// Trust & Security Report

    Microsoft Corporation logo

    Microsoft Corporation

    Power BI cloud service (Pro, Premium Per User, Premium/Fabric capacity), Power BI Embedded, Power BI Desktop (client), and Power BI Report Server (on-premises); Power BI is now delivered as part of Microsoft Fabric with Copilot AI features.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    The Azure SOC 2 Type 2 attestation report shows Microsoft online services in scope: ... Power Apps, Power Automate, Power BI, Copilot Studios ...

    Verify on learn.microsoft.com
    ISO/IEC 27001
    HELD

    Microsoft in-scope cloud platforms and services ... Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite; Power BI Embedded

    Verify on learn.microsoft.com
    ISO/IEC 27018 (PII protection in public clouds)
    HELD

    Microsoft in-scope cloud platforms and services ... Power BI cloud service: either as a standalone service or as included in an Office 365 branded plan or suite; Power BI Embedded

    Verify on learn.microsoft.com
    GDPR (posture / DPA)
    HELD

    Microsoft processes Customer Data to provide the Online Services in accordance with the controller's documented instructions, as specified in the Product Terms and Products and Services Data Protection Addendum (DPA). ... Microsoft proactively provides these commitments to all Volume Licensing customers as part of their agreements.

    Verify on learn.microsoft.com
    HIPAA / HITECH (BAA)
    HELD

    Microsoft in-scope cloud platforms and services ... Power BI cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite

    Verify on learn.microsoft.com
    FedRAMP (US government cloud, GCC / GCC High)
    HELD

    Microsoft in-scope cloud platforms and services ... Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite

    Verify on learn.microsoft.com
    CSA STAR
    HELD

    the Office 365 SOC 2 Type 2 attestation report addresses the requirements defined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) ... The Office 365 SOC 2 Type 2 audit incorporates the CCM controls assessment as required by the CSA STAR attestation.

    Verify on learn.microsoft.com
    > Show 2 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    No public evidence that the standalone Power BI cloud service is separately listed in scope for a Microsoft PCI DSS attestation; PCI DSS coverage on Microsoft Learn is documented for Azure and Dynamics 365, not named for Power BI specifically.

    source: learn.microsoft.com
    ISO/IEC 42001 (AI management system / AI governance)
    NOT CONFIRMED

    Microsoft holds ISO/IEC 42001 certification for Microsoft 365 Copilot, Copilot Chat, Copilot Studio, Security Copilot, GitHub Copilot, and Microsoft Foundry models; no public Microsoft Learn or Azure blog source lists Power BI, Fabric, or Copilot in Power BI within the certified ISO 42001 scope as of this review.

    source: learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer-selected Office 365/Power BI geo; Microsoft states it will not replicate customer data outside the chosen geographic area for data resiliency purposes.

    For Copilot features in Power Platform (which includes Power BI/Fabric Copilot), Microsoft states prompts and responses 'are NOT used to train or improve any third-party products or services (such as OpenAI models)' and 'are NOT used to train or improve Microsoft AI models, unless your tenant admin opts in to sharing data with us.' Training is opt-in only, controlled at the tenant level.

    // Security controls

    Encryption in transit

    Power BI Desktop and the service require TLS 1.2 or higher for all client connections; earlier TLS versions are rejected.

    learn.microsoft.com

    Authentication

    User sign-in and authorization is handled via Microsoft Entra ID; the Web Front End cluster authenticates clients and issues tokens for subsequent calls.

    learn.microsoft.com

    Data storage architecture

    Uploaded data is stored in Azure Blob Storage; metadata is stored in Azure SQL Database. Only the API Management and Gateway roles are internet-facing.

    learn.microsoft.com

    Third-party audits

    Annual independent SOC 1/SOC 2 Type 2 examinations and annual ISO/IEC 27001 and 27018 audits cover the Power BI cloud service; reports are available to customers via the Service Trust Portal.

    learn.microsoft.com

    Breach notification

    Microsoft commits to notifying customers of a confirmed personal data breach without undue delay, with no minimum harm threshold, to help customers meet GDPR's 72-hour DPA notification requirement.

    learn.microsoft.com

    // Products & data scope

    Power BI DesktopFree authoring client

    data: Runs locally; connects to on-prem and cloud data sources for report authoring

    No cloud storage of customer data unless published to the Power BI service.

    Power BI ProPer-user cloud subscription

    data: Multi-tenant Power BI cloud service (Azure-hosted)

    Covered under Office 365/Power Platform SOC 2, ISO 27001/27018, HIPAA BAA, GDPR terms.

    Power BI Premium Per User / Premium (capacity)Enterprise-scale subscription

    data: Same multi-tenant Azure-hosted service with dedicated capacity

    Adds enterprise features (larger datasets, dataflows, deployment pipelines); same compliance scope as Power BI cloud service.

    Power BI in Microsoft FabricUnified analytics platform (current GA direction for Power BI)

    data: Shared Fabric OneLake storage plus Copilot AI features

    Copilot in Fabric/Power BI is built on Azure OpenAI Service; data is not shared with OpenAI and is not used to train foundation models unless the tenant opts in.

    Power BI EmbeddedAzure PAYG embedding service for ISVs

    data: Customer/end-customer report data embedded in third-party apps

    Explicitly listed as in-scope for SOC 2, ISO 27001, and ISO 27018 alongside the standalone service.

    Power BI Report ServerOn-premises reporting server

    data: Fully on customer infrastructure; no Microsoft-hosted customer data

    Self-hosted option for organizations that cannot use the cloud service; compliance responsibility shifts largely to the customer's own environment.

    // What to watch

    • All certification claims here were verified directly against Microsoft's own Learn compliance documentation, which explicitly names 'Power BI' in each in-scope services list, so identity and cert claims are not fabricated.
    • Because Power BI is one line item inside very large, shared Microsoft attestations (Office 365 / Azure SOC 2, ISO 27001/27018, FedRAMP), the certification boundary is Microsoft's Office 365/Power Platform ecosystem as a whole, not a standalone Power BI-only audit. This is normal for Microsoft 365 family products but should be disclosed to buyers doing their own due diligence.
    • PCI DSS is not separately documented for Power BI on Microsoft Learn; do not claim it without further verification if a customer specifically requires PCI scope for Power BI.
    • ISO/IEC 42001 (AI governance) is held by Microsoft for several named Copilot products (M365 Copilot, Copilot Studio, Security Copilot, GitHub Copilot, Foundry models) but Power BI/Fabric Copilot is not named in that certified scope in current public sources; do not list ISO 42001 as held for Power BI.

    // At a glance

    Pricing model

    Freemium (Power BI Desktop/free account) plus per-user subscription (Pro, Premium Per User) plus capacity-based (Premium/Fabric) plus Azure consumption-based (Embedded)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Microsoft Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    microsoft.com

    > Browse all vendor trust reports