// Trust & Security Report

    Microsoft (Nuance) logo

    Microsoft (Nuance)

    Microsoft Dragon Copilot (formerly Nuance DAX Copilot / Dragon Ambient eXperience)

    Certifications held

    11

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HIPAA (BAA available)
    HELD

    Applications and associated environments have been built to support HIPAA, Personal Information Protection and Electronic Document Act (PIPEDA), GDPR, and GDPR-UK compliant standards.

    Verify on learn.microsoft.com
    HITRUST CSF
    HELD

    Azure meets HITRUST requirements. Specifically, the Microsoft Azure environment has been certified by the Health Information Trust Alliance (HITRUST) as meeting the HITRUST Common Security Framework (CSF), a set of industry-defined, risk-based and compliance-based security standards and controls tailored for the healthcare industry.

    Verify on learn.microsoft.com
    SOC 1 Type II
    HELD

    Certifications: Compliant with ISO/IEC 27001 (certification pending), SOC 1 Type II, SOC 2 Type II, ISO/IEC 27701 (certification pending), C5 type II and NEN7510/2/3.

    Verify on learn.microsoft.com
    SOC 2 Type II
    HELD

    Certifications: Compliant with ISO/IEC 27001 (certification pending), SOC 1 Type II, SOC 2 Type II, ISO/IEC 27701 (certification pending), C5 type II and NEN7510/2/3.

    Verify on learn.microsoft.com
    FedRAMP
    HELD

    Microsoft Azure supports compliance efforts related to more than 65 national, regional, and industry-specific requirements governing the collection and use of individuals' data, including: US Federal Risk and Authorization Management Program (FedRAMP)

    Verify on learn.microsoft.com
    ISO 27001
    HELD

    ISO/IEC 27001 (certification pending) — note: Azure infrastructure is ISO 27001 certified; Dragon Copilot product-level certification was listed as pending in June 2026 FAQ.

    Verify on learn.microsoft.com
    ISO 27701
    HELD

    ISO/IEC 27701 (certification pending) — listed as pending in June 2026 FAQ.

    Verify on learn.microsoft.com
    C5 Type II (Germany)
    HELD

    Certifications: Compliant with ... C5 type II and NEN7510/2/3.

    Verify on learn.microsoft.com
    NEN7510/2/3 (Netherlands)
    HELD

    Certifications: Compliant with ... C5 type II and NEN7510/2/3.

    Verify on learn.microsoft.com
    GDPR
    HELD

    Applications and associated environments have been built to support HIPAA, Personal Information Protection and Electronic Document Act (PIPEDA), GDPR, and GDPR-UK compliant standards.

    Verify on learn.microsoft.com
    PIPEDA
    HELD

    Applications and associated environments have been built to support HIPAA, Personal Information Protection and Electronic Document Act (PIPEDA), GDPR, and GDPR-UK compliant standards.

    Verify on learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US (operations + research in US), Canada (operations in Canada), UK (operations in UK), France/Ireland/Belgium (operations in France, research in EU), Germany/Austria/Netherlands/Switzerland (operations in Germany, research in EU). Data never leaves its geography.

    Customer data (audio, transcripts, clinical documentation) is anonymized within 90 days per HIPAA de-identification and GDPR anonymization standards. Dragon Copilot's AI/ML models are trained SOLELY on this anonymized data. Raw PHI is never used to train models. Direct quote: 'Dragon Copilot's AI/ML models are trained solely on anonymized data.' The vendor also states data is 'never used to train large language models' (referring to the underlying base LLMs); model improvement is limited to Dragon Copilot's own clinical AI/ML components. Human review of raw customer data occurs only for support tickets and annotation of anonymized training sets.

    // Security controls

    Encryption at rest

    AES-256; Bring Your Own Key (BYOK) via Microsoft 365 Customer Key supported

    learn.microsoft.com

    Encryption in transit

    TLS 1.3 with AES-256; audio additionally encrypted with RSA 4096-bit key at capture before TLS wrapping

    learn.microsoft.com

    Penetration testing

    Yes - third-party periodic penetration testing; internal and external scanning; red team approach. Quote: 'Microsoft HLS uses a third-party service to conduct periodic penetration testing, and conducts internal and external scans to identify and address potential vulnerabilities.'

    learn.microsoft.com

    Bug bounty

    Microsoft self-hosted MSRC program (not HackerOne or Bugcrowd); uses Intigriti for award delivery. Dragon Copilot is part of Microsoft Azure/M365 scope. Awards up to $250,000 USD. URL: https://www.microsoft.com/en-us/msrc/bounty

    microsoft.com

    Authentication

    Microsoft Entra ID (Azure AD) with OpenID Connect; SSO and token-based access; two-factor authentication required for all administrative access via Secure Admin Workstation (SAW)

    learn.microsoft.com

    Audit logging

    Full audit logs (date, time, user, event type, IP, success/failure) stored in Azure Application Insights and ingested into Azure Sentinel SIEM. Logs are read-only.

    learn.microsoft.com

    High availability

    Active/active Azure deployment; guaranteed 99.9% uptime; 10 US data centers; data replicated between two data centers; automatic failover

    learn.microsoft.com

    Secure development lifecycle

    Microsoft SDL + BSIMM; Attack Surface Analyzer (ASA) used on each release

    learn.microsoft.com

    Data retention

    Audio, transcript, and flowsheet data retained up to 90 days. Anonymization occurs within 90 days. Data purged via Microsoft Purview Data Lifecycle Management on contract expiry.

    learn.microsoft.com

    // Products & data scope

    Dragon Copilot for PhysiciansAmbient AI clinical documentation

    data: PHI: audio recordings, transcripts, AI-generated clinical notes. Processes voice of clinician and patient during encounters. Data stays in customer's geography. HIPAA BAA covers this product.

    Available on iOS (mobile), Windows (desktop), browser (web), and embedded in EHR. Rebranded from DAX Copilot in March 2025.

    Dragon Copilot for NursesAmbient AI nursing documentation

    data: PHI: audio, transcripts, flowsheet values. Currently US-only; data never leaves the US. Embedded in EHR mobile apps via Entra ID mapping.

    US-only as of June 2026. Captures flowsheet rows and narrative summaries. Separate embedded EHR experience.

    Dragon Copilot for RadiologistsAI-assisted radiology reporting

    data: PHI: radiology encounter audio and report drafts. Integrates with PowerScribe One for reporting workflow.

    Combines Dragon Medical One voice dictation with ambient AI; PowerScribe One integration.

    // What to watch

    • ISO 27001 certification for Dragon Copilot product is listed as 'pending' as of June 2026 FAQ; Azure infrastructure itself holds ISO 27001 but the product-specific cert is not yet issued.
    • AI/ML model training uses anonymized customer data: this is HIPAA-compliant de-identification, not raw PHI. Healthcare procurement teams should review the DPA and Service Specific Terms for opt-out or data-use restriction options.
    • Nursing functionality is currently US-only; international expansion planned but not confirmed timeline.
    • Pricing is not publicly disclosed; enterprise sales engagement required with multi-month implementation timelines (3-6 months).

    // At a glance

    Pricing model

    Enterprise subscription per clinician per month (~$369-$830/month per provider depending on volume; one-time setup fee ~$650-$700). Pricing not publicly listed; requires sales quote. Available on Microsoft Azure Marketplace.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Microsoft (Nuance)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    microsoft.com

    > Browse all vendor trust reports