Copilot Studio security and governance

Copilot Studio follows the Security Development Lifecycle (SDL). The SDL is a set of strict practices that support security assurance and compliance requirements. Learn more at Microsoft Security Development Lifecycle Practices.

The Copilot Studio service is governed by your commercial license agreements, including the Microsoft Product Terms and the Data Protection Addendum. For the location of data processing, refer to the geographical availability documentation.

The Microsoft Trust Center is the primary resource for Power Platform compliance information. Learn more at Copilot Studio compliance offerings.

Furthermore, Power Platform has an extensive set of Data Loss Prevention features to help you manage the security of your data. Learn how to configure data loss prevention policies for copilots in your organization.

Copilot Studio follows a number of security and governance controls and processes, including geographic data residency, data loss prevention, multiple standards certifications, regulatory compliance, environment routing, and regional customization. See the Geographic data residency in Copilot Studio article for details on how data is handled in Copilot Studio.

Additionally, to further govern and secure Copilot Studio using generative AI features in your organization, you can:

Finally, Copilot Studio supports securely accessing customer data using Customer Lockbox.