Data storage in Universal Print
Universal Print stores all customer data in the geography the customer's tenant was created in. Customer data is not stored or moved outside the tenant's geography.
Encryption at rest is a phrase that commonly refers to the encryption of data on nonvolatile storage devices such as solid state drives (SSDs) and hard disk drives (HDDs). Universal Print stores customer data by using the same secure storage platform that your data in Exchange, Office, and Teams is stored on. Your data is encrypted in transit (over the network) and at rest (nonvolatile storage), giving you end-to-end encryption.
Because all customer data stored in Universal Print is encrypted at rest and in transit, you don't have to take any action to protect your data. Encryption is "on" by default and there are no controls to turn it on or off. Universal Print uses AES-256 encryption on all regions where the account is running.
Data stored in Universal Print is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys). Additionally, customer-managed keys can be configured at the tenant-level by using Customer Key for Microsoft 365.
Frequently asked questions
Q: Who manages the encryption keys?
A: The keys are managed by Microsoft.
Q: How often are encryption keys rotated?
A: Microsoft has a set of internal guidelines for encryption key rotation, which Universal Print follows. The specific guidelines are not published. Microsoft does publish the Security Development Lifecycle (SDL), which is seen as a subset of internal guidance and has useful best practices for developers.
Q: Can I use my own encryption key?
A: Since Universal Print stores your data on the same secure platform as Exchange, OneDrive for Business, and Teams, you can leverage existing support for customer-managed key encryption. See Customer Key for Microsoft 365 for details about encrypting your tenant's data with your own encryption key.