// Trust & Security Report

    Microsoft Corporation logo

    Microsoft Corporation

    Microsoft Power Automate (part of Microsoft Power Platform, alongside Power Apps, Power BI, and Power Pages). Sub-products: Power Automate Free/Community, Power Automate Premium (cloud flows + attended desktop flows), Power Automate Process (unattended desktop flows / RPA bots), and Power Automate as bundled in Microsoft 365 / Dynamics 365 plans. Includes Copilot-powered natural-language flow creation.

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    For a list of Microsoft cloud services in audit scope... Azure, Dynamics 365, Microsoft 365, Power Platform. ... The Azure SOC 2 Type 2 attestation report covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.

    Verify on learn.microsoft.com
    ISO/IEC 27001:2022
    HELD

    Services in scope... Azure, Dynamics 365, Microsoft 365, Power Platform. ... The Azure ISO/IEC 27001 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.

    Verify on learn.microsoft.com
    ISO/IEC 27017:2015 (cloud security controls)
    HELD

    Services in scope... Azure, Dynamics 365, Microsoft 365, Power Platform. ... The Azure ISO/IEC 27017 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.

    Verify on learn.microsoft.com
    ISO/IEC 27018:2019 (cloud privacy / PII protection)
    HELD

    Services in scope... Azure, Dynamics 365, Microsoft 365, Power Platform. ... The Azure ISO/IEC 27018 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.

    Verify on learn.microsoft.com
    ISO/IEC 27701:2019 (privacy information management)
    HELD

    Services in scope... Azure, Dynamics 365, Microsoft 365, Power Platform. ... The Azure ISO/IEC 27701 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.

    Verify on learn.microsoft.com
    PCI DSS (Service Provider Level 1, v4.0)
    HELD

    Services in scope... Azure, Dynamics 365, Microsoft 365, Power Platform. ... The Azure PCI DSS audit documentation covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services.

    Verify on learn.microsoft.com
    CSA STAR Attestation
    HELD

    Microsoft cloud services in scope for the Azure CSA STAR Attestation are the same services assessed as part of the Azure SOC 2 Type 2 attestation.

    Verify on learn.microsoft.com
    HIPAA Business Associate Agreement (BAA)
    HELD

    Microsoft in-scope cloud platforms and services ... Power Automate cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite ... Microsoft offers its covered entity and business associate customers a Business Associate Agreement that covers in-scope Microsoft services.

    Verify on learn.microsoft.com
    GDPR (regulatory alignment via DPA and DSR tooling)
    HELD

    The Service Trust portal provides information about how Microsoft services help support compliance with GDPR. ... Power Automate | Responding to Data Subject Requests for Power Automate

    Verify on learn.microsoft.com
    > Show 2 unconfirmed / not-held certifications
    ISO/IEC 42001:2023 (AI management system)
    NOT CONFIRMED

    Microsoft AI services in scope for ISO 42001 certification: GitHub Copilot, Microsoft 365 Copilot, Microsoft Copilot Health, Microsoft Copilot Studio, Microsoft Dragon Copilot, Microsoft Dragon Copilot (Radiologist), Microsoft Foundry, Microsoft Security Copilot. [Power Automate / Copilot in Power Automate is not on this list.]

    source: learn.microsoft.com
    FedRAMP High P-ATO
    NOT CONFIRMED

    Applicability: Azure, Azure Government. ... For a list of Microsoft online services in scope for the FedRAMP High P-ATO in Azure and Azure Government, see Cloud services in audit scope. [Power Platform / Power Automate commercial service is not named as an applicable scope on this offering page; only Azure/Azure Government infrastructure is, with Dynamics 365 U.S. Government covered by a separate agency ATO.]

    source: learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Power Platform environments are pinned to a tenant-selected geo; Microsoft may replicate data to other regions within that geo for resiliency but does not move data outside the geo except for narrow legal/support exceptions.

    Microsoft Learn states, specific to Copilot in Power Automate cloud flows: 'We don't use your customer data to train Copilot or its AI features, unless you provide consent for us to do so' and prompts/responses 'are NOT used to train or improve Microsoft AI models, unless your tenant admin opts in to sharing data with us.' A separate opt-in 'Data sharing for Dynamics 365 Copilot and Power Platform Copilot AI Features' setting is disabled by default; if a tenant admin enables it, Microsoft may capture and manually review inputs/outputs/telemetry to improve its models, retained for 30 days within the tenant's geographic boundary. Default posture: no training. Do not present this as an unconditional 'never trains' guarantee.

