fairlane.systems

Tools · Microsoft 365 Copilot

Microsoft 365 Copilot for Swiss Trustees: Data Residency, Flex Routing & revFADP Checklist

Data residency, EU Data Boundary, Flex Routing, no training on tenant data and revFADP processing rules – what really applies when using Copilot with client data.

Researched & fact-checked by: · As of: 2026-06

What is Microsoft 365 Copilot?

Microsoft 365 Copilot is an AI assistant that connects large language models (LLMs) with your Microsoft 365 data via the Microsoft Graph, working inside Word, Excel, PowerPoint, Outlook, Teams, Loop and OneNote. Copilot only accesses content for which the individual user has at least view permissions – existing permissions from SharePoint, OneDrive and Exchange apply unchanged.

The naming landscape is confusing, hence the distinction: Microsoft 365 Copilot Chat (launched January 2025, formerly "Microsoft Copilot" / for commercial users "Bing Chat Enterprise") is the licence-free tier with "Enterprise Data Protection" (EDP). It offers AI-assisted conversation but, without a paid Copilot licence, does not access your business data in the Graph. The former "Business Chat" feature within the paid M365 Copilot subscription is now also called "Copilot Chat" within that licensed experience. Be clear per use case which of the two products is meant.

For processing, Copilot uses Azure OpenAI, not the public OpenAI services. The layers must be kept apart: per Microsoft documentation, Azure OpenAI (the inference layer) does not cache prompts and responses. This is separate from the Copilot storage layer: Microsoft 365 Copilot stores interaction content (prompts, responses, citations) at rest in the tenant's region – which is precisely why data residency (and the ADR add-on) is a topic at all.

For a trustee office the key point is: as soon as Copilot accesses client documents, accounting data or correspondence, you are processing third-party personal data – which triggers the processor obligations of the revised Data Protection Act (revFADP, in force since 1 Sept 2023).

Why this matters for trustees

Trustees process particularly sensitive data: payroll, tax returns, bank details, sometimes health or debt-collection information. This data belongs to the clients, not the trustee office. When using an AI tool you must therefore be able to demonstrate where the data is processed, who is engaged as a processor, and that the data is not used for model training.

Microsoft makes binding commitments here: per Microsoft documentation, "prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation LLMs." Copilot is also embedded in the existing Microsoft 365 contracts (DPA, Product Terms) and has been listed as a covered workload in the data residency commitments since 1 March 2024.

At the same time there are limits a trustee must know – and one has become the most urgent question since April 2026: Flex Routing. Since 17 April 2026, Flex Routing has been enabled by default for eligible EU/EFTA tenants (Switzerland included), and is not a narrow peak-load exception. With Flex Routing active, LLM inferencing – together with pseudonymised associated data – may be processed in the US, Canada or Australia, i.e. outside the EU Data Boundary. This is a transatlantic data transfer that requires a transfer basis under the GDPR/revFADP. Anyone needing exclusively EU/EFTA processing must actively disable Flex Routing (Copilot → Settings → View all → Flex routing).

Likewise, specific models – such as Anthropic models in Copilot – are explicitly outside the EU Data Boundary and in-country processing. Failing to check this risks giving a client an incorrect assurance.

How data residency and processing work

Data at rest. The content of Copilot interactions (your prompt and Copilot's response including citations) and the semantic index are stored in the relevant region. Switzerland is a valid sign-up region in the Microsoft Product Terms. For tenant data to actually reside in the Swiss datacenter region, the Advanced Data Residency (ADR) add-on is usually required – including a Global Admin opt-in if data currently sits in a macro region (e.g. the EU). Multi-Geo controls storage via each user's "Preferred Data Location".

Processing (LLM calls). The actual model calls are routed to the nearest datacentre. EU/EFTA traffic stays in principle within the EU Data Boundaryprovided Flex Routing is not enabled. Since 17 April 2026, however, Flex Routing has been on by default for eligible EU/EFTA tenants and allows LLM inferencing to be offloaded to the US, Canada or Australia – i.e. outside the boundary. Admins must actively disable Flex Routing (Copilot → Settings → View all → Flex routing) if exclusively EU/EFTA processing is required. Microsoft has also announced end-to-end AI processing in Europe as part of the EU Data Boundary on a regional EU/EFTA basis (Switzerland included as an EFTA member); Flex Routing acts as an exception to this commitment that is on by default.

