Anthropic Claude AI in Microsoft 365 Copilot — A Data Boundary Hurdle for the EU?

Microsoft’s ongoing expansion of its Copilot ecosystem continues to push boundaries, particularly with the introduction of the Researcher Agent. Recently, excitement surged across the European tech community with reports that the Researcher Agent now offers an LLM selection feature, integrating advanced models like Anthropic’s Claude AI alongside existing options. There a several rumors spread in Tech Blogposts that Claude could also substitute Open AI’s Chat GPT in Word, Excel and PowerPoint. We are going to see soon if the IT Admins will have a choice of LLMs (which I appreciate) or if certain Apps will receive a new LLM.

However, for organizations in the European Union, a critical question immediately arises: Can EU customers safely use the new Anthropic Claude integration in Microsoft 365 Copilot, and is it compliant with the GDPR and the EU Data Boundary?

A recent analysis by Raphael Köllner, highlighted on his website, offers a strong warning that demands immediate attention from Microsoft 365 administrators and data protection officers (DPOs) across the EU.

The Feature: Claude AI in the Researcher Agent

The Microsoft Researcher Agent is a powerful tool within Copilot, designed to handle complex research tasks by providing structured, cited, and reliable information through the synthesis of web searches and source analysis.

The new functionality, reportedly rolled out in late September 2025, allows users to choose their underlying Large Language Model (LLM) — including Anthropic’s highly-regarded Claude AI (such as Claude 3 variants). This choice enhances the power and nuance of the research output.

Fact Check: GDPR and EU Data Boundary Compliance

When it comes to the core question of EU data compliance, the current verdict is clear and cautionary, according to the analysis: No, the Anthropic Claude integration currently appears non-compliant for processing personal data under the GDPR.

Here is the breakdown of the critical facts and findings:

1. Data Processing Location

The most significant compliance issue is the location of the data. The analysis explicitly states that the Claude AI model, when used via the Microsoft 365 Researcher Agent, runs exclusively on Amazon Web Services (AWS) in the United States.

This means that data submitted to the Researcher Agent, if it includes personal data, is transferred and processed outside the EU/EEA, a transfer not covered by typical EU contractual safeguards.

2. EU Data Boundary Commitments Do Not Apply

Microsoft has invested heavily in its EU Data Boundary program, which aims to ensure all customer data processing for core Microsoft 365 services remains within the EU.

Crucially, the analysis states that this new Claude integration does not fall under Microsoft’s established data residency and EU Data Boundary commitments. Furthermore, it is not covered by standard Microsoft agreements, such as the Product Terms Data Protection Addendum (DPA) or specific data residency licenses (like ADR).

In short: while Microsoft 365 itself adheres to the EU Data Boundary, the integrated third-party LLM operates outside of this committed boundary.

3. Conclusion on GDPR Compliance & Training LLMs with your Data

Because data processing occurs exclusively in the US and is not covered by the necessary EU Data Boundary commitments or data transfer safeguards, the use of this feature for any task involving personal data is deemed non-operable within the current framework of the GDPR.

In contrast, for commercial and enterprise services (e.g., via their API or through partners like Microsoft), Anthropic’s legal terms generally state that customer content is not used for model training. This is a critical distinction that aligns with standard industry practices for data processors and is generally considered more GDPR-compliant.

Action Required for EU Customers

Based on these findings, any organization in the EU that uses Microsoft 365 Copilot and processes personal or sensitive data should take immediate action.

The analysis strongly recommends that this new feature be deactivated (Opt-Out) immediately at the administrative level. Administrators can do this via the Microsoft 365 Admin Center:

Admin center > Copilot > Settings > Data access > AI providers for other large language models > Anthropic > Don’t allow provider by NOT accepting Terms and Conditions

The only suggested path for limited use is on a dedicated test tenant that guarantees no processing of personal data, accompanied by a formal risk assessment.

In summary, while the Anthropic Claude AI integration represents a powerful technological leap for the Researcher Agent, EU customers must exercise extreme caution when using it. The lack of inclusion in Microsoft’s existing EU Data Boundary program makes it a significant data protection risk that should be administratively blocked until Microsoft or Anthropic provides a compliant processing solution within the European Union.

Talk to us at HanseVision about your requirements and questions about Power Platform, M365 Governance, Copilot (Studio) and Agents Governance!

Find my Calendar here and check out our OnePager about M365 Governance.