Data residency in Azure

Azure has more global regions than any other cloud provider – offering the scale and data residency options that you need to bring your apps closer to your users around the world.

As a customer, you maintain ownership of customer data – the content, personal and other data that you provide for storing and hosting in Azure services. Microsoft will not store or process customer data outside the geography that you specify, except for certain non-regional services. You are also in control of any additional geographies where you decide to deploy your solutions or replicate your data.

Where a service’s functionality requires global data replication, details are available below.

  • Microsoft secures your data using multiple layers of security and encryption protocols. Get an overview of how Microsoft uses encryption to secure your data.

    By default, Microsoft Managed Keys protect your data, and customer data that persists on any physical media is always encrypted using FIPS 140-2-compliant encryption protocols. Customers can also employ customer-managed keys (CMK), double encryption and/or hardware security modules (HSM) for increased data protection.

    All data traffic moving between data centres is protected using the IEEE 802.1AE MAC Security (MACsec) standard, which encrypts traffic at the link layer and prevents physical “man-in-the-middle” attacks on the wire. To maintain resiliency, Microsoft uses variable network paths that sometimes cross Geo boundaries, but replication of customer data between regions is always transmitted over encrypted network connections.

    Additionally, to minimise privacy risk, Microsoft generates pseudonymous identifiers that enable Microsoft to offer a global cloud service (including operating and improving services, billing and fraud protection). In all cases, pseudonymous identifiers cannot be used to directly identify an individual, and access to the customer data that identifies individuals is always protected as described above.

  • All Azure services can be used in compliance with the GDPR. If customers using Azure services choose to transfer content containing personal data across borders, they will need to consider the legal requirements that apply to such transfers. Microsoft provides customers with services and resources to help them comply with GDPR requirements that may apply to their operations.

    Some Microsoft online services share data with third parties acting as its subprocessors. The publicly disclosed Microsoft Online Services Subprocessors List identifies subprocessors authorised to process customer data or personal data. All such subprocessors are contractually obligated to meet or exceed the contractual commitments that Microsoft makes to its customers.

    Microsoft will not provide any third party (a) direct, blanket or unfettered access to customers' data; (b) platform encryption keys used to secure data or the ability to break such encryption; or (c) access to data if Microsoft is aware that the data is to be used for purposes other than those stated in the third party's request. Further information on Microsoft’s approach to legal disclosure of customer data in relation to government demands is available here.

Most Azure services enable you to specify the region where your customer data will be stored and processed. Microsoft may replicate to other regions for data resiliency, but Microsoft will not store or process customer data outside the selected Geo. You and your users may move, copy or access your customer data from any location globally.
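One way to enforce the region choice described above, rather than relying on each deployment picking the right region by hand, is an Azure Policy definition that denies any resource whose location falls outside the regions of your selected Geo. The definition below is an added example, not Microsoft's published built-in policy; the parameter name `allowedLocations` and the default region list (two regions assumed to belong to the Asia Pacific Geo) are assumptions for illustration, and you would replace them with the regions of the Geo you chose.

```json
{
  "properties": {
    "displayName": "Deny resources deployed outside the selected Geo (added example)",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions that belong to the customer-selected Geo (assumed list, adjust to your Geo)",
          "strongType": "location"
        },
        "defaultValue": [ "southeastasia", "eastasia" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assign the definition at management-group or subscription scope and override `allowedLocations` per assignment. The `notEquals global` clause keeps non-regional resources such as Traffic Manager and Azure DNS deployable, since their location is `global` rather than a region. Be clear about what this check does and does not cover: it governs only the `location` property of resources at deployment time, so it does not change where the regional exceptions and non-regional services listed further down this page store their data, and it does not replace reviewing those lists for the services you use.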

More information on customer data location

Data storage for regional services

Most Azure services are deployed regionally and enable the customer to specify the region into which the service will be deployed. Examples of such Azure services include virtual machines, storage and SQL Database. For a complete list of regional services, see Products available by region.

Microsoft may copy customer data between regions within a given Geo for data redundancy or other operational purposes. For example, geo-redundant storage replicates Blob, File, Queue and Table data between two regions within the same Geo for enhanced data durability in case of a major data centre disaster.

Microsoft will not store or process customer data outside the customer-specified Geo without your permission except for the following regional services:

  • Azure Cloud Services, which backs up web and worker-role software deployment packages to the United States regardless of the deployment region.
  • Language Understanding, which may store active learning data in the United States, Europe or Australia based on the authoring regions which the customer uses.
  • Azure Machine Learning, which may store freeform text that the customer provides (such as names for workspaces, resource groups, experiments, files and images) and experiment parameters in the United States.
  • Azure Databricks, which stores identity data, and certain table names and object path information in the United States.
  • Azure Sentinel
  • Azure Serial Console, which stores all customer data at rest in the Geo selected by customer, but when used through the Azure Portal, it may process console commands and responses outside the Geo for the sole purpose of providing the Console experience inside the Portal.
  • Preview, beta or other prerelease services, which typically store customer data in the United States but may store it globally.

Customers can configure the following Azure services, tiers or plans to store customer data only in a single region:

(1) Single-region data residency is currently only provided by default in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and the Brazil South (Sao Paulo State) Region of the Brazil Geo. For all other regions, customer data is stored within the Geo.

(2) Single-region data residency is currently only provided by default in the Southeast Asia Region (Singapore) of the Asia Pacific Geo. For all other regions, customer data is stored within the Geo.

(3) The previewed feature to enable storing customer data in a single region is currently only available in the Southeast Asia region (Singapore) of the Asia Pacific Geo and the South Brazil (Sao Paulo state) region of the Brazil Geo. For all other regions, customer data is stored within the Geo.

(4) For Azure Databricks, identity data, certain table names and object path information are stored in the United States. The capability to enable storing all other customer data in a single region is currently available in the Southeast Asia region (Singapore) of the Asia Pacific Geo and the South Brazil (Sao Paulo state) region of the Brazil Geo. For all other regions, customer data is stored within the Geo (subject to the aforementioned exception).

(5) ZRS Classic stores data in multiple regions.

Data storage for non-regional services

Certain Azure services do not enable the customer to specify the region where the service will be deployed. These services may store or process customer data in any Microsoft data centre, unless otherwise specified.

  • Azure Content Delivery Network, which provides a global caching service and stores customer data at edge locations around the world.
  • Azure Active Directory (Azure AD), which may store Azure AD data globally. This does not apply to Azure AD deployments in the United States (where Azure AD data is stored solely in the United States) and in Europe (where Azure AD data is stored in Europe or the United States).
  • Azure Multi-Factor Authentication, which stores authentication data in the United States.
  • Azure Security Center, which may store a copy of security-related customer data, collected from or associated with a customer resource (such as a virtual machine or an Azure AD tenant):

    (a) in the same Geo as that resource, except in those Geos where Microsoft has yet to deploy Security Center, in which case, a copy of such data will be stored in the United States; and

    (b) where Security Center uses another Microsoft Online Service to process such data, it may store such data in accordance with the geolocation rules of that other Online Service.

  • Services that provide global routing functions and do not process or store customer data themselves. This includes Azure Traffic Manager – which provides load balancing between different regions – and Azure DNS – which provides domain name services that route to different regions.

For a complete list of non-regional services, see Products available by region and select Non-regional.