In-country processing. In November 2025 Microsoft announced expanding local processing of Copilot interactions to 15 countries in total, Switzerland included. Initial countries (e.g. UK, India) were already available by end of 2025; further countries (e.g. Australia, US) are planned by end of 2026, with Canada in 2027 and Japan in 2028. An April 2026 update placed EU/EFTA countries (incl. Switzerland) under the regional EU Data Boundary local-inferencing track rather than standalone in-country infrastructure. The "by end of 2026" date for Switzerland is therefore not confirmed with the same certainty as for e.g. UK/India – treat the Swiss timeline as subject to revision (as of Nov 2025 / Feb 2026).

Training & storage. Content is stored encrypted and is not used to train foundation LLMs. Abuse monitoring with human review is disabled for Copilot. Optional customer feedback does not feed model training.

revFADP checklist before the Copilot rollout

  1. 01Inventory: which client data (categories, sensitivity) should be accessible to Copilot? Update the revFADP record of processing activities.
  2. 02Document processing: file the Microsoft Data Protection Addendum and Product Terms as the basis of the processor relationship.
  3. 03Decide on Anthropic models deliberately: for EU/EFTA tenants Anthropic models are off by default. Enabling them is a transfer to a US-based sub-processor outside the EU Data Boundary and the in-country commitments and requires its own revFADP transfer basis (e.g. standard contractual clauses). Decide and document consciously, not merely note it.
  4. 04Set data residency: check whether Advanced Data Residency (ADR) is needed for the Swiss region. Note: ADR requires 100% coverage of all paid licences in the tenant – not just those of Copilot users; with mixed SKUs (e.g. M365 E3 + Business) this is economically significant. If needed, set the Global Admin opt-in to migrate into the Local Region Geography.
  5. 05Disable Flex Routing: since 17 April 2026 Flex Routing is on by default for EU/EFTA tenants and routes LLM inferencing to the US, Canada or Australia. Review under Copilot → Settings → View all → Flex routing and disable it if required so that processing stays within the EU Data Boundary; document the decision.
  6. 06Clarify processing location: review EU Data Boundary status and in-country processing (Swiss timeline subject to revision, as of Nov 2025/Feb 2026); record per use case which models and which routing setting are used.
  7. 07Harden permissions: clean up SharePoint/OneDrive/Exchange to least privilege, close oversharing risks, apply sensitivity labels via Microsoft Purview.
  8. 08Assign licences: grant Microsoft 365 Copilot add-on licences to eligible users; Copilot Chat without a licence does not access business data in the Graph.
  9. 09Governance & retention: set Purview retention policies for Copilot interactions, define deletion/access processes (data-subject rights under revFADP).
  10. 10Inform clients: update the privacy notice/engagement contract where AI processing is newly added; only make verifiable data-location commitments.
  11. 11Training & review: train staff on prompt hygiene and the duty to professionally check outputs; limit the initial rollout to non-critical use cases.

When Copilot fits your trustee office

Copilot makes sense if your office already runs on Microsoft 365 Business/Enterprise and you want to speed up productivity tasks: drafting emails, summarising Teams meeting notes, explaining Excel formulas, creating client presentations or summarising long documents.

It is well suited when you have first set permissions cleanly in SharePoint/OneDrive (least privilege), use sensitivity labels via Microsoft Purview, have reviewed and where necessary disabled Flex Routing, and clarified a valid data residency add-on (ADR) if the Swiss datacenter region is required. For processing, you rely on the Microsoft Data Protection Addendum as the basis of your revFADP-compliant processor relationship.

For purely internal, less sensitive tasks (internal memos, onboarding texts, templates), Copilot is especially low-risk – here the productivity gain clearly prevails.

When to be cautious

Do not point Copilot at highly sensitive client data unchecked while (a) your tenant permissions are not clean – Copilot ruthlessly exposes badly set access ("oversharing") – or (b) you have given a client a specific Swiss datacenter assurance without actually enabling and documenting ADR/in-country processing.

