Compliance and Data Residency Guide for Smart Processing
Status: 03.09.2025 • Reading time: ~12 minutes
This guide explains how Smart Processing utilizes external AI services, which compliance requirements are relevant by country/region, and how you can meet the requirements through regional deployment (Data Residency) and configurable options.
Important Note (No Legal Advice)
This article does not constitute legal advice. Please verify the requirements with your legal/data protection department and enter into the necessary contracts (e.g., DPA, SCCs) with your processors/sub-processors.
Overview: Which external AI services does Smart Processing use?
Smart Processing can use the following Microsoft services depending on the configured workflow:
| Purpose | Service | Key Statements on Data Processing |
|---|---|---|
| Classifying/Extracting (Documents) | Azure AI Document Intelligence | Processing in the region of your service resource location; inputs/results are temporarily stored in encrypted form and deleted within 24 hours. Custom models remain in your region/subscription. (Microsoft Learn) |
| Classifying/Extracting (generic, multimodal) | Azure AI Content Understanding | Processing in the region of the content understanding resource location; data is temporarily stored in Azure Storage in encrypted form and may be passed to Azure OpenAI for further processing (within the service framework). (Microsoft Learn) |
| Generative AI model / Matching logic | Azure OpenAI Service | Prompts/outputs are not used for training OpenAI or Azure models; processing within the chosen geography (except for Global/DataZone deployments, see below); optional abuse monitoring logs, region-specific data access. (Microsoft Learn) |
Recommendation
Create all AI resources (OpenAI, Document Intelligence, Content Understanding) in the target geography where your data should remain (e.g., EU). For strict data residency, do not use Global deployments (see below). (Microsoft Learn, Microsoft Azure)
Data Flows & Data Types in Smart Processing
| Data Type | Examples | Typical Flow |
|---|---|---|
| Document Content | PDF, Image, Email Attachment, XML | Upload → Classification/Extraction (DI/CU) → Results back to BC; for DI/CU regional processing, temporary storage, timely deletion. (Microsoft Learn) |
| Extracted Fields/Metadata | Header/Line Fields, Amounts, IDs | Returned to Smart Processing; used in templates/matching; optional archiving in Document Central. |
| AI Prompts/Outputs | Matching Suggestions, Validation Hints | Processed via Azure OpenAI; no training purpose; processing in the chosen geography (no data transfer to OpenAI.com). (Microsoft Learn) |
| Logs/Diagnostics | Status, Errors, Abuse Monitoring | Service-side (Azure) may involve temporary storage/review if suspicious; options to disable/customize available. (Microsoft Learn) |
Roles & Responsibilities (Typical GDPR Model)
- Your Company: Controller for the processed personal data.
- Simova Solution/Smart Processing: Processor within your BC environment.
- Microsoft (Azure Services): Sub-Processor providing the configured AI functionalities (Azure OpenAI, DI, CU).
- Contracts & Guarantees: Enter/review DPA (Microsoft Products and Services DPA) and for data transfers to third countries, the Standard Contractual Clauses (SCCs). (Microsoft Learn, European Commission)
Region & Data Residency: Keeping Data "At Home"
Azure Principle
Most Azure services allow you to set the region/geo for storage and processing. Microsoft does not store/process customer data outside the chosen geo, except for resilience within that geo. (Microsoft Azure)
EU Specifics
With the Microsoft EU Data Boundary, customer data and personal data for Microsoft's enterprise online services (including Azure, Dynamics 365) are processed/stored within the EU. (Microsoft Learn, Microsoft)
Service-Specific Points
-
Azure OpenAI
-
Prompts/Outputs not for training purposes, no transfer to OpenAI.com; processing in your geography, except for Global or DataZone deployments (then processing in the respective zone, data at rest remains in your geo). (Microsoft Learn)
-
Option to customize/disable abuse monitoring logging (upon request); for EEA deployments, any human reviews are conducted by staff in the EEA. (Microsoft Learn)
-
Document Intelligence
-
Processing in the region of the resource; temporary (regional) storage for asynchronous analysis; deletion within 24 hours; custom models remain in your region/subscription. (Microsoft Learn)
-
Content Understanding
-
Processing in the region; data is temporarily encrypted in Azure Storage and subsequently processed within the service framework (including Azure OpenAI). Note preview restrictions/regions. (Microsoft Learn)
Legal Framework (Selection)
| Jurisdiction | Core Topic | Implications for You |
|---|---|---|
| EU (GDPR) | Data transfers to third countries | Use SCCs/appropriate guarantees; review DPA & transfer impact assessment. (European Commission) |
| EU (AI Act) | Gradual implementation (first bans 02.02.2025, comprehensive obligations 02.08.2026) | Check if your use cases are high-risk and if GPAI transparency obligations apply. (DLA Piper, Digital Strategy of Europe) |
| UK (UK GDPR) | International Transfers | Use IDTA/Addendum and BCRs for third country transfers. (ICO) |
| Switzerland (nFADP) | Revised data protection law since 01.09.2023 | Review information obligations, DSFA, processing agreements, third country transfers. (KMU.admin.ch) |
| USA (California, CCPA/CPRA) | Rights of data subjects/Opt-out | Be aware of information obligations, deletion requests, opt-out mechanisms (if applicable). (California Department of Justice, cppa.ca.gov) |
Configuration Checklist (Recommended)
- Set Region Choice
- Create all AI resources (OpenAI, DI, CU) in the target geo (e.g., EU). Avoid "Global" for strict data residency; use DataZone only if the zone aligns with your compliance. (Microsoft Learn, Microsoft Azure)
- Data Minimization
- Capture only necessary fields; mask/overwrite sensitive fields where possible.
- Check Abuse Monitoring (Azure OpenAI)
- Review logging status and – if approved – disable/customize; document the setting. (Microsoft Learn)
- Encryption & Key Management
- Standard: TLS 1.2+ in Transit, AES-256 at Rest; optionally use CMK where available. (Microsoft Learn)
- Deletion Deadlines & Retention
- DI: automatic deletion typically within 24 hours; OpenAI/BC-Copilot: short-term storage possible (e.g., abuse monitoring up to 24 hours) – document internally. (Microsoft Learn)
- Contractual Safeguards
- DPA (Microsoft), SCCs for third country transfers, processing agreements with partners. (Microsoft Learn, European Commission)
- Utilize EU Data Boundary (if EU Scope)
- Check if all Microsoft services used fall under the EU Data Boundary. (Microsoft Learn, Microsoft)
Frequently Asked Questions (FAQ)
Will our data be used for training?
In Azure OpenAI, prompts/outputs/embeddings are not used for training OpenAI or Azure models and are not accessible to other customers or OpenAI. (Microsoft Learn)
Do documents remain in the EU if we use EU resources?
Document Intelligence and Content Understanding process in the region of the resource; Azure OpenAI processes in the chosen geography (be mindful of Global/DataZone deployments). (Microsoft Learn)
How do we legally address EU transfers?
Use SCCs/appropriate guarantees for third countries; in the UK, use IDTA/Addendum. (European Commission, ICO)
Does Simova GmbH store data?
No. We do not process any data outside your Business Central environment.