Claude is now inside Microsoft 365 Copilot as a formal subprocessor. Not a SaaS add-on your users signed up for separately — a contracted third-party model that Microsoft routes your data to under its own Product Terms and DPA.
This issue maps the architecture: what Microsoft processes, what Anthropic processes, what leaves the EU Data Boundary, what doesn't, and what your admins, compliance teams, and board need to know before the default-on date hits your tenant.
Claude is inside your tenant now. Here is what that means for your data, your compliance, and your admin controls.
Until recently, organisations that wanted to use Claude models inside Microsoft 365 Copilot had to opt in through a separate route — the "Anthropic independent processor" path — which meant accepting Anthropic's own terms and DPA directly for certain frontier features.[1]
That arrangement was decommissioned on 1 May 2026.[2] In its place, Anthropic has been onboarded as a formal Microsoft subprocessor under the standard Microsoft Product Terms and Data Protection Addendum (DPA). You no longer sign separate Anthropic enterprise contracts for these workloads. You don't need to. The Microsoft contract covers it.
For most non-EU commercial tenants, Anthropic as subprocessor is enabled by default from 7 January 2026. For EU, EFTA, and UK tenants, Anthropic remains off by default and requires explicit admin opt-in for both the global subprocessor setting and the separate M365 apps toggle.[3]
The phrase "co-processing" describes the division of labour between Microsoft and Anthropic when a Copilot request routes to a Claude model. It is not joint controllership — Anthropic is a processor acting on Microsoft's instructions. But understanding who does what is essential for compliance assessments, DPIAs, and honest conversations with your legal team.
Copilot receives the request. It grounds the prompt using Microsoft Graph data, applies Entra ID permissions, enforces DLP and Purview policies, and constructs a bounded, filtered input for the model layer.[7]
Microsoft sends the bounded, encrypted prompt to Anthropic Claude for inference. Anthropic acts as a stateless subprocessor — it receives the input, generates a response, and returns it. No persistent storage. No state retained between requests.[8]
Microsoft receives the model output, applies safety and compliance filters, and either presents the result or — in Cowork — queues approved actions for execution. All outputs and actions are logged within your tenant.[9]
Anthropic does not become a system of record. It performs transient inference on inputs that Microsoft controls. Microsoft retains responsibility for storage, logging, audit trails, and policy enforcement.[10] The risk surface for Anthropic is the prompt and the inference window — not your broader tenant data.
This is the question that matters most for regulated organisations, and it requires two separate answers — one logical, one physical.
Logically, your data stays within your Microsoft 365 tenant boundary. Copilot uses your existing Entra ID permissions and DLP policies. Outputs and audit trails land back in tenant-owned storage. The compliance boundary — what you can discover, retain, and policy-enforce — does not change.[10]
Physically, it is more nuanced. When Anthropic models are used, a subset of data — the prompt and selected context — is transmitted to Anthropic's infrastructure for inference. Microsoft explicitly states that this processing is excluded from its EU Data Boundary and in-country processing commitments.[3][11]
Microsoft's documentation for the "Copilot in Microsoft 365 apps with Anthropic models" setting states: "data processing for these models occurs outside of the Microsoft EU Data Boundary (EUDB)".[11]
Storage and state, however, remain in-region and under Microsoft's control. Anthropic does not hold persistent copies of customer data. No customer data or state is stored outside EU data centres for these workloads — only the transient inference window crosses the boundary.[3][12]
| Data category | Stays in EU? | Notes |
|---|---|---|
| Tenant storage (SharePoint, OneDrive, Exchange) | Yes | Governed by Microsoft's standard EUDB commitments |
| Copilot outputs & conversation history | Yes | Stored in tenant-owned location; subject to Purview |
| Prompt + context sent for inference (Anthropic) | No | Transmitted encrypted; stateless; not stored by Anthropic |
| Audit trails & action logs (Cowork) | Yes | Logged within tenant via standard M365 logging |
| Model training | N/A | Your data is not used to train Anthropic or Microsoft models |
For organisations where EUDB-only or in-country processing is a hard requirement — critical infrastructure, certain financial services, some public sector — Anthropic should remain disabled until you have written confirmation from Microsoft on the precise infrastructure path.[13]
Two controls govern Anthropic access in M365. They are independent and can be scoped to specific users or groups rather than applied tenant-wide.[14]
| Control | What it governs | Default (non-EU) | Default (EU/EFTA/UK) |
