How can we manage documents in privacy-sensitive domains when dealing with clients located in EU (GDPR)?

Question

How can we manage documents in privacy-sensitive domains when dealing with clients located in EU (GDPR)?

Andrei Pruteanu 0

Hello,

How can we manage documents in privacy-sensitive domains when dealing with clients located in EU (GDPR)? Used Azure services are: Document Intelligence and AI Foundry.

We're interested in knowing:

where are the documents stored when uploaded to Document Intelligence Studio?
where are the trained models stored (classification and extraction)?
where are the services deployed?

In brief, we want to be able to use Azure services but also be compliant with EU legislation (GDPR).

Regards,
Andrei

Pavankumar Purilla 8,665 Reputation points Microsoft External Staff Moderator

2025-07-04T10:58:39.2966667+00:00

Hi Andrei Pruteanu,
When working with clients located in the European Union (EU), ensuring compliance with the General Data Protection Regulation (GDPR) is critical, especially when handling sensitive documents. Using Azure Document Intelligence and AI Foundry, you can effectively manage documents while respecting GDPR requirements by carefully controlling where and how data is stored and processed.

Document Storage Location

Documents uploaded to Azure Document Intelligence Studio are stored temporarily in Azure Blob Storage associated with your Azure resource. Importantly, the storage location depends on the Azure region you select when creating your Document Intelligence resource. To comply with GDPR’s data residency requirements, it is strongly recommended to choose an Azure region located within the EU or the European Economic Area (EEA). This ensures that your documents remain within EU jurisdiction. Additionally, all data is encrypted both at rest and in transit, providing strong protection against unauthorized access.

Storage of Trained Models

Custom models created for document classification and data extraction are stored in the same Azure region as your Document Intelligence resource. The training data and models reside in your Azure subscription’s storage accounts, which you control. This setup allows you to manage and delete models as needed, supporting GDPR principles such as data minimization and the right to erasure. By keeping models and data within the EU region, you further ensure compliance with data localization requirements.

Service Deployment and Data Processing

Azure Document Intelligence and AI Foundry services run in the Azure region you select, so deploying these services in an EU region guarantees that data processing occurs within EU boundaries. Microsoft acts as a data processor under GDPR, and your organization remains the data controller responsible for compliance. Azure supports encryption with Microsoft-managed or customer-managed keys, and offers tools like Azure Policy and Compliance Manager to help enforce data residency, encryption, and audit logging policies.

GDPR Compliance and Best Practices

Microsoft Azure complies with GDPR and related privacy standards such as ISO 27018 and ISO 27701. Data processed by Document Intelligence is used solely to provide the service and is deleted within 24 hours unless you choose to retain it for model training. Azure provides transparency through contractual commitments and subprocessors disclosures.

To maintain GDPR compliance, it is advisable to complement Azure’s technical safeguards with organizational policies. This includes controlling access to sensitive documents, managing data retention periods, and ensuring data subject rights such as access, correction, and deletion are respected.

By selecting EU-based Azure regions, leveraging encryption, and applying appropriate data governance policies, you can confidently use Azure Document Intelligence and AI Foundry to manage documents in privacy-sensitive domains while meeting GDPR requirements.

Reference thread: https://learn.microsoft.com/en-us/answers/questions/2148511/verification-of-compliance-for-azure-document-inte
For more information: Data, privacy, and security for Document Intelligence
Data residency in Azure
Protecting privacy in Microsoft Azure: GDPR, Azure Policy Updates

2 answers

Your answer

Answer 1

Andrei Pruteanu 0

Hi Pavankumar,

So to summarize the answer: you're saying that EU-based Azure regions are fully GDPR compliant. If the documents are stored in an EU region, all data (documents and models) are stored within that region. Does the training happen within that region as well? If not, is the data moved outside that region for training and the model is moved back when done?

best,
Andrei

Manas Mohanty 6,455 Reputation points Microsoft External Staff Moderator

2025-07-07T07:20:43+00:00

Hey Andrei Pruteanu

All temporary processing from model and other data points are done on respective region only.

Have provided all details here on 2338310

Reference - https://learn.microsoft.com/en-us/legal/cognitive-services/document-intelligence/data-privacy-security#data-stored-by-document-intelligence

Thank you.
Andrei Pruteanu 0 Reputation points

2025-07-07T08:22:12.09+00:00

Hi @Manas Mohanty ,

Thank you for the answer! You haven't clarified my question about the training process:
`[..]
Does the training happen within that EU region as well? If not, is the data moved outside that region for training and the model is moved back when done?
[..]

best,
Andrei
Pavankumar Purilla 8,665 Reputation points Microsoft External Staff Moderator

2025-07-09T05:09:24.8466667+00:00

Hi Andrei Pruteanu,
Did you get any chance to check the response. Thank you!
Andrei Pruteanu 0 Reputation points

2025-07-09T06:44:08.8733333+00:00

Hi,

Thank you! You can close the ticket.

Answer 2

Hi Andrei Pruteanu,
yes, the training process itself also takes place entirely within the selected Azure region in this case, an EU-based region such as West Europe or North Europe. When you upload documents and train custom models using Azure Document Intelligence, the data, training operations, and resulting models are all confined to the region where the resource is deployed. Microsoft does not move data outside of the region for training or processing, nor are models relocated after training unless you explicitly configure such transfers. This approach ensures full support for data residency and localization under GDPR, giving you control over your data and where it is processed. You can find more details in Microsoft’s official documentation on Document Intelligence Data Privacy & Security.

Share via

How can we manage documents in privacy-sensitive domains when dealing with clients located in EU (GDPR)?

2 answers

Your answer