Insights

TL;DR where is my Microsoft 365 Copilot data processed and stored?

Your Microsoft 365 Copilot data is stored in the same geographic region as your tenant. Some processing may happen in Microsoft managed Azure data centres outside of your tenant’s region, but no data is stored outside your Microsoft 365 tenant’s region, and nothing is retained by the AI model.

Every organisation remains responsible for ensuring Microsoft’s agreements and data handling commitments align with their own compliance and regulatory obligations before using Copilot.

AI data residency is a key concern for organisations

When organisations look at Microsoft 365 Copilot, they want to know where their data will be stored, where it could be processed, and whether it will ever leave their control.

While the answers should hopefully be reassuring, there are a couple of important distinctions worth understanding.

Please note: This content is provided for general information only. Microsoft’s services and data handling terms may change over time. Always refer to Microsoft’s latest documentation and contractual terms before making compliance or data residency decisions.

Where Copilot data is stored

All data storage related to Microsoft 365 Copilot happens in the same geographic region as your Microsoft 365 tenant.

That includes:

• Your emails, files, chats and meetings
• The Microsoft Graph data Copilot relies on
• Any metadata or Copilot query history that is stored by the service

Copilot doesn’t introduce a new storage location or move your information elsewhere. If your Microsoft 365 tenant is hosted in the UK, your data remains stored in the UK. If it’s hosted in another region, Copilot follows that same location.

This is because Copilot operates as part of the Microsoft 365 service, not as a separate platform.

The role of Microsoft Graph

When you use Copilot, it gathers context through the Microsoft Graph (i.e. the APIs and data model that underpins and links all your Microsoft 365 services), which is already part of Microsoft 365.

Microsoft Graph connects:

• Emails
• Files
• Teams chats
• Meetings
• The people you work with

Copilot uses this to retrieve only the information needed to answer your prompt.

Just as importantly, Microsoft Graph only returns content that you already have permission to access. Copilot cannot see anything you wouldn’t normally be able to open yourself.

Where is Microsoft 365 Copilot data processed?

Data processing is slightly different from data storage.

The AI model that Copilot uses runs within Microsoft’s Azure OpenAI service. This is still a Microsoft managed service, hosted in Azure data centres.

However, the processing environment isn’t co located with your Microsoft 365 tenant. Depending on capacity and demand, processing may take place in different Microsoft Azure regions globally.

This often raises eyebrows, but there are two key points to keep in mind.

Processing doesn’t mean storage

Although processing may happen outside your tenant’s home region, your data isn’t stored there.

• The AI model processes the information it’s given
• It generates a response
• It does not retain your data
• It does not store prompts or content

Once the response is returned, that interaction is complete. Your data continues to live only within your Microsoft 365 environment and remains subject to your existing security, compliance and retention policies.

Microsoft 365 Copilot is designed for enterprise requirements

Copilot is designed to work for most enterprises and their typical security and data boundary requirements by:

• Storing data in the same region as your Microsoft 365 tenant
• Processing data using Microsoft managed services
• Not creating shadow copies of your content

Before implementing Copilot, your organisation should ensure you understand Microsoft’s service agreements and that they align with your compliance obligations.

But for many organisations, the bigger risks to using Copilot will relate to whether their SharePoint permissions, sharing settings and information architecture are ready for Copilot to work with safely.

What about the Microsoft EU Data Boundary for EU and EFTA tenants?

Organisations with their Microsoft 365 tenants in the EU / EFTA, will be familiar with the Microsoft EU Data Boundary. Previously, the Microsoft EU Data Boundary meant that both storage and processing of Copilot data would remain within the boundary – but this is no longer always the case, depending on varying circumstances. Microsoft has introduced flex routing for eligible EU / EFTA tenants. This means some Copilot processing may occur outside the EU data boundary if flex routing isn’t disabled in those EU / EFTA tenants.

Flex routing is enabled by default for all new customer accounts (EU / EFTA) established after March 25, 2026. For existing accounts, flex routing was activated on April 17, 2026. Microsoft recommends administrators check their tenant’s flex routing setting, which can be turned off.

If any of this could apply to your business, see Microsoft’s official guidance here to learn more and assess if it could affect your compliance obligations, including GDPR: https://learn.microsoft.com/en-us/microsoft-365/copilot/copilot-flex-routing

Copilot data storage and processing summary:

Microsoft 365 Copilot does not change where your data is stored.

Your data remains in your Microsoft 365 tenant, in its existing geographic region. Some processing happens in Microsoft managed Azure data centres, but it’s not retained by the AI model or stored there, except for limited pseudonymized data which Microsoft says “may be stored outside the EU Data Boundary for security and operational purposes” with further information available on partial data transfers.