Request for Confirmation on Data Residency for Azure OpenAI PTUs in UAE North

Question

Dear's,

As part of our compliance obligations under CBUAE Rulebook (Circular 14/2021) and internal governance, we require confirmation regarding the data residency behavior of Azure OpenAI deployed via Regional Provisioned Throughput Units (PTUs) in UAE North.

Specifically, please confirm the following:

Prompt and Response Processing Location

• Does Microsoft guarantee that all prompt and response processing—including in-memory inference—occurs entirely within UAE North datacenters when PTUs are provisioned in this region?
• Are there any scenarios where data (including sampled prompts, outputs, or metadata) may leave UAE for abuse monitoring, telemetry, or other service-level operations?

Supporting Services If any supporting services (e.g., abuse detection, logging, telemetry) involve cross-border data movement, please detail:

• The nature of data transferred (full prompts, partial samples, metadata only)
• Retention duration and encryption measures applied
• Applicable contractual safeguards (e.g., Data Protection Addendum, SCCs)

Roadmap for Full In-Region Execution If full in-region processing is not currently guaranteed, what is Microsoft’s roadmap and timeline for enabling strict residency for inference and all associated operations for Azure OpenAI PTUs in UAE?

This confirmation is critical for us to proceed with deployment and ensure compliance with UAE’s data residency requirements. We appreciate your detailed response at the earliest convenience.

Thank you

Answer 1

Hi Rahul Ramakrishnan

When you provision Azure OpenAI PTUs in UAE North, inference (prompt and response processing) is designed to occur within the UAE North datacenter. This includes model execution and in-memory operations. However, Microsoft does not currently guarantee that all associated service-level operations remain in-region. Certain global functions—such as abuse monitoring and telemetry—may involve minimal cross-border data movement for security and reliability purposes.

Scenarios Where Data May Leave UAE

• Abuse Detection & Telemetry: Microsoft may sample small portions of data (e.g., truncated prompts or metadata) for abuse detection and service health monitoring.
• Nature of Data Transferred: Typically, this involves metadata and partial samples, not full prompts or responses.
• Retention & Encryption: Data is encrypted in transit and at rest. Retention is short-term and governed by Microsoft’s Data Protection Addendum (DPA) and applicable contractual safeguards, including Standard Contractual Clauses (SCCs) for any cross-border transfers.

Supporting Services and Compliance Controls

• Azure Policy & Purview Compliance Manager: These tools allow enforcement of data residency and monitoring policies.
• Diagnostic Settings: Logs and telemetry can be routed to UAE-based storage accounts to maintain compliance.
• Encryption: All telemetry and diagnostic data are encrypted using Microsoft’s standard security protocols.

Roadmap for Full In-Region Execution

Microsoft is actively expanding regional isolation capabilities for Azure OpenAI. While PTUs already provide strong residency alignment, full in-region execution for all supporting services (including abuse monitoring) is on the roadmap, but timelines have not been publicly committed. Expect incremental improvements aligned with Azure Sovereign Cloud initiatives and regulatory requirements in UAE and other jurisdictions..

Key Takeaways for Compliance

• PTUs in UAE North keep inference local, but some global monitoring functions may still apply.
• Contractual safeguards (DPA, SCCs) and encryption mitigate compliance risks.
• Use Azure Policy, Purview, and diagnostic routing to strengthen residency adherence.
• Monitor Microsoft roadmap for updates on full isolation features.

Reference

https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/openai/data-privacy?view=foundry-classic&tabs=azure-portal

https://learn.microsoft.com/en-us/azure/compliance/offerings/

Thank you!