// Trust & Security Report
Microsoft Corporation
Microsoft Teams / Microsoft 365 Copilot
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on learn.microsoft.com“Office 365 (Commercial) in-scope services include: ... Microsoft Teams ... [listed explicitly in the SOC 2 Type 2 applicability table under Commercial, GCC, GCC High, and DoD environments]”
Verify on learn.microsoft.com“Microsoft Teams [explicitly listed in-scope for Commercial, GCC, GCC High, and DoD environments]. Certificate: 'Microsoft 365 - ISO 27001:2022 Certificate (2024-2027)'”
Verify on learn.microsoft.com“Your control over your data is reinforced by Microsoft's commitment to comply with broadly applicable privacy laws, such as the GDPR, and privacy standards, such as ISO/IEC 27018, the world's first international code of practice for cloud privacy.”
Verify on learn.microsoft.com“Microsoft 365 Copilot provides broad compliance offerings and certifications, including GDPR, ISO 27001, HIPAA, and the ISO 42001 standard for AI management systems.”
Verify on support.microsoft.com“Microsoft Teams is a HIPAA in-scope service under Microsoft 365 when used under the Microsoft HIPAA Business Associate Agreement (BAA) and configured with appropriate compliance controls.”
Verify on learn.microsoft.com“Microsoft 365 Copilot, including Microsoft 365 Copilot Search, is compliant with our existing privacy, security, and compliance commitments to Microsoft 365 commercial customers, including the General Data Protection Regulation (GDPR) and European Union (EU) Data Boundary.”
Verify on learn.microsoft.com“For European Union (EU) users, we have additional safeguards to comply with the EU Data Boundary. EU traffic stays within the EU Data Boundary while worldwide traffic can be sent to the EU and other countries or regions for LLM processing.”
Verify on learn.microsoft.com“Microsoft Teams is listed in-scope for Office 365 GCC, GCC High, and DoD environments which are designed to Department of Defense Security Requirements Guidelines Level 4 and Level 5 controls.”
Verify on learn.microsoft.com“The Office 365 SOC 2 Type 2 audit incorporates the CCM controls assessment as required by the CSA STAR attestation.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer can choose region; data stored within chosen geographic area. EU customers covered by EU Data Boundary. Advanced Data Residency (ADR) and Multi-Geo Capabilities available for enterprise. Copilot LLM calls may be routed to nearest data center or other regions during high utilization for non-EU customers.
For enterprise/commercial Microsoft 365 subscribers: 'Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs, including those used by Microsoft 365 Copilot.' Optional feedback is not used to train foundation LLMs. Consumer (personal) accounts are governed separately and the consumer privacy statement states Microsoft 'may use your data to develop and train our AI models' with opt-out controls available via the Microsoft privacy dashboard. Enterprise customers have hard contractual guarantees via the DPA; consumer users should review and adjust settings.
// Security controls
Bug Bounty Program
Microsoft runs its own MSRC (Microsoft Security Response Center) bug bounty program directly, not via HackerOne or Bugcrowd. M365 bounty awards range from $1,250 to $19,500 USD for qualified submissions. Payment processing via Intigriti.
microsoft.comPenetration Testing
Annual third-party audits for SOC 2 and ISO 27001 conducted by independent AICPA-accredited CPA firms. Microsoft also conducts internal red teaming and the Secure Future Initiative (SFI) mandates security-first engineering across all products.
learn.microsoft.comEncryption at Rest and in Transit
Microsoft 365 uses BitLocker, per-file encryption, TLS, and IPsec. 'Microsoft uses rigorous physical security, background screening, and a multi-layered encryption strategy to protect the confidentiality and integrity of customer content.'
learn.microsoft.comJailbreak and Prompt Injection Defenses
Microsoft 365 Copilot uses jailbreak and cross-prompt injection attack (XPIA) classifiers. Content harm filters cover Hate & Fairness, Sexual, Violence, and Self-harm categories.
learn.microsoft.comZero Trust / Logical Isolation
Logical isolation of customer content within each tenant achieved through Microsoft Entra authorization and role-based access control.
learn.microsoft.comVulnerability Disclosure
Coordinated Vulnerability Disclosure (CVD) via MSRC Researcher Portal at msrc.microsoft.com/report/vulnerability
microsoft.comCopilot Copyright Commitment
Microsoft will defend commercial customers and pay adverse judgments for copyright infringement lawsuits arising from use of Microsoft Copilots, subject to guardrail compliance.
learn.microsoft.com// Products & data scope
data: Consumer account terms apply. Microsoft may use data to improve services. AI features limited. Privacy governed by consumer privacy statement.
Basic chat, meetings, file sharing. No Copilot AI. Consumer data terms, not enterprise DPA.
data: Enterprise DPA applies. SOC 2 Type 2, ISO 27001 in-scope. HIPAA BAA available. Data not used for LLM training.
Requires M365 Business or Enterprise subscription. Full compliance suite. Admin controls for data governance.
data: Enterprise DPA applies. Prompts and responses not used to train foundation LLMs. EU Data Boundary for EU customers. Data residency commitments via ADR and Multi-Geo. Azure OpenAI used for processing, not public OpenAI.
Add-on to M365 E3/E5 or Business Premium. Covers AI meeting summaries, chat drafting, Copilot in Teams. ISO 42001 certified. Anthropic models available as subprocessor (separate terms for EU Data Boundary scope).
data: FERPA-compliant configurations available. Same M365 compliance umbrella. Parental consent controls for minors.
Used by schools and universities. Student data protections apply.
data: Designed for US Federal, State, Local, and DoD use. FedRAMP High authorized (GCC High/DoD). Data stored in US only.
Separate cloud environment. Strictest compliance tier. Not available to commercial customers.
// What to watch
- Consumer accounts (personal Microsoft accounts) are subject to a different privacy regime where Microsoft may use data for AI model improvement with opt-out controls; enterprise/commercial customers have hard DPA protections.
- Anthropic models are available as a subprocessor within M365 Copilot experiences but are out of scope for EU Data Boundary commitments per Microsoft's own documentation.
- Microsoft Teams itself is not self-hostable; all AI features require cloud connectivity to Azure OpenAI infrastructure.
// At a glance
Pricing model
Freemium. Free tier available. Paid via Microsoft 365 subscriptions (Business Basic from ~$6/user/month, Business Standard ~$12.50/user/month). Microsoft 365 Copilot AI add-on ~$30/user/month.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Microsoft Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
microsoft.com