Compliance and supporting information for Azure Information Protection
Note
Are you looking for Microsoft Purview Information Protection, formerly Microsoft Information Protection (MIP)?
The Azure Information Protection add-in for Office is now in maintenance mode and we recommend you use labels that are built in to your Office 365 apps and services. Learn more about the support status of other Azure Information Protection components.
Azure Information Protection supports other services and also relies on other services. If you’re looking for information that is related to Azure Information Protection but not about how to use the Azure Information Protection service, check the following resources:
Suitability for different countries
Given the variability between laws and regulations in different countries, different use cases and scenarios, and the varying requirements between different business sectors, you will need to consult your legal adviser to help you answer whether Azure Information Protection is suitable for your country.
However, some relevant information that can help your legal adviser make a determination:
Azure Information Protection uses AES 256 and AES 128 to encrypt documents. More information
All encryption keys used by Azure Information Protection are protected with a customer-specific root key that uses RSA 2048 bits. RSA 1024 bits is also supported for backwards compatibility. More information
Customer-specific root keys are either managed by Microsoft or provisioned by the customer in a nCipher HSM by using "bring your own key" (BYOK). Azure Information Protection also supports features for on-premises protection, for content that cannot be protected with a cloud-based key. For more information, see Planning and implementing your Azure Information Protection tenant key.
The Azure Information Protection service is hosted in regional data centers across the globe. Azure Information Protection keys always remain within the region in which is originally deployed.
Azure Information Protection does not transmit document contents from clients to the Azure Information Protection service. Content encryption and decryption operations are performed in-place in the client device. Or, for service-based rendering, these operations are performed within the service that’s rendering the content. More information
Legal and privacy
For Microsoft Azure agreement information: Azure Agreement
For Microsoft Azure privacy information: Azure Privacy Statement
Security, compliance, and auditing
See the Security, compliance, and regulatory requirements section in the What is Azure RMS? article, for information about specific certifications for the Azure Rights Management service. In addition:
For external certifications for Azure Information Protection: Azure Trust Center
For FIPS 140 information: FIPS 140 Validation
For in-depth technical information about how the protection technology works, see How does Azure RMS work?
Service level agreements
Documentation
Microsoft Entra documentation: Microsoft Entra ID
Microsoft 365 documentation: Microsoft 365 for enterprise documentation and resources