I'm trying to figure out the governing law for an English company using Azure. If we sign up with Microsoft Ireland Operations Ltd and host a Windows server in the UK South region, does US law still apply according to the terms and conditions? I believe it might not, but I couldn't find a clear and definitive answer.
2 Answers
You won't be under US law in this case. The EULA is a bit tricky, and the trust portal doesn't give all the details. Remember, your data stays in the tenancy location, but encryption is only at 128-bit. Also, while your server is in the UK South region, there’s not a lot of information about how services like Microsoft Editor handle data. Plus, telemetry from various services can still go to the US, so keep that in mind! Don't forget about the US CLOUD Act, as it could still apply even if your data resides in the UK. They could also move your info around as part of service continuity.
I suggest digging into the concept of sovereignty. While data residency is one factor, keep in mind that Microsoft can still grant the US government access to your data under the US CLOUD Act. Make sure to consider encryption both at rest and in transit, preferably using your own generated keys (BYOK), so that Microsoft can’t decrypt your information.
Interesting, thank you. I'll read up on it.

Just a heads up, tenancy encryption is only for data at rest; Microsoft hasn't specified anything about data in use, so it's wise to be cautious about telemetry collection.