Control 2.7: Data Residency and Cross-Border Data Flow Governance
- Control ID: 2.7
- Pillar: Security & Protection
- Regulatory Reference: GLBA 501(b), GDPR (if applicable), State Privacy Laws
- Last Verified: 2026-02-17
- Governance Levels: Baseline / Recommended / Regulated
Objective
Establish governance over data residency and cross-border data flows associated with Microsoft 365 Copilot processing. Financial institutions must understand where Copilot processes and stores data (prompts, responses, grounding data, telemetry), whether this data crosses jurisdictional boundaries, and how to configure residency controls for multinational operations. This control supports compliance with GLBA safeguard requirements, state-level data privacy laws, and international data transfer obligations for firms with global operations.
Why This Matters for FSI
- GLBA 501(b) requires financial institutions to protect customer information throughout its lifecycle — understanding where Copilot processes customer data is essential for demonstrating safeguard adequacy
- State privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others) impose data handling obligations that may include data residency considerations for AI processing
- GDPR (Articles 44-49) restricts transfers of personal data to countries outside the EEA without adequate safeguards — US-headquartered firms with EU operations must address Copilot data flows under GDPR
- NYDFS Part 500 (Section 500.15) requires encryption of NPI in transit and at rest — data residency determines which jurisdictional encryption requirements apply
- OCC/Fed Interagency Guidance expects banks to manage risks associated with third-party data processing, including understanding data processing locations
- SEC/FINRA expectations for books and records may require that certain records remain accessible within US jurisdiction
Control Description
Microsoft 365 Copilot data processing follows the data residency commitments of the underlying Microsoft 365 services, with specific considerations for AI processing components.
Copilot Data Processing Locations
| Data Type | Processing Location | Storage Location | Residency Control |
|---|---|---|---|
| User prompts | Tenant's provisioned geography | Retained together with the response as Copilot interaction history in the user's Exchange Online mailbox (subject to retention policies and eDiscovery); not used to train foundation models | Follows M365 tenant geo (user's PDL under Multi-Geo) |
| Copilot responses | Tenant's provisioned geography | Stored as interaction history in the user's mailbox and, where inserted into a document, email or Page, as ordinary user content in that M365 service | Follows M365 tenant geo (user's PDL under Multi-Geo) |
| Grounding data | Tenant's provisioned geography | Remains in source M365 service | Follows M365 data residency |
| Semantic Index | Tenant's provisioned geography | Co-located with M365 tenant | Follows M365 tenant geo |
| Azure OpenAI processing | Microsoft-managed infrastructure | Processing only — no persistent storage | Regional processing commitments |
| Web search queries | Bing infrastructure (if enabled) | Not stored in Bing (per Microsoft) | See Control 2.6 |
| Audit logs | Tenant's provisioned geography | Unified Audit Log location | Follows M365 tenant geo |
| Telemetry | Microsoft-managed | Aggregated, anonymized | Microsoft privacy commitments |
Microsoft 365 Data Residency Options
| Residency Option | Description | Copilot Coverage | FSI Relevance |
|---|---|---|---|
| Default geo | Data stored in the region where tenant is provisioned | Yes — Copilot follows tenant geo | Most US FSI firms are provisioned in US datacenters |
| Advanced Data Residency (ADR) | Add-on providing data residency commitments for additional workloads | Yes — includes Copilot processing | Recommended for firms requiring contractual residency assurances |
| Multi-Geo | Data stored in multiple regions based on user assignment | Yes — Copilot processes in user's assigned geo | Required for multinational FSI firms with regional regulatory requirements |
| EU Data Boundary | EU customer data processed and stored within the EU | Yes — for EU-assigned users | Relevant for US firms with EU banking or investment operations |
Cross-Border Data Flow Scenarios
| Scenario | Data Flow | Regulatory Concern | Mitigation |
|---|---|---|---|
| US firm, all US operations | US datacenter processing | Low — data stays in US | Default configuration adequate |
| US firm with EU subsidiary | EU user data may process in US Copilot infra | High — GDPR Articles 44-49 | Enable Multi-Geo; assign EU users to the EU geo; confirm EU Data Boundary coverage for Copilot processing of EU-assigned users |
| US firm with APAC operations | APAC user data may process outside region | Medium — local data laws | Multi-Geo for APAC users |
| US firm with Canadian operations | Canadian data may process in US | Medium — PIPEDA considerations | Multi-Geo for Canadian users |
Data Residency Architecture
```text
                Multinational FSI Firm
                          │
             ┌────────────┴────────────┐
             │                         │
       US Operations             EU Operations
             │                         │
       US Tenant Geo             EU Multi-Geo
             │                         │
      ┌──────┴──────┐           ┌──────┴───────┐
      │  M365 Data  │           │  M365 Data   │
      │    US DC    │           │    EU DC     │
      │             │           │              │
      │   Copilot   │           │   Copilot    │
      │  Processing │           │  Processing  │
      │  US Region  │           │  EU Region   │
      └─────────────┘           └──────────────┘
```
Copilot Surface Coverage
| M365 Application | Follows Tenant Geo | Multi-Geo Support | ADR Coverage | Notes |
|---|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes | Yes | Yes | Cross-workload processing in user's geo |
| Word | Yes | Yes | Yes | Document processing in user's geo |
| Excel | Yes | Yes | Yes | Data analysis in user's geo |
| PowerPoint | Yes | Yes | Yes | Presentation generation in user's geo |
| Outlook | Yes | Yes | Yes | Email processing in user's geo |
| Teams | Yes | Yes | Yes | Meeting/chat processing in user's geo |
| OneNote | Yes | Yes | Yes | Note processing in user's geo |
| Loop | Yes | Yes | Yes | Loop content in user's geo |
| Copilot Pages | Yes | Yes | Yes | Pages stored in user's geo |
| SharePoint (Agents) | Yes | Yes | Yes | Agent processing follows site geo |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Document the M365 tenant's provisioned geography; confirm Copilot processing follows tenant geo; verify no unintended cross-border data flows; review Microsoft's data residency commitments for Copilot annually | Establishes awareness of data processing locations — minimum requirement for any FSI Copilot deployment |
| Recommended | Implement Advanced Data Residency (ADR) add-on for contractual residency assurances; configure Multi-Geo for multinational operations; map Copilot data flows for privacy impact assessments; include Copilot data residency in vendor risk assessment; quarterly review of residency configuration | Provides contractual assurance and multi-region support — appropriate for firms with operations in multiple jurisdictions |
| Regulated | All Recommended requirements plus: formal data flow mapping for each jurisdiction; legal review of cross-border transfer mechanisms (SCCs, adequacy decisions); data residency included in regulatory examination packages; continuous monitoring of residency-affecting service changes via Microsoft 365 Message Center and service health notifications; annual third-party audit of data residency compliance | Maximum residency governance for firms with the most complex jurisdictional requirements and highest regulatory expectations |
Setup & Configuration
Step 1: Verify Tenant Geography
Portal: Microsoft 365 Admin Center > Settings > Org settings > Organization profile > Data location
- Confirm the tenant's primary data location
- Note which M365 services are covered by the default residency commitment
- Document the provisioned geography for governance records
Step 2: Enable Advanced Data Residency (if applicable)
- Evaluate whether ADR add-on is needed based on regulatory requirements
- Purchase ADR add-on through Microsoft licensing
- ADR provides contractual data residency commitments for:
- Exchange Online
- SharePoint Online / OneDrive
- Microsoft Teams
- Microsoft 365 Copilot interactions
Step 3: Configure Multi-Geo (if applicable)
Portal: Microsoft 365 Admin Center > Settings > Org settings > Multi-Geo
- Enable Multi-Geo capabilities (requires Multi-Geo add-on licensing)
- Assign satellite geographies for applicable regions
- Assign users to their correct preferred data location (PDL)
```powershell
# Connect to Microsoft Graph with a scope that permits writing user properties
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Set the preferred data location for an EU user ("EUR" = European Union geo).
# Changing an existing user's PDL triggers an automatic Exchange Online mailbox move;
# OneDrive content must be moved separately with Start-SPOUserAndContentMove.
Update-MgUser -UserId "eu-user@firm.com" -PreferredDataLocation "EUR"

# Verify the assignment. Get-MgUser returns only a default property subset, so
# PreferredDataLocation must be requested explicitly with -Property.
Get-MgUser -UserId "eu-user@firm.com" -Property DisplayName,PreferredDataLocation |
    Select-Object DisplayName, PreferredDataLocation
```
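Setting PDLs one user at a time does not tell you whether every user in each jurisdiction actually landed in the right geo. The following script is an added example for this control (it is not part of the original control document and not Microsoft's code): it audits every enabled, licensed member user's PDL against the jurisdiction the firm expects for that user and can remediate mismatches. The country-to-PDL mapping in `$ExpectedPdlByCountry`, the use of `UsageLocation` as the jurisdiction signal, and the default central geo of `NAM` are hypothetical assumptions that must be replaced with the firm's own legal mapping.

```powershell
<#
Added example (not from the control document or Microsoft): audit Multi-Geo
preferred data locations (PDL) against expected jurisdiction and optionally fix them.
Assumptions (hypothetical, adjust to the firm's legal mapping):
  - UsageLocation (ISO 3166-1 alpha-2) is the authoritative jurisdiction signal.
  - $ExpectedPdlByCountry maps country codes to Multi-Geo PDL codes
    (NAM North America, EUR European Union, GBR United Kingdom, CAN Canada,
     APC Asia Pacific, AUS Australia, JPN Japan).
  - Users with no mapping belong in the central geo ($CentralPdl). A user with no
    PDL set is served from the central geo, so that is treated as the actual value.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CentralPdl = "NAM",
    [switch]$Remediate,
    [string]$ReportPath = ".\pdl-audit-$(Get-Date -Format yyyyMMdd).csv"
)

$ExpectedPdlByCountry = @{
    "US" = "NAM"; "CA" = "CAN"; "GB" = "GBR"
    "DE" = "EUR"; "FR" = "EUR"; "IE" = "EUR"; "NL" = "EUR"; "LU" = "EUR"
    "SG" = "APC"; "HK" = "APC"; "AU" = "AUS"; "JP" = "JPN"
}

# Least privilege: the write scope is requested only when -Remediate is used.
$scopes = if ($Remediate) { @("User.ReadWrite.All") } else { @("User.Read.All") }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Get-MgUser returns only a default property subset; UsageLocation, UserType and
# PreferredDataLocation must be requested explicitly or they come back empty.
$users = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property Id,UserPrincipalName,UsageLocation,UserType,PreferredDataLocation,AssignedLicenses

$findings = foreach ($u in $users) {
    # Guests and unlicensed accounts hold no Copilot or M365 content to place.
    if ($u.UserType -ne "Member" -or -not $u.AssignedLicenses) { continue }

    $country  = if ($u.UsageLocation) { $u.UsageLocation.ToUpper() } else { $null }
    $expected = if ($country -and $ExpectedPdlByCountry.ContainsKey($country)) {
        $ExpectedPdlByCountry[$country]
    } else { $CentralPdl }
    $actual   = if ($u.PreferredDataLocation) { $u.PreferredDataLocation.ToUpper() } else { $CentralPdl }

    # A missing UsageLocation is itself a finding: jurisdiction cannot be asserted.
    $status = if (-not $country) { "NO_USAGE_LOCATION" } elseif ($actual -eq $expected) { "OK" } else { "MISMATCH" }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        UsageLocation     = $country
        ExpectedPdl       = $expected
        ActualPdl         = $actual
        Status            = $status
    }
}

# Summary for the governance record, plus a CSV of every non-OK finding.
$findings | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$findings | Where-Object Status -ne "OK" | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Audit written to $ReportPath"

if ($Remediate) {
    foreach ($m in ($findings | Where-Object Status -eq "MISMATCH")) {
        # Changing a PDL moves the Exchange Online mailbox automatically; OneDrive
        # content must be moved separately (Start-SPOUserAndContentMove).
        # ShouldProcess honours -WhatIf, so dry-run first: .\Audit-Pdl.ps1 -Remediate -WhatIf
        if ($PSCmdlet.ShouldProcess($m.UserPrincipalName, "Set PDL to $($m.ExpectedPdl)")) {
            Update-MgUser -UserId $m.UserPrincipalName -PreferredDataLocation $m.ExpectedPdl
        }
    }
}
```

Run it read-only first and file the CSV with the Step 6 residency configuration document; the `NO_USAGE_LOCATION` rows are the users whose jurisdiction the firm cannot currently evidence to an examiner. After remediation, confirm the mailbox actually moved with the Exchange Online cmdlet `Get-Mailbox <UPN> | Format-List Database, MailboxRegion` before treating the user as compliant, since the PDL attribute changes immediately while the data move completes later.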
Step 4: Map Copilot Data Flows
Create a data flow mapping document that includes:
- Source data locations (where M365 content resides)
- Processing locations (where Copilot AI processing occurs)
- Output locations (where Copilot responses and Pages are stored)
- Ancillary data flows (audit logs, telemetry, web search if enabled)
Step 5: Privacy Impact Assessment
For firms subject to GDPR or comprehensive state privacy laws:
- Include Copilot data processing in the firm's Data Protection Impact Assessment (DPIA)
- Document the legal basis for processing (legitimate interest, contractual necessity)
- Evaluate cross-border transfer mechanisms if applicable
- Update Records of Processing Activities (ROPA) to include Copilot
Step 6: Document Residency Configuration
Maintain a residency configuration document that includes:
| Element | Detail |
|---|---|
| Tenant primary geography | [e.g., United States] |
| ADR status | [Enabled/Not Enabled] |
| Multi-Geo regions | [List of satellite geos] |
| Copilot processing geography | [Confirmed location] |
| Web search status | [Enabled/Disabled — see Control 2.6] |
| Last review date | [Date] |
| Reviewer | [Name/Role] |
Financial Sector Considerations
- US-Only Operations: Most US-only FSI firms have M365 tenants provisioned in US datacenters. For these firms, data residency risk from Copilot is low, but documenting the residency posture is still a governance requirement. Examiners may ask where AI processing occurs.
- Multinational Banking Groups: Large banking groups with operations in the EU, UK, and Asia face the most complex residency requirements. Multi-Geo is essential, and each regional subsidiary may need independent review of Copilot data flows against local regulations.
- EU Operations and GDPR: US financial firms with EU banking, asset management, or brokerage operations must address GDPR requirements for Copilot. This includes legal basis for processing, DPIA completion, and cross-border transfer mechanisms (Standard Contractual Clauses or EU-US Data Privacy Framework).
- State Privacy Laws: California (CCPA/CPRA), Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws may impose requirements relevant to how Copilot processes resident information. Monitor evolving state-level AI-specific legislation.
- Examination Readiness: SEC and FINRA may ask where firm records are processed and stored. If Copilot-generated content (emails drafted by Copilot, meeting summaries, document drafts) constitutes firm records, data residency documentation should cover these items.
- Third-Party Risk Management: Include Copilot's data processing geography in the firm's vendor risk assessment for Microsoft. OCC and FFIEC guidance expects financial institutions to understand where third-party service providers process their data.
- Future Regulatory Development: US federal financial regulators are developing AI-specific guidance that may include data residency requirements. Establishing residency governance now positions the firm for future compliance requirements.
Verification Criteria
- Tenant Geography Documented: Verify that the tenant's primary data location is documented and accessible to compliance
- Copilot Processing Location: Confirm that Copilot processing occurs within the tenant's provisioned geography (verify via Microsoft documentation or support confirmation)
- ADR Status: Verify ADR subscription status if contractual residency assurances are required
- Multi-Geo Configuration: For multinational firms, verify that users in each jurisdiction are assigned the correct preferred data location
- Data Flow Mapping: Confirm a Copilot data flow map exists that documents source, processing, output, and ancillary data locations
- Privacy Impact Assessment: Verify that Copilot is included in the firm's DPIA or privacy impact assessment (required for firms subject to GDPR or state privacy laws)
- Cross-Border Transfer Mechanisms: If data crosses borders, verify that appropriate transfer mechanisms (SCCs, DPF certification) are in place
- Vendor Risk Assessment: Confirm that Copilot data residency is documented in the firm's vendor risk assessment for Microsoft
- Review Cadence: Verify that data residency review is scheduled at the appropriate frequency (annually for Baseline, quarterly for Recommended, quarterly plus continuous monitoring of Microsoft residency-affecting service changes for Regulated)
- Regulatory Examination Package: Confirm that data residency documentation is included in the firm's regulatory examination readiness materials
Additional Resources
- Microsoft 365 Data Residency
- Advanced Data Residency
- Multi-Geo Capabilities
- Microsoft 365 Copilot Data Residency
- EU Data Boundary for Microsoft Cloud
- Related Controls: 2.6 Web Search Controls, 2.8 Encryption, 2.15 Network Security, 3.10 SEC Reg S-P Privacy, 3.13 FFIEC Alignment
- Playbooks: Data Residency Assessment Playbook, Multi-Geo Configuration Playbook, Privacy Impact Assessment Template