|---|---|---|---|
| AI providers as subprocessors | Global toggle — enables or disables Anthropic (and other third-party providers) across Copilot Studio, Power Platform, and M365 services | On (from 7 Jan 2026) | Off — explicit opt-in required |
| Copilot in M365 apps with Anthropic models | Separate control for Word, Excel, and PowerPoint — governs Anthropic usage specifically in these apps | On | Off — explicit opt-in required |
Both controls can be assigned to specific users or security groups rather than applied tenant-wide. This means you can enable Anthropic for non-EU users or lower-risk populations while keeping it disabled for users handling sensitive or regulated data — without a blanket tenant block.[14]
Disabling Anthropic as a subprocessor means Copilot routes those requests to other available models (Microsoft's own or OpenAI). It does not disable Copilot. It does not prevent the features from working. It changes the model used for inference — which is exactly what you need if your compliance position requires EUDB-only processing.[3]
Anthropic models are not available in GCC, GCC High, DoD, or equivalent sovereign/government cloud environments. If your tenant sits in one of these clouds, this article does not apply to you — Anthropic is not an available provider in your environment.[15]
Copilot Cowork is the agentic execution layer inside Microsoft 365 Copilot. It plans and performs multi-step tasks — sending emails, scheduling meetings, creating and editing documents, posting to Teams, managing files — based on natural language instructions. It is available through the Frontier preview programme and is subject to preview terms.[16]
Cowork uses Anthropic's Claude models in a multi-model architecture for long-horizon planning and reasoning.[17] But the key point is where Cowork lives: it runs as a Microsoft-hosted service within your Microsoft 365 tenant, anchored in your Entra ID and compliance framework. Anthropic is invoked by that service as a subprocessor, not as an independently-contracted endpoint.[10]
Every Cowork action is visible in the conversation thread. Sensitive actions — sending email, creating calendar invites, posting to Teams — require explicit user approval before execution. The architecture is designed around human oversight, not autonomous execution.[16]
At least one community source has claimed that Cowork keeps all processing within Microsoft 365 and data does not reach Anthropic. This conflicts with Microsoft's explicit EUDB-exclusion statements.[11][13] The conservative, contract-aligned position is: when Cowork uses Anthropic for planning or reasoning, a subset of tenant data — the bounded prompt and relevant context — is transmitted to Anthropic infrastructure for stateless inference, outside the EUDB, under Microsoft's DPA. Storage remains in-tenant. No training occurs. But the inference window does leave EU data centres.[12]
Anthropic has its own product called Claude Cowork, which operates under Anthropic's contracts and infrastructure. Microsoft Copilot Cowork is a completely separate product — a Microsoft service that uses Claude models. Do not conflate them in procurement documentation or DPIAs.[18]
If you are preparing a board or CTO briefing, these are the five things the room needs to understand.
Treat Anthropic in Copilot as a third-party subprocessor with cross-border processing. It needs to appear in your subprocessor registers and DPIAs. Mitigations include scoping Anthropic to specific user populations, disabling it where EUDB-only processing is mandatory, and codifying approved Cowork use cases with clear approval gate requirements before agentic execution is allowed.
Public sources still disagree on whether Anthropic's models for Microsoft workloads run on Anthropic-controlled infrastructure or on Azure under Anthropic's management. Community posts assert one or the other without authoritative sourcing.
Because Microsoft explicitly excludes Anthropic processing from the EU Data Boundary while listing Anthropic as a subprocessor, the safest working assumption is that some processing occurs on Anthropic-controlled infrastructure under Microsoft's contractual oversight — not within Azure regions.[13]
Where this distinction materially affects your risk posture — national security workloads, critical infrastructure, MoD or equivalent — obtain written clarification from Microsoft directly. Request up-to-date subprocessor listings and data-flow diagrams. Do not rely on community commentary or this article for high-stakes decisions. It is a starting framework, not a legal opinion.
All sources verified against Microsoft public documentation and Microsoft Learn as of 28 May 2026.
AI-assisted research: this issue was researched and drafted with the assistance of Claude (Anthropic). All claims have been checked against cited sources. Where sources are paywalled or require Microsoft tenant access, the citation describes the document and its canonical URL. This article does not constitute legal advice. Obtain your own professional guidance for DPIA, GDPR, and contractual compliance decisions.