Data handling in Universal Print
Universal Print keeps your data secure in transit (over the network) and at rest (in nonvolatile storage). All data is encrypted end-to-end with TLS 1.2 or 1.3 and HTTPS. At rest, Universal Print stores your data on the same secure platform as Exchange, OneDrive for Business, and Teams.
Universal Print stores all customer data in the geography the customer's tenant was created in. Customer data is not stored or moved outside the tenant's geography.
To learn how to configure your tenant's preferred data location, or how to use Advanced Data Residency to store data in multiple locations, read Data Residency for Exchange Online.
Because all customer data stored in Universal Print is encrypted at rest and in transit, you don't have to take any action to protect your data. Encryption is "on" by default and there are no controls to turn it on or off. Universal Print uses the same tools and processes as other Microsoft 365 services. Read about Encryption in Microsoft 365 for an in-depth look.
Data stored in Universal Print is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys).
Microsoft has a set of internal guidelines for encryption key rotation, which Universal Print follows. The specific guidelines are not published. Microsoft does publish the Security Development Lifecycle (SDL), which is seen as a subset of internal guidance and has useful best practices for developers.
Additionally, customer-managed keys can be configured at the tenant-level by using Customer Key for Microsoft 365. Read that documentation to understand how to encrypt your tenant's data with your own encryption key.