Services temporarily excluded from the EU Data Boundary

For some services, work is in progress to be included in the EU Data Boundary, but completion of this work is delayed. Services in this category are either temporarily excluded from the EU Data Boundary for all customers or are temporarily excluded from the EU Data Boundary for a particular subset of customers for a service (for example, based on a customer not yet having migrated to a service version in scope for the EU Data Boundary), as described in this documentation. The details in this documentation explain the Customer Data or pseudonymized personal data that these services currently transfer out of the EU Data Boundary as part of their service operations.

Azure services

Azure non-regional services

Azure non-regional services (complete list available here: Azure Products by Region) are services that have no dependency on a specific Azure region and don't currently let customers specify a region for deployment. Non-regional services are being rearchitected to be included in the EU Data Boundary. For some services, this work is already complete. See Configuring Azure non-regional services for the EU Data Boundary for a list of these services, including information on how to configure them to store and process Customer Data and pseudonymized personal data in the EU Data Boundary.

The following sections provide information about the other non-regional services for which rearchitecting is still in progress and explain what Customer Data or pseudonymized personal data is transferred outside of the EU Data Boundary, why those transfers occur, and how the transferred data is protected while outside the EU.

Azure Resource Manager

Azure Resource Manager is the deployment and management service for Azure. To provide maximum availability and performance, Azure Resource Manager was architected to distribute all data it stores and processes globally across the Azure cloud. As part of the EU Data Boundary and Microsoft's regional data residency commitments, Azure Resource Manager is being rearchitected to allow Customer Data and pseudonymized personal data to be stored and processed regionally. This work is still in progress, and the following Azure services that depend on Azure Resource Manager for routing capabilities will continue to store and process Customer Data and pseudonymized personal data globally (in any Microsoft datacenter within Azure public regions) until this work is complete:

  • Azure Managed Applications provide a framework to implement cloud solutions that are easy for consumers to deploy and operate. Types of Customer Data that is transferred and stored in the United States include metadata associated with publishing the application like Plan and Publisher Name, Publisher ARM templates, and other package files. Pseudonymized personal data such as primary unique user ID (PUID) and object IDs associated with customer operations are also transferred and stored in the US.

  • Azure Policy enforces organizational standards and compliance by comparing the properties of Azure resources against configured business policies. Types of Customer Data that will be transferred globally include policy entities, compliance information, usernames, and email addresses. Pseudonymized personal data transferred globally includes object IDs.

  • Azure portal, Azure Mobile App, Azure Resource Graph, Role-Based Access Control: Azure portal provides a web-based interface that allows customers to manage Azure subscriptions and resources. Azure Mobile App provides customers with a mobile application to manage Azure subscriptions and resources. Azure Resource Graph provides APIs to query Azure resources at scale. Role-Based Access Control provides Azure resource access management via the Azure portal. All these solutions provide ways to interact with resources that are governed by Azure Resource Manager. Customer Data that is transferred globally includes values like usernames, email addresses, IP addresses, and Microsoft Entra ID tokens. Pseudonymized personal data transferred globally includes user global unique ID (GUID), primary unique ID (PUID), and sessions IDs. In the case of Azure Resource Graph, pseudonymized personal data transferred globally includes object IDs, PUID, subscriptions, tenant IDs, and user queries in addition to customer-defined resource properties.

Azure DevOps

Azure DevOps: Azure DevOps provides a suite of services to facilitate team development, planning, and collaboration. When Azure DevOps customers use the Token feature and issue Personal Access Tokens (PAT), or provide Secure Shell (SSH) Keys, this Customer Data is transferred from the EU Data Boundary to systems within the United States. PATs and SSH Keys are stored in the United States for as long as the Azure DevOps organization and/or project is active, or the customer decides to delete the PAT or SSH Keys. In addition to Customer Data transfer with PAT and SSH keys, user email addresses are globally stored in a US-based DevOps routing service for back-end compatibility with public APIs that support the way user descriptors were previously stored in Azure DevOps.

Microsoft 365 services

Viva Engage (formerly called Yammer)

Viva Engage customers that onboarded prior to 2019 currently have their data stored in North America. Microsoft will publish a plan for migrating these customers by the end of the year. Until migration, all Customer Data for these affected customers will continue to be transferred to, stored, and processed in North America. This also applies to the same customers using Viva Answers, which is part of Viva Engage.

A copy of Viva Engage reactions data (for example, likes of Viva Engage posts) is currently stored with a third-party subprocessor, Snowflake, Inc., which processes data in the United States. The Engage team is working on a plan to keep reactions data within the EU by mid-2025.

Pseudonymized personal data about a user’s interactions with Viva Engage (for example, a user navigating from one page to another or performing a scroll action on a feed) will be stored in North America through December 31, 2024.

Viva Insights

Viva Insights (legacy version) data will continue to be processed in North America, while the modern Viva Insights supports full storage and processing of Customer Data in the EU. To start using the modern version, refer to these instructions.

Watson Platform for Enterprise

Watson Platform for Enterprise: If a customer has enabled optional connected experiences for Office products or has configured Windows for enterprise to collect optional diagnostic data, crash data is sent to the United States. When an Office application or Windows for enterprise exits unexpectedly, crash data is collected and can include various information about the application state or device, such as in-memory data, processes running on the device, device configuration and other data depend on the crash scenario or application or service.

Whiteboard

Whiteboard: As of July 2022, Customer Data stored in whiteboards created in the standalone Whiteboard application and in Microsoft Teams meetings, chats, and channels defaults to OneDrive for Business storage in the EU Data Boundary for relevant customers. With the exception of Whiteboards created prior to July 2022, and those created from Surface Hubs and Microsoft Teams Room devices, all Whiteboard content is stored in the EU for EU customers. By the end of 2024, customers who created whiteboards from a Surface Hub or Microsoft Teams Room device will be moved to the EU for EU customers through a choice driven migration experience.