Copilot Studio security and governance


Power Virtual Agents capabilities and features are now part of Microsoft Copilot Studio following significant investments in generative AI and enhanced integrations across Microsoft Copilot.

Some articles and screenshots may refer to Power Virtual Agents while we update documentation and training content.

Microsoft Copilot Studio follows the Security Development Lifecycle (SDL). The SDL is a set of strict practices that support security assurance and compliance requirements. Learn more at Microsoft Security Development Lifecycle Practices.

The Copilot Studio service is governed by your commercial license agreements, including the Microsoft Product Terms and the Data Protection Addendum. For the location of data processing, refer to the geographical availability documentation.

The Microsoft Trust Center is the primary resource for Power Platform compliance information. Learn more at Copilot Studio Compliance Offerings.

Furthermore, Power Platform has an extensive set of Data Loss Prevention features to help you manage the security of your data. Learn how to Configure Data Loss Prevention policies for copilots in your organization.

To further govern and secure Copilot Studio using generative AI features in your organization, you can do the following,

  1. Disable copilot publishing:

    • Your admin can disable the ability to publish copilots with generative answers and actions for your tenant in the Power Platform admin center.

      Screenshot showing the option to disable copilot publishing.

    • Your admin can disable Copilot for your organization by creating a support request.

  2. Disable data movement across geographic locations for Copilot Studio generative AI features outside the United States.

  3. Enable Copilot Studio conversational plugins.

Finally, Copilot Studio supports securely accessing customer data using Customer Lockbox.