriate compliance controls.

    Verify on support.microsoft.com
    GDPR
    HELD

    Microsoft 365 Copilot, including Microsoft 365 Copilot Search, is compliant with our existing privacy, security, and compliance commitments to Microsoft 365 commercial customers, including the General Data Protection Regulation (GDPR) and European Union (EU) Data Boundary.

    Verify on learn.microsoft.com
    EU Data Boundary
    HELD

    For European Union (EU) users, we have additional safeguards to comply with the EU Data Boundary. EU traffic stays within the EU Data Boundary while worldwide traffic can be sent to the EU and other countries or regions for LLM processing.

    Verify on learn.microsoft.com
    FedRAMP
    HELD

    Microsoft Teams is listed in-scope for Office 365 GCC, GCC High, and DoD environments which are designed to Department of Defense Security Requirements Guidelines Level 4 and Level 5 controls.

    Verify on learn.microsoft.com
    CSA STAR
    HELD

    The Office 365 SOC 2 Type 2 audit incorporates the CCM controls assessment as required by the CSA STAR attestation.

    Verify on learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer can choose region; data stored within chosen geographic area. EU customers covered by EU Data Boundary. Advanced Data Residency (ADR) and Multi-Geo Capabilities available for enterprise. Copilot LLM calls may be routed to nearest data center or other regions during high utilization for non-EU customers.

    For enterprise/commercial Microsoft 365 subscribers: 'Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot.' Optional feedback is not used to train foundation LLMs. Consumer (personal) accounts are governed separately and the consumer privacy statement states Microsoft 'may use your data to develop and train our AI models' with opt-out controls available via the Microsoft privacy dashboard. Enterprise customers have hard contractual guarantees via the DPA; consumer users should review and adjust settings.

    // Security controls

    Bug Bounty Program

    Microsoft runs its own MSRC (Microsoft Security Response Center) bug bounty program directly, not via HackerOne or Bugcrowd. M365 bounty awards range from $1,250 to $19,500 USD for qualified submissions. Payment processing via Intigriti.

    microsoft.com

    Penetration Testing

    Annual third-party audits for SOC 2 and ISO 27001 conducted by independent AICPA-accredited CPA firms. Microsoft also conducts internal red teaming and the Secure Future Initiative (SFI) mandates security-first engineering across all products.

    learn.microsoft.com

    Encryption at Rest and in Transit

    Microsoft 365 uses BitLocker, per-file encryption, TLS, and IPsec. 'Microsoft uses rigorous physical security, background screening, and a multi-layered encryption strategy to protect the confidentiality and integrity of customer content.'

    learn.microsoft.com

    Jailbreak and Prompt Injection Defenses

    Microsoft 365 Copilot uses jailbreak and cross-prompt injection attack (XPIA) classifiers. Content harm filters cover Hate & Fairness, Sexual, Violence, and Self-harm categories.

    learn.microsoft.com

    Zero Trust / Logical Isolation

    Logical isolation of customer content within each tenant achieved through Microsoft Entra authorization and role-based access control.

    learn.microsoft.com

    Vulnerability Disclosure

    Coordinated Vulnerability Disclosure (CVD) via MSRC Researcher Portal at msrc.microsoft.com/report/vulnerability

    microsoft.com

    Copilot Copyright Commitment

    Microsoft will defend commercial customers and pay adverse judgments for copyright infringement lawsuits arising from use of Microsoft Copilots, subject to guardrail compliance.

    learn.microsoft.com

    // Products & data scope

    Microsoft Teams (Free)Collaboration / Chat

    data: Consumer account terms apply. Microsoft may use data to improve services. AI features limited. Privacy governed by consumer privacy statement.

    Basic chat, meetings, file sharing. No Copilot AI. Consumer data terms, not enterprise DPA.

    Microsoft Teams (Microsoft 365 Business/Enterprise)Collaboration / Chat / Meetings

    data: Enterprise DPA applies. SOC 2 Type 2, ISO 27001 in-scope. HIPAA BAA available. Data not used for LLM training.

    Requires M365 Business or Enterprise subscription. Full compliance suite. Admin controls for data governance.

    Microsoft 365 Copilot (Teams AI features)AI Assistant / Generative AI

    data: Enterprise DPA applies. Prompts and responses not used to train foundation LLMs. EU Data Boundary for EU customers. Data residency commitments via ADR and Multi-Geo. Azure OpenAI used for processing, not public OpenAI.

    Add-on to M365 E3/E5 or Business Premium. Covers AI meeting summaries, chat drafting, Copilot in Teams. ISO 42001 certified. Anthropic models available as subprocessor (separate terms for EU Data Boundary scope).

    Microsoft Teams for EducationCollaboration / Education

    data: FERPA-compliant configurations available. Same M365 compliance umbrella. Parental consent controls for minors.

    Used by schools and universities. Student data protections apply.

    Microsoft Teams GCC / GCC High / DoDCollaboration / Government

    data: Designed for US Federal, State, Local, and DoD use. FedRAMP High authorized (GCC High/DoD). Data stored in US only.

    Separate cloud environment. Strictest compliance tier. Not available to commercial customers.

    // What to watch

    • Consumer accounts (personal Microsoft accounts) are subject to a different privacy regime where Microsoft may use data for AI model improvement with opt-out controls; enterprise/commercial customers have hard DPA protections.
    • Anthropic models are available as a subprocessor within M365 Copilot experiences but are out of scope for EU Data Boundary commitments per Microsoft's own documentation.
    • Microsoft Teams itself is not self-hostable; all AI features require cloud connectivity to Azure OpenAI infrastructure.

    // At a glance

    Pricing model

    Freemium. Free tier available. Paid via Microsoft 365 subscriptions (Business Basic from ~$6/user/month, Business Standard ~$12.50/user/month). Microsoft 365 Copilot AI add-on ~$30/user/month.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Microsoft Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    microsoft.com

    > Browse all vendor trust reports