AI Vendor Security & Compliance Brief

Microsoft 365 Copilot

Independent due-diligence summary · every fact links to the vendor's official source

6 source-cited facts

0 independently verified certs

9 legal documents tracked

Generated 2026-06-10

82/100

AI Governance Readiness

Enterprise-Ready

Strong verifiable security and governance posture.

＋ Monitor this vendor ⤓ Security Review PDF ⤓ Vendor questionnaire (CSV)

Readiness Breakdown deterministic · evidence-only

Independent Certification SOC 2 / ISO certifications attested via the vendor's trust center (ISO 27001, SOC2 TYPE2) but the audit report is gated behind NDA — request directly.
Vendor-Stated Compliance Vendor states (cited, not independently audited): GDPR, HIPAA, ISO 27001, SOC 2.
Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
Data Processing Agreement A Data Processing Agreement is published and tracked.
Breach History No known breaches in Have I Been Pwned.
Vulnerability Exposure No product identity match in vulnerability databases — not assessed.
Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
Web TLS Certificate Valid TLS certificate in place.
Legal Transparency 9 legal/policy documents publicly tracked.

Score is normalized over assessed components only — “unknown” items are shown but never silently counted against the vendor.

Ask This in Your Security Review 1 open items

Vulnerability ExposureRequest the remediation timeline / patch status for known CVEs (and any KEV-listed items).

Compliance Posture vendor-stated · cited

Framework	Status	Source
GDPR	Stated by vendor	https://learn.microsoft.com/en-us/compliance/regulatory/gdpr
HIPAA	Stated by vendor	https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech
ISO 27001	Stated by vendor	https://learn.microsoft.com/en-us/compliance/regulatory/offering-iso-27001
SOC 2	Stated by vendor	https://learn.microsoft.com/en-us/compliance/regulatory/offering-soc

As published on the vendor's own trust/compliance pages — not independently audited. Independently verified attestations, when available, appear in the certifications section below. Request the underlying report before relying on these.

Data & Contract Facts deterministic · cited

Attribute	Value	Source
Sub-processors	LinkedIn Corporation	https://aka.ms/online-services-subprocessors
Trains on Customer Data key clause	Free / Pro: trains on data The consumer Copilot app trains on conversation activity by default (opt-out) — this is NOT the M365 commercial product. cited → Enterprise: does not train Microsoft 365 Copilot (commercial): prompts, responses and Microsoft Graph data aren't used to train foundation LLMs; no customer data is shared with OpenAI. cited →	see per-tier citations

Security Posture authoritative · cited

Known Vulnerabilities (CVE / CISA KEV) Not applicable

Hosted SaaS — no installable software distributed; CVE/CPE tracking does not apply to this vendor.

Vulnerability Disclosure Policy (security.txt) Found 1

valid

Email Spoofing Protection (DMARC) Protected

DMARC enforced and SPF present — spoofing well mitigated.

DMARC enforced (p=reject/quarantine) · SPF present · checked @microsoft.com

Web TLS Certificate Valid

Certificate valid · 153d to expiry · Microsoft Corporation

Data Breach History None found

Queried the authoritative source; no records.

Supply-Chain Security (OpenSSF Scorecard) Not applicable

Closed-source service — no public source repository; OpenSSF Scorecard (open-source supply-chain) does not apply.

OFAC Sanctions Screening None found

Queried the authoritative source; no records.

SEC Cyber Incident Disclosures (8-K 1.05) Found 1

8-K Item 1.05 — Material Cybersecurity Incident · filed 2024-01-19 · by MICROSOFT CORP

Security & Compliance Timeline authoritative · dated

Dated, source-cited history from authoritative records (NVD, SEC, CISA KEV). Subscribe to get alerted the moment a new event lands.

2024-01-19 SEC 8-K Material cybersecurity incident disclosed to SEC by MICROSOFT CORP

Certifications Available Under NDA / Trust Center attested · report gated

Certification	Status	Trust Center
ISO 27001	Available via Trust Center	https://servicetrust.microsoft.com/
SOC2 TYPE2	Available via Trust Center	https://servicetrust.microsoft.com/

An independent audit report exists but is gated behind an NDA or trust-center registration. Request it directly via the vendor's trust center. These count as partial assurance — stronger than a vendor claim, but not an open third-party attestation.

Vendor-Claimed, Not Independently Verified treat as unconfirmed

FEDRAMP LOW	claimed_unverified	https://servicetrust.microsoft.com/
PEN TEST	claimed_unverified	https://techcommunity.microsoft.com/blog/microsoft365copilotblog/staying-ahead-of-compliance-keep-up-with-key-insights-from-our-quarterly-complia/4448011

These appear on the vendor's site but we could not confirm an independent audit report. Request the underlying attestation before relying on them.

Tracked Legal & Policy Documents

Document	URL
Ccpa Compliance	https://microsoft.com/privacy/ccpa
Dpa	https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
Gdpr Compliance	https://microsoft.com/gdpr
Privacy	https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-privacy
Security	https://www.microsoft.com/en-us/trust-center
Subprocessors	https://download.microsoft.com/download/3/0/2/302E3E4F-7EEF-4DB7-8183-E9134254841F/Microsoft%20Commercial%20Support%20Subprocessors.pdf
Tos	https://www.microsoft.com/licensing/terms
Trust	https://servicetrust.microsoft.com/
Vuln Mgmt	https://microsoft.com/.well-known/security.txt

How to Obtain Non-Public Documents

These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.

Document	Availability	How to obtain
Business Associate Agreement (BAA)	On request (HIPAA only)	A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center →
Master Services Agreement (MSA)	Negotiated per contract	The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center →
Service Level Agreement (SLA)	Enterprise tier	A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center →

Fourth-Party Supply Chain deterministic · cited

Your data reaches these fourth parties through Microsoft 365 Copilot. Source: vendor's published sub-processor list.

Microsoft 365 Copilot → LinkedIn Corporation

Sub-processor source →

If one of these fourth parties has a critical security event, you may be indirectly exposed even without a direct contract. Swanum flags this in your alerts.

Monitor Microsoft 365 Copilot — get alerted when this changes

This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Microsoft 365 Copilot changes something that affects your risk. Built for procurement & security teams.

Free. One email per material change. Unsubscribe anytime. No sales spam.

Every data point above is extracted from the vendor's own official trust, security, or legal pages and links to its source. This brief contains no scraped sentiment, forum chatter, or AI-inferred opinion — only verifiable, deterministic facts. Verify each source before procurement decisions.