Cookie Consent by Free Privacy Policy Generator
microsoft365copilot cowork agents
2 min read

Anthropic in Cowork: Subprocessor Status and EU Data Residency

Anthropic's role as a Microsoft subprocessor in Cowork, the default-state map by region, and the GDPR checklist before opting in.
Holger Imbery
Written by Holger Imbery
Anthropic in Cowork: Subprocessor Status and EU Data Residency
Photo generated by AI

Anthropic in Cowork: Subprocessor Status and EU Data Residency

Post 3 of 14

Introduction

Cowork uses Anthropic Claude models as part of its multi-model engine. For most tenants, this is invisible. For tenants in the EU, UK, EFTA, or in any government cloud, it is the single most important configuration decision before rollout. If you get it wrong, you will either have no Cowork or a compliance gap.

What the Toggle Actually Means

Subprocessor status. Since 7 January 2026, Anthropic operates as a Microsoft subprocessor under Microsoft’s Product Terms and Data Processing Addendum for in-scope workflows. This means breach notification, incident response, and data handling obligations flow through Microsoft’s contractual framework — not through a separate Anthropic agreement. Verify this with your Microsoft account team for your specific scenario, request written confirmation, and update your vendor risk register.

Default state by region.

  • Most commercial public-cloud tenants: Anthropic models are enabled by default.
  • EU, UK, EFTA: Excluded from the default rollout. Admins must explicitly opt in due to data residency constraints.
  • Government, sovereign, GCC, GCC High, DoD: No access; no toggle is shown.

Where to find the setting. Microsoft 365 Admin Center → Copilot → Settings → Data Access → look for “AI providers operating as Microsoft subprocessors.”

Data residency reality check. Microsoft has confirmed that Anthropic-processed requests are excluded from the EU Data Boundary and from in-country processing guarantees. If your organization handles personal data under GDPR, you must either leave Anthropic disabled or implement a lawful transfer mechanism and document it in your Records of Processing Activities. Do not assume that Microsoft’s existing data residency commitments extend to Anthropic-routed traffic.

Automatic fallback awareness. If Anthropic is disabled or encounters an error, Copilot Studio automatically falls back to the default OpenAI GPT model. The user is not explicitly notified. Document this behavior in your operational runbooks so users understand the model can change without a banner.

Practical checklist before opting in (EU/UK/EFTA tenants):

  • Lawful transfer mechanism in place and documented.
  • Records of Processing Activities updated.
  • Approved-use matrix defined: which roles, business units, and data classifications may use Anthropic-routed features.
  • DLP policies and sensitivity labels tested end-to-end against Anthropic-hosted endpoints.
  • SIEM telemetry capturing model ID, provider, user identity, and document sources for every Cowork session.

Takeaway

Anthropic, as a subprocessor, simplifies procurement but does not eliminate data residency questions for European tenants. The toggle is a contractual decision, not a technical one. Treat it that way.

Sources

Holger Imbery
Written by

Holger Imbery

Start the conversation

Related

See all microsoft365copilot
microsoft365copilot cowork agents

Enabling Cowork: The Frontier Path

The four-step Frontier enrollment path for Cowork — tenant opt-in, admin account enrollment, user availability, and the first-run experience.

Holger Imbery
Written by Holger Imbery
microsoft365copilot cowork agents

Microsoft Copilot Cowork: A Practical Introduction

A hands-on guide to Microsoft Copilot Cowork: what it is, how it works, and how to use it effectively in your Microsoft 365 environment.

Holger Imbery
Written by Holger Imbery
copilotstudio agents applicationinsights telemetry monitoring

Connecting Azure Application Insights to Microsoft Copilot Studio: Unlocking Deep Analytics for Agentic Systems

Transform your Copilot Studio agents from a black box into a fully observable, debuggable system. Learn how to connect Azure Application Insights for enterprise-grade monitoring, real-time diagnostics, and data-driven optimization that reduces support costs, improves user satisfaction, and demonstrates measurable ROI.

Holger Imbery
Written by Holger Imbery