Microsoft has quietly introduced a change with far-reaching consequences for European businesses: Since March 2026, the new “Flex Routing” feature is enabled by default for all new Microsoft 365 tenants. This means that AI requests via Microsoft 365 Copilot are no longer necessarily processed in European data centers – they can be routed to the US, Canada, or Australia.
What Is Flex Routing?
Flex Routing is Microsoft’s response to capacity bottlenecks in AI processing. When European data centers are under high load, Copilot requests are automatically forwarded to data centers in other regions. Microsoft argues this improves performance and availability.
The problem: For new tenants since March 2026, this feature is enabled by default – without active administrator consent. If you do nothing, you may be sending sensitive company data across the Atlantic.
Why This Is a Problem for GDPR Compliance
The General Data Protection Regulation (GDPR) sets strict requirements for the transfer of personal data to third countries. Even though Microsoft emphasizes that the EU Data Boundary is generally maintained, there are critical points:
1. Anthropic Models Outside the EU Data Boundary
Particularly concerning: Since January 2026, Microsoft uses Anthropic as a subprocessor for Microsoft 365 Copilot. The official Microsoft documentation states:
“Anthropic models are out of scope for the EU Data Boundary and when available, in-country LLM processing commitments.”
This means: When Copilot uses Anthropic models (Claude) for processing, your data leaves the EU in any case – regardless of your Flex Routing settings.
2. No True Data Sovereignty
Microsoft’s own documentation admits: “Microsoft 365 Copilot calls to the LLM are routed to the closest data centers in the region, but also can call into other regions where capacity is available during high utilization periods.” This is an opt-out solution, not opt-in – the exact opposite of what the GDPR demands.
3. Third-Country Transfers Without Sufficient Legal Basis?
Following the Schrems II ruling by the CJEU, transferring personal data to the US is only possible under strict conditions. While the EU-US Data Privacy Framework provides a basis, the combination of automatic routing and lack of control over the exact processing location makes it difficult for companies to fulfill their accountability obligations under Art. 5(2) GDPR.
What You Should Do Immediately: Disable Flex Routing
If you use Microsoft 365 Copilot, you should immediately check whether Flex Routing is enabled in your tenant and disable it if necessary:
- Sign in to the Microsoft 365 Admin Center (admin.microsoft.com)
- Navigate to Settings → Organization profile → Data location
- Check the setting for Copilot data processing
- Ensure processing is restricted to the EU region
- Document this setting for your GDPR compliance records
For existing tenants created before March 2026, Flex Routing is reportedly not automatically enabled. Nevertheless, we recommend proactively checking your settings.
The Real Problem: Vendor Lock-in and Loss of Control
Flex Routing is just the latest example of a fundamental problem: When you rely on SaaS-based AI solutions like Microsoft Copilot, you largely give up control over data processing. Microsoft decides:
- Which AI models are used (including Anthropic as a subprocessor)
- Where processing takes place (potentially worldwide with Flex Routing)
- When conditions change (as with the silent activation of Flex Routing)
Add to this the significant licensing costs: Microsoft 365 Copilot costs $30 per user per month – on top of the existing Microsoft 365 license. For 100 employees, that’s $36,000 per year; for 500 employees, it is $180,000.
The Alternative: CompanyGPT – Full Control in Your Own Azure Environment
If you want AI functionality like Copilot but need to maintain full control over your data, CompanyGPT is the logical alternative.
What Is CompanyGPT?
CompanyGPT is an open-source-based enterprise AI platform that you operate in your own Azure or STACKIT cloud. You get a powerful AI chat solution that:
- Runs exclusively in the EU – in your own Azure tenant
- Shares no data with third parties – no subprocessor risk
- Supports all major AI models (GPT-4o, Claude, Gemini, Llama, Mistral)
- Incurs no per-user license costs – you only pay for infrastructure and token usage
- Enables custom AI agents and prompt catalogs
- Offers Confluence, SharePoint, and other integrations
Cost Comparison: Copilot vs. CompanyGPT
| | Microsoft 365 Copilot | CompanyGPT |
|---|---|---|
| Cost/User/Month | ~$30 + M365 License | Infrastructure + Tokens only |
| 100 Users/Year | ~$36,000 | ~$6,000–12,000 |
| 500 Users/Year | ~$180,000 | ~$12,000–24,000 |
| Data Processing | EU + Flex Routing | Guaranteed EU only |
| Subprocessors | Microsoft, Anthropic, etc. | None external |
| Model Selection | Microsoft-controlled | Freely selectable |
| Custom Agents | Limited | Full support |
Why Switching Pays Off
With CompanyGPT, companies not only save significant licensing costs but most importantly regain complete control over their data. No Flex Routing, no external subprocessors, no surprise changes to terms of service.
Conclusion: Act Now
Microsoft’s activation of Flex Routing demonstrates once again that cloud providers prioritize their own interests (capacity management, cost optimization) over the data protection interests of their customers. For European companies, there are two immediate recommendations:
Short-term: Check and disable Flex Routing in your Microsoft 365 Admin Center. Document the setting and inform your Data Protection Officer.
Medium-term: Evaluate data-sovereign alternatives like CompanyGPT that give you full control over data processing while being significantly more cost-effective.
Your GDPR compliance for AI usage should not depend on the capacity planning of a US technology corporation.
Want to learn more about CompanyGPT or have your current Copilot configuration reviewed? Contact us for a non-binding consultation. As AI compliance experts, we support you in evaluating your current situation and show you the path to a data-sovereign AI strategy.
Sources and Further Reading
- Microsoft Learn: Data, Privacy, and Security for Microsoft 365 Copilot
- Microsoft Learn: Data Residency for Microsoft 365 Copilot
- The Decoder / KI PRO: Microsoft aktiviert Copilot-Datenverarbeitung außerhalb der EU standardmäßig (Microsoft enables Copilot data processing outside the EU by default)
- EU Data Boundary for the Microsoft Cloud
- CompanyGPT – GDPR-compliant AI Platform
