In today’s digital landscape, compliance is more critical than ever. Organizations must adhere to various regulations and standards to protect sensitive data, maintain customer trust, and avoid legal repercussions. One key aspect of compliance is ensuring data residency, which involves storing and processing data within specific geographic boundaries. Microsoft Copilot Studio offers robust features to help organizations meet critical compliance requirements, particularly in terms of geographical data residency.
Why compliance is important
Legal requirements: Many countries have stringent data protection laws that mandate where data can be stored and processed. Non-compliance can result in hefty fines and legal actions.
Customer trust: Adhering to compliance standards demonstrates a commitment to data security, which can enhance customer trust and loyalty.
Risk management: Compliance helps in identifying and mitigating risks associated with data breaches and unauthorized access.
Operational efficiency: Following compliance guidelines can streamline processes and improve overall operational efficiency.
Copilot Studio is designed with compliance at its core and is an Online Service as defined in the Online Services Terms (OST). It is compliant with or covered by:
Health Insurance Portability and Accountability Act (HIPAA) coverage
Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
Federal Risk and Authorization Management Program (FedRAMP)
System and Organization Controls (SOC)
Various International Organization for Standardization (ISO) certifications
Payment Card Industry (PCI) Data Security Standard (DSS)
The Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)
United Kingdom Government Cloud (G-Cloud)
Outsourced Service Provider's Audit Report (OSPAR)
Korea-Information Security Management System (K-ISMS)
Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures
Health Insurance Portability and Accountability Act (HIPAA) coverage
HIPAA is a United States healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—that have access to patients' protected health information (PHI), in addition to business associates—such as cloud service and IT providers—that process PHI on their behalf.
Microsoft Copilot Studio is covered under the Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).
You can create agents that handle protected health information when your organization is bound by HIPAA, as in the following scenarios where the agent can:
Ask individuals to provide their health information (blood pressure, weight, and so on).
Capture health information and personally identifying information, such as the customer's IP address or email address.
Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)
HITRUST is an organization governed by representatives from the healthcare industry.
HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance consistently.
The CSF builds on HIPAA and the HITECH Act, US healthcare laws that establish requirements for the use, disclosure, and safeguarding of individually identifiable health information and impose penalties for non-compliance.
HITRUST provides a benchmark—a standardized compliance framework, assessment, and certification process—against which cloud service providers and covered health entities can measure compliance.
Federal Risk and Authorization Management Program (FedRAMP)
FedRAMP was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA) and to accelerate the adoption of secure cloud solutions by federal agencies.
Microsoft's government cloud services meet the requirements of FedRAMP.
By deploying protected services including Azure Government, Office 365 US Government, and Dynamics 365 Government, federal and defense agencies can use a rich array of compliant services.
Various International Organization for Standardization (ISO) certifications
Microsoft Copilot Studio is compliant with the ISO standards listed in the following table. Audit reports for each are available from the Microsoft Service Trust Portal.
Payment Card Industry (PCI) Data Security Standard (DSS)
The Payment Card Industry (PCI) Data Security Standards (DSS) form a global information security standard designed to prevent fraud through increased control of credit card data.
Organizations of all sizes must follow PCI DSS standards if they accept payment cards from the five major credit card brands:
Visa
MasterCard
American Express
Discover
Japan Credit Bureau (JCB)
Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and card-holder data.
The Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)
The Security Trust Assurance and Risk (STAR) Program is built on the principles of transparency, rigorous auditing, and harmonization of standards. Companies that participate in STAR demonstrate best practices and validate the security posture of their cloud offerings.
The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their providers' security and make better-informed procurement decisions.
Microsoft Copilot Studio has been audited to be compliant with CSA STAR.
United Kingdom Government Cloud (G-Cloud)
Government Cloud (G-Cloud) is a UK government initiative to ease procurement of cloud services by government departments and promote government-wide adoption of cloud computing.
G-Cloud comprises a series of framework agreements with cloud services suppliers (such as Microsoft), and a listing of their services in an online store, the Digital Marketplace. These enable public-sector organizations to compare and procure those services without having to do their own full review process.
Inclusion in the Digital Marketplace requires a self-attestation of compliance, followed by a verification performed by the Government Digital Service (GDS) branch at its discretion.
Outsourced Service Provider's Audit Report (OSPAR)
The OSPAR framework was established by the Association of Banks in Singapore (ABS), which formulated IT security guidelines for outsourced service providers (OSPs) that seek to provide services to Singapore's financial institutions. The ABS Guidelines are intended to assist financial institutions in understanding approaches to due diligence, vendor management, and key technical and organizational controls that should be implemented in cloud outsourcing arrangements, particularly for material workloads.
Korea-Information Security Management System (K-ISMS)
K-ISMS is a country/region-specific ISMS framework that defines a stringent set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets.
The MTCS Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore (IDA).
The ITSC promotes and facilitates national programs to standardize IT and communications, and Singapore's participation in international standardization activities.
Spain Esquema Nacional de Seguridad (ENS) High-Level Security Measures
In 2007, the Spanish government enacted Law 11/2007, which established a legal framework to give citizens electronic access to government and public services. This law is the basis for Esquema Nacional de Seguridad (National Security Framework), which is governed by Royal Decree (RD) 3/2010.
The goal of the framework is to build trust in the provision of electronic services, and ensure the access, integrity, availability, authenticity, confidentiality, traceability, and preservation of data, information, and services.
This module examines how Microsoft 365 Copilot adheres to existing privacy and compliance obligations, how it ensures data residency and compliance boundary, and how it protects sensitive business data.