
Data residency in Azure

Azure has more global regions than any other cloud provider—offering the scale and data residency options you need to bring your apps closer to your users around the world.

Data security and compliance with the GDPR

As a customer, you maintain ownership of customer data—the content, personal and other data you provide for storing and hosting in Azure services. You are also in control of any additional geographies where you decide to deploy your solutions or replicate your data.

Where a service's functionality requires global data replication, details are available below.

Data security

Microsoft secures your data using multiple layers of security and encryption protocols. Get an overview of how Microsoft uses encryption to secure your data.

By default, Microsoft Managed Keys protect your data, and customer data that persists on any physical media is always encrypted using FIPS 140-2 compliant encryption protocols. Customers can also employ customer-managed keys (CMK), double encryption and/or hardware security modules (HSM) for increased data protection.

All data traffic moving between datacenters is protected using IEEE 802.1AE MAC Security Standards, preventing physical "man-in-the-middle" attacks. To maintain resiliency, Microsoft uses variable network paths that sometimes cross Geo boundaries, but replication of customer data between regions is always transmitted over encrypted network connections.

Additionally, to minimize privacy risk, Microsoft generates pseudonymous identifiers that enable Microsoft to offer a global cloud service (including operating and improving services, billing, and fraud protection). In all cases, pseudonymous identifiers cannot be used to directly identify an individual, and access to the customer data that identifies individuals is always protected as described above. 


Select your geography

Most Azure services enable you to specify the region where your customer data will be stored and processed. Microsoft may replicate to other regions for data resiliency, but Microsoft will not store or process customer data outside the selected Geo. You and your users may move, copy, or access your customer data from any location globally.

*In some cases, data for certain services may be stored outside of specified regions. See more information on this page for details.

Data residency

Download the chart under “Select your geography” for details.

Products available

To learn about product availability, visit Products available by Region.

More information on customer data location 

Data storage for regional services

Most Azure services are deployed regionally and enable the customer to specify the region into which the service will be deployed. Examples of such Azure services include virtual machines, storage, and SQL Database. For a complete list of regional services, see Products available by region.

Microsoft will not store or process customer data outside the customer-specified Geo without your authorization.

Microsoft may copy customer data between regions within a given Geo for data redundancy or other operational purposes. For example, geo-redundant storage replicates Blob, File, Queue and Table data between two regions within the same Geo for enhanced data durability in case of a major datacenter disaster.

Microsoft personnel (including subprocessors) located outside the Geo may remotely operate data processing systems in the Geo but will not access Customer Data without your authorization.

The following services may store or process certain data outside the specified Geo:

  • Azure Cloud Services, which backs up web and worker-role software deployment packages to the United States regardless of the deployment region.
  • Azure Data Explorer (ADX) stores partial usage data and service traces on a central cluster located in the EU for a limited time.
  • Language Understanding, which may store active learning data in the United States, Europe, or Australia based on the authoring regions which the customer uses.
  • Azure Machine Learning, which may store free-form text of asset names that the customer provides (such as names for workspaces, names for resource groups, names for experiments, names of files, and names of images) and experiment execution parameters (experiment metadata) in the United States for debugging purposes.
  • Azure Databricks stores the following identity information in the United States to provide account and access management functionality to customers: username, first name, last name, and email address. This data is stored in the United States to support the global Azure Databricks platform.
  • Azure Serial Console, which stores all customer data at rest in the Geo selected by customer, but when used through the Azure Portal may process console commands and responses outside of the Geo for the sole purpose of providing the Console experience inside the Portal.
  • Azure OpenAI Service, which stores all customer data at rest in the Geo selected by the customer, but for any model deployment type labeled as ‘Global,’ may process prompts and completions sent to and output by that deployment, for inferencing or fine-tuning, in any Azure OpenAI region globally.
  • Preview, beta, or other prerelease services, which typically store customer data in the United States but may store it globally.

Customer data in a single region

Customers can configure the following Azure services, tiers, or plans to store customer data only in a single region in Singapore, Hong Kong, or Brazil South:

Data storage for non-regional services

Certain Azure services do not enable the customer to specify the region where the service will be deployed. These services may store or process customer data in any Microsoft datacenter within Azure public regions, unless otherwise specified. 

  • Azure Content Delivery Network, which provides a global caching service and stores customer data at edge locations around the world. See Azure CDN POP locations by region.
  • Microsoft Entra ID (formerly Azure Active Directory), which operates as a non-regional service and, based on customer requirements, including availability and scalability, may store Microsoft Entra directory data globally.
  • Microsoft Defender for Cloud, which may store a copy of security-related customer data, collected from or associated with a customer resource (such as virtual machine or Azure AD tenant):
    (a) in the same Geo as that resource, except in those Geos where Microsoft has yet to deploy Microsoft Defender for Cloud, in which case a copy of such data will be stored in the United States; and
    (b) where Microsoft Defender for Cloud uses another Microsoft Online Service to process such data, it may store such data in accordance with the geolocation rules of that other Online Service.
    (c) if a customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo.
    (d) The geo commitments in (a) and (c) do not apply to the following features: Security-Solution (WAF). 
  • Microsoft Defender for IoT, which may use other Microsoft Online Services to process security-related customer data; this data may be stored in accordance with the geolocation rules of that other Online Service.
  • Microsoft Fabric enables the option to select an Azure region where Customer Data is stored when creating new Microsoft Fabric capacity. The default option listed is the user's tenant home region; if a user selects that region, all associated data, including Customer Data, will be stored in that Geo. If a user selects a different region, some Customer Data will still remain in the home Geo.
  • Services that provide global routing functions and do not themselves process or store customer data. This includes Azure Traffic Manager—which provides load balancing between different regions—and Azure DNS—which provides domain name services that route to different regions. 

For a complete list of non-regional services, see Products available by region and select Non-regional.

[1] Single region data residency is provided by default currently only in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of Brazil Geo. For all other regions, customer data is stored in Geo.

[2] Single region data residency is provided by default currently only in the Southeast Asia Region (Singapore) of the Asia Pacific Geo. For all other regions, customer data is stored in Geo.

[3] Azure Databricks stores the following identity information in the United States to provide account and access management functionality to customers: username, first name, last name, and email address. This data is stored in the United States to support the global Azure Databricks platform. The capability to enable storing all other customer data in a single region is currently available in the Southeast Asia Region (Singapore) of the Asia Pacific Geo and Brazil South (Sao Paulo State) Region of the Brazil Geo. For all other regions, customer data is stored in Geo (subject to the aforementioned exception).

[4] ZRS Classic, GRS/RA-GRS, GZRS/RA-GZRS store data in multiple regions.