Services permanently excluded from the EU Data Boundary
Most of Microsoft's major commercial enterprise online services in the Azure, Dynamics 365, Power Platform, and Microsoft 365 service families are in scope for the EU Data Boundary, subject to the continuing flows of customer data related to operation and use of the services that are detailed in other EU Data Boundary articles or in sections of this article. Some services in these families, however, aren't in scope for the EU Data Boundary, typically because the nature of the service and the customer value it provides can't be delivered through a regionalized architecture. This article describes primary examples of services in this category. The list is non-exhaustive and may be updated over time. The Product Terms portion of the services agreement is the definitive source for determining whether a given service is an EU Data Boundary Service.
- Azure Front Door / Content Delivery Network: Azure Front Door (AFD) and Azure Content Delivery Network (CDN) are non-regional services that bring customers' static and dynamic content closer to their end users all over the world. To accelerate global requests, Azure Front Door and Azure CDN cache data at global edge locations on behalf of the customer. Both services use a networking technique called anycast to direct traffic between customer end users and point of presence (PoP) locations over the fastest available route. Because of this routing mechanism, and in order to meet customers' requirements to push data around the world, not all traffic stays within the EU Data Boundary. How long content remains cached can be controlled through the customer's configuration in the AFD or CDN profile settings.
- Windows 10 IoT Core Services: Windows 10 IoT Core Services is a global software update distribution service that hosts customer data to be distributed to our customers' own customers. The service enables customers to update their managed IoT devices using the global Windows Update content delivery network (CDN), and it allows their custom content and Microsoft's Windows IoT software updates to be delivered as a Windows Update. To provide this capability, customer data is stored both in Azure Storage and, across the world, on the servers that support Windows Update. Customer data transferred globally includes all data that customers upload in their Board Support Package (BSP), which can contain custom drivers, applications, and other data targeted for the device update.
Microsoft 365 services
- Microsoft 365 Applications (for builds pre-dating December 31, 2022): To ensure performance and stability for existing customers who use Microsoft 365 Applications, the EU Data Boundary commitments will apply only to versions released after December 31, 2022. Customers using older builds should upgrade to the latest version.
Microsoft Security Products help protect customers from the latest malware attacks, whether protecting their endpoints, their cloud workloads, or their email and collaboration software. Examples of customer-facing security capabilities that Microsoft Security Products generate through the use of cross-boundary signals include:
- Protection against sophisticated modern security threats: Microsoft uses advanced analytics capabilities, including artificial intelligence, to analyze globally aggregated security-related data. This helps prevent, detect, investigate, respond to, and remediate threats. Without this centralized analytics capability across global data, the efficacy of these services would degrade significantly, preventing Microsoft from providing the necessary levels of protection to customers.
- Detecting a compromised enterprise user: Microsoft helps detect identity compromise by tracking suspicious account sign-ins from multiple geographic regions within a brief period, a pattern known as impossible travel. To enable this type of protection, Microsoft security products centrally process global Azure Active Directory authentication logs.
- Detecting data exfiltration: Microsoft can help alert customers to potential data leakage from the enterprise by aggregating several signals of malicious access to data storage from various locations. Spreading access across many locations is a technique malicious actors use to stay below detection thresholds (known as low-and-slow attacks), so the individual signals have to be correlated to be detected.
The following Microsoft security products consolidate data globally to provide the customer-requested benefits described above.
Microsoft 365 Defender: Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Microsoft 365 Defender services require global systems (artificial intelligence, automation, and humans) to operate on global data in order to hunt across global customer telemetry. Human security researchers and analysts operate the intelligence aspect of the service 24/7/365, creating new detections, signatures, and heuristics, and they must work on global data from sites spread around the globe. Microsoft 365 Defender services store most customer data of EU customers in the EU region, with limited transfers that are stored encrypted in the United States. Access to this customer data is only through a Secure Admin Workstation (SAW) with just-in-time (JIT) access permission. For more information, visit the Microsoft Trust Center data location page and navigate to the Microsoft 365 Defender services within the cloud service data residency and transfer policies.
Microsoft Cloud Security: The suite of Microsoft Cloud Security services provides security posture management and threat protection for customers' workloads running in Azure, hybrid environments, and other cloud platforms, including Internet of Things (IoT) devices. These are global services that provide real-time alerts and security recommendations for customers' cloud resources. Customer data transferred by these services includes limited data-access, traffic, app and file metadata, and customer configurations. The transferred customer data is stored encrypted in the United States. Access to this customer data is only through a Secure Admin Workstation (SAW) with just-in-time (JIT) access permission.