Compliance and supporting information for Azure Information Protection

Note

Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?

The Azure Information Protection unified labeling client is now in maintenance mode. We recommend you use labels that are built in to your Office 365 apps and services. Learn more

Azure Information Protection supports other services and also relies on other services. If you’re looking for information that is related to Azure Information Protection but not about how to use the Azure Information Protection service, check the following resources:

Suitability for different countries

Given the variability between laws and regulations in different countries, different use cases and scenarios, and the varying requirements between different business sectors, you will need to consult your legal adviser to help you answer whether Azure Information Protection is suitable for your country.

However, some relevant information that can help your legal adviser make a determination:

  • Azure Information Protection uses AES 256 and AES 128 to encrypt documents. More information

  • All encryption keys used by Azure Information Protection are protected with a customer-specific root key that uses RSA 2048 bits. RSA 1024 bits is also supported for backwards compatibility. More information

  • Customer-specific root keys are either managed by Microsoft or provisioned by the customer in a nCipher HSM by using "bring your own key" (BYOK). Azure Information Protection also supports features for on-premises protection, for content that cannot be protected with a cloud-based key. For more information, see Planning and implementing your Azure Information Protection tenant key.

  • The Azure Information Protection service is hosted in regional data centers across the globe. Azure Information Protection keys always remain within the region in which is originally deployed.

  • Azure Information Protection does not transmit document contents from clients to the Azure Information Protection service. Content encryption and decryption operations are performed in-place in the client device. Or, for service-based rendering, these operations are performed within the service that’s rendering the content. More information

Security, compliance, and auditing

See the Security, compliance, and regulatory requirements section in the What is Azure RMS? article, for information about specific certifications for the Azure Rights Management service. In addition:

For in-depth technical information about how the protection technology works, see How does Azure RMS work?

Service level agreements

Documentation