Microsoft Copilot

AI assistant embedded across Microsoft 365 apps

vs
Lumo (Proton)

Privacy-first AI assistant from the makers of ProtonMail, with Swiss jurisdiction and zero-access encryption

Microsoft Copilot: 80% (Strong), 20/25
Lumo (Proton): 92% (Excellent), 23/25

Score Breakdown

| Dimension | Microsoft Copilot | Lumo (Proton) |
|---|---|---|
| Data Residency (Where is your data stored and processed?) | 4/5 | 5/5 |
| Legal Jurisdiction (Which laws govern the company and your data?) | 3/5 | 5/5 |
| Data Retention & Training (Is your data used for model training?) | 4/5 | 5/5 |
| Certifications (ISO 27001, SOC 2, Cyber Essentials, etc.) | 5/5 | 4/5 |
| Regulatory Fit (Suitability for regulated industries and professional services) | 4/5 | 4/5 |
| Total Score | 20/25 | 23/25 |

The per-dimension assessments behind these scores are given in the Dimension-by-Dimension Breakdown below.

Best For

Microsoft Copilot

Best for EU-headquartered organisations needing maximum data sovereignty; regulated industries (legal, financial-services); privacy-conscious teams who need strong data retention controls; organisations that need self-hosted or on-premise deployment; teams on a tight budget.

Lumo (Proton)

Best for organisations requiring broad certification coverage (SOC 1 Type II, SOC 2 Type II, ISO 27001); privacy-conscious teams who need strong data retention controls.

Detailed Comparison

Lumo (Proton) vs Microsoft Copilot: Trust & Compliance Comparison

Lumo (Proton) (Proton, CH) scores 23/25 overall with a Gold (Excellent) trust badge. Privacy-first AI assistant from the makers of ProtonMail, with Swiss jurisdiction and zero-access encryption. Microsoft Copilot (Microsoft