// Trust & Security Report
Microsoft Corporation
Power BI cloud service (Pro, Premium Per User, Premium/Fabric capacity), Power BI Embedded, Power BI Desktop (client), and Power BI Report Server (on-premises); Power BI is now delivered as part of Microsoft Fabric with Copilot AI features.
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on learn.microsoft.com“The Azure SOC 2 Type 2 attestation report shows Microsoft online services in scope: ... Power Apps, Power Automate, Power BI, Copilot Studios ...”
Verify on learn.microsoft.com“Microsoft in-scope cloud platforms and services ... Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite; Power BI Embedded”
Verify on learn.microsoft.com“Microsoft in-scope cloud platforms and services ... Power BI cloud service: either as a standalone service or as included in an Office 365 branded plan or suite; Power BI Embedded”
Verify on learn.microsoft.com“Microsoft processes Customer Data to provide the Online Services in accordance with the controller's documented instructions, as specified in the Product Terms and Products and Services Data Protection Addendum (DPA). ... Microsoft proactively provides these commitments to all Volume Licensing customers as part of their agreements.”
Verify on learn.microsoft.com“Microsoft in-scope cloud platforms and services ... Power BI cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite”
Verify on learn.microsoft.com“Microsoft in-scope cloud platforms and services ... Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite”
Verify on learn.microsoft.com“the Office 365 SOC 2 Type 2 attestation report addresses the requirements defined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) ... The Office 365 SOC 2 Type 2 audit incorporates the CCM controls assessment as required by the CSA STAR attestation.”
> Show 2 unconfirmed / not-held certifications
source: learn.microsoft.comNo public evidence that the standalone Power BI cloud service is separately listed in scope for a Microsoft PCI DSS attestation; PCI DSS coverage on Microsoft Learn is documented for Azure and Dynamics 365, not named for Power BI specifically.
source: learn.microsoft.comMicrosoft holds ISO/IEC 42001 certification for Microsoft 365 Copilot, Copilot Chat, Copilot Studio, Security Copilot, GitHub Copilot, and Microsoft Foundry models; no public Microsoft Learn or Azure blog source lists Power BI, Fabric, or Copilot in Power BI within the certified ISO 42001 scope as of this review.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer-selected Office 365/Power BI geo; Microsoft states it will not replicate customer data outside the chosen geographic area for data resiliency purposes.
For Copilot features in Power Platform (which includes Power BI/Fabric Copilot), Microsoft states prompts and responses 'are NOT used to train or improve any third-party products or services (such as OpenAI models)' and 'are NOT used to train or improve Microsoft AI models, unless your tenant admin opts in to sharing data with us.' Training is opt-in only, controlled at the tenant level.
// Security controls
Encryption in transit
Power BI Desktop and the service require TLS 1.2 or higher for all client connections; earlier TLS versions are rejected.
learn.microsoft.comAuthentication
User sign-in and authorization is handled via Microsoft Entra ID; the Web Front End cluster authenticates clients and issues tokens for subsequent calls.
learn.microsoft.comData storage architecture
Uploaded data is stored in Azure Blob Storage; metadata is stored in Azure SQL Database. Only the API Management and Gateway roles are internet-facing.
learn.microsoft.comThird-party audits
Annual independent SOC 1/SOC 2 Type 2 examinations and annual ISO/IEC 27001 and 27018 audits cover the Power BI cloud service; reports are available to customers via the Service Trust Portal.
learn.microsoft.comBreach notification
Microsoft commits to notifying customers of a confirmed personal data breach without undue delay, with no minimum harm threshold, to help customers meet GDPR's 72-hour DPA notification requirement.
learn.microsoft.com// Products & data scope
data: Runs locally; connects to on-prem and cloud data sources for report authoring
No cloud storage of customer data unless published to the Power BI service.
data: Multi-tenant Power BI cloud service (Azure-hosted)
Covered under Office 365/Power Platform SOC 2, ISO 27001/27018, HIPAA BAA, GDPR terms.
data: Same multi-tenant Azure-hosted service with dedicated capacity
Adds enterprise features (larger datasets, dataflows, deployment pipelines); same compliance scope as Power BI cloud service.
data: Shared Fabric OneLake storage plus Copilot AI features
Copilot in Fabric/Power BI is built on Azure OpenAI Service; data is not shared with OpenAI and is not used to train foundation models unless the tenant opts in.
data: Customer/end-customer report data embedded in third-party apps
Explicitly listed as in-scope for SOC 2, ISO 27001, and ISO 27018 alongside the standalone service.
data: Fully on customer infrastructure; no Microsoft-hosted customer data
Self-hosted option for organizations that cannot use the cloud service; compliance responsibility shifts largely to the customer's own environment.
// What to watch
- All certification claims here were verified directly against Microsoft's own Learn compliance documentation, which explicitly names 'Power BI' in each in-scope services list, so identity and cert claims are not fabricated.
- Because Power BI is one line item inside very large, shared Microsoft attestations (Office 365 / Azure SOC 2, ISO 27001/27018, FedRAMP), the certification boundary is Microsoft's Office 365/Power Platform ecosystem as a whole, not a standalone Power BI-only audit. This is normal for Microsoft 365 family products but should be disclosed to buyers doing their own due diligence.
- PCI DSS is not separately documented for Power BI on Microsoft Learn; do not claim it without further verification if a customer specifically requires PCI scope for Power BI.
- ISO/IEC 42001 (AI governance) is held by Microsoft for several named Copilot products (M365 Copilot, Copilot Studio, Security Copilot, GitHub Copilot, Foundry models) but Power BI/Fabric Copilot is not named in that certified scope in current public sources; do not list ISO 42001 as held for Power BI.
// At a glance
Pricing model
Freemium (Power BI Desktop/free account) plus per-user subscription (Pro, Premium Per User) plus capacity-based (Premium/Fabric) plus Azure consumption-based (Embedded)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Microsoft Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
microsoft.com