    // Security controls

    Encryption in transit

    Connections between customers and Microsoft datacenters are encrypted; all public endpoints use TLS, with TLS 1.2 or higher required for server endpoint access. Data through the on-premises data gateway is also encrypted.

    learn.microsoft.com

    Encryption at rest

    All Dataverse environments use SQL Server Transparent Data Encryption (TDE) for real-time encryption at rest; Microsoft manages database encryption keys by default, with a customer-managed key option available to admins.

    learn.microsoft.com

    Audit logging

    Power Automate events (flow created/edited/deleted, permission changes, trial activity) are searchable in the Microsoft Purview compliance portal Audit Log, retained for 90 days and exportable as CSV.

    learn.microsoft.com

    Trust Center / Service Trust Portal

    Public Microsoft Trust Center covers Power Apps, Power Automate, and Power BI; the authenticated Service Trust Portal hosts downloadable SOC, ISO, and PCI DSS audit reports and certificates.

    learn.microsoft.com

    // Products & data scope

    Power Automate Free / Community planNo-cost cloud flow automation

    data: Standard (non-premium) connectors only; same underlying Power Platform compliance and data-location boundary as paid tiers.

    Entry tier for individual users; limited connector access.

    Power Automate PremiumPer-user cloud + attended desktop flow automation

    data: Adds premium connectors, process mining, and attended (user-driven) desktop flows.

    Primary paid consumer/business tier, ~$15/user/month billed yearly per public pricing on the vendor site.

    Power Automate ProcessPer-bot unattended desktop flow automation (RPA)

    data: Licenses a bot for unattended desktop flows or cloud flows usable by unlimited organization users.

    ~$150/bot/month billed yearly per public pricing on the vendor site; used for large-scale RPA.

    Power Automate bundled in Microsoft 365 / Dynamics 365Included automation capability within a broader suite

    data: Inherits the licensing suite's data boundary and is separately confirmed in-scope for the Office 365 HIPAA BAA table (as 'Power Automate' under Office 365 Microservices).

    Distinct compliance in-scope listing from the standalone Power Automate cloud service, though both are covered.

    Desktop flows (RPA) via on-premises data gatewayHybrid automation connecting on-prem systems

    data: Uses an on-premises data gateway to reach local data sources; gateway traffic is encrypted, but this introduces a customer-managed component outside Microsoft's direct cloud boundary.

    Relevant for data-residency and self-hosting questions; the orchestration/management plane itself remains Microsoft's cloud service.

    // What to watch

    • SOC 2, ISO 27001/27017/27018/27701, PCI DSS, and CSA STAR are shared Azure/Dynamics 365/Power-Platform-wide audits, not a Power-Automate-specific standalone audit; Power Automate is covered because it is part of the 'Power Platform' service group named in each offering's 'Services in scope' list.
    • Do not overclaim AI governance: ISO/IEC 42001 (AI management system) explicitly does NOT list Power Automate or its Copilot features in scope; Microsoft's ISO 42001 certification currently covers Copilot Studio, Microsoft 365 Copilot, GitHub Copilot, Security Copilot, Microsoft Foundry, and Dragon Copilot only.
    • FedRAMP High P-ATO scope (per the Azure FedRAMP offering page) names Azure and Azure Government infrastructure; Power Platform/Power Automate is not listed as an in-scope service there, so it should not be marketed as FedRAMP-authorized for the commercial product.
    • AI training posture is conditional, not absolute: Copilot in Power Automate does not train Microsoft's models on customer data by default, but a tenant admin can opt in to a data-sharing program that allows Microsoft to review and use inputs/outputs/telemetry (30-day retention) to improve the models.

    // At a glance

    Pricing model

    Freemium plus per-user (Premium, ~$15/user/month) and per-bot (Process, ~$150/bot/month) subscriptions, also bundled into Microsoft 365 and Dynamics 365 suite licensing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Microsoft Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    microsoft.com

    > Browse all vendor trust reports