Special caution applies to Flex Routing: since 17 April 2026 it has been on by default for EU/EFTA tenants (incl. Switzerland) and routes LLM inferencing not just to other EU regions but explicitly to the US, Canada or Australia – i.e. outside the EU Data Boundary. Where client contracts or professional duties (e.g. strict confidentiality clauses) require exclusive processing in the EU/EFTA or in Switzerland, you must deliberately disable Flex Routing. Likewise, Anthropic models in Copilot sit outside the boundary and the in-country commitments. Check per use case which model is used and whether Flex Routing is active.

No fully automated decisions without review: AI answers are not guaranteed correct. Tax, accounting and legal statements must be professionally checked before being shared with clients. This is not legal advice – for a definitive data-protection and professional-law assessment, consult a specialist.

FAQ

Is our client data used to train AI models?

No. According to Microsoft, prompts, responses and data accessed through Microsoft Graph are not used to train the foundation language models – including those used by Microsoft 365 Copilot. Stored interaction content is encrypted at rest; optional customer feedback also does not feed model training. This commitment is part of the Microsoft 365 contractual terms.

What is Flex Routing and do we need to disable it?

Flex Routing is a Microsoft feature that has been enabled by default for eligible EU/EFTA tenants (Switzerland included) since 17 April 2026. With Flex Routing active, LLM inferencing may be offloaded to the US, Canada or Australia as needed – i.e. outside the EU Data Boundary. This is an international data transfer that requires a transfer basis under the GDPR/revFADP. Anyone needing exclusively EU/EFTA processing must actively disable Flex Routing (Copilot → Settings → View all → Flex routing) and document that decision.

Is our data guaranteed to reside in a Swiss datacentre?

Not automatically. Switzerland is a valid sign-up region, and the content of Copilot interactions is stored at rest in the relevant region. Guaranteed storage in the Swiss datacenter region usually requires the Advanced Data Residency (ADR) add-on, including a Global Admin opt-in for migration. ADR also requires 100% coverage of all paid licences in the tenant, not just those of Copilot users – with mixed SKUs this is economically significant. LLM processing may also occur outside the EU Data Boundary when Flex Routing is active; local in-country processing for Switzerland has been announced, but the timeline is subject to revision (as of Nov 2025/Feb 2026).

What is the difference between Copilot and Copilot Chat for business data?

Microsoft 365 Copilot (with the paid add-on) works inside the Office apps and accesses business data in the Microsoft Graph using your permissions. Microsoft 365 Copilot Chat (launched January 2025, formerly Microsoft Copilot / Bing Chat Enterprise) offers AI chat with Enterprise Data Protection but, without an assigned Copilot licence, cannot access shared or individual business data in the Graph. So users working on client files need a Copilot licence.

Do we need to inform our clients about the AI use?

If you start processing clients' personal data with Copilot, a processor relationship under the revFADP is added. Check whether your privacy notice and engagement contract need updating, keep the record of processing activities current, and only make verifiable data-location commitments. This is not legal advice – for a binding assessment of your information and professional duties, consult a specialist.

Related topics

Law & ComplianceMay I use ChatGPT as a Swiss fiduciary? Data protection, DPA & business version (revFADP + possibly Art. 321 SCC)revDSG · COMPLIANCErevDSG / revFADP and AI: what the revised Swiss Data Protection Act means for LLM useData Protection & Data SovereigntyUS CLOUD Act vs. Swiss Data Location: Why CH/EU Hosting Matters for Client DataImplementationPrompt Library for Trustees: Proven Prompts for Accounting, VAT and Correspondence

Sources

  1. Microsoft Learn – Data, Privacy, and Security for Microsoft 365 Copilot · 2026-06
  2. Microsoft Learn – Data Residency for Microsoft 365 Copilot and Copilot Chat · 2026-05
  3. Microsoft 365 Blog – In-country data processing for Microsoft 365 Copilot (15 countries) · 2025-11
  4. Microsoft News EMEA – How Microsoft is addressing digital sovereignty in Switzerland · 2026-02
  5. Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB) – revDSG · 2026-06
  6. Fedlex – Bundesgesetz über den Datenschutz (DSG, SR 235.1) · 2026-06

FITS YOUR STACK?

What this looks like in your business – a 30-minute intro call.

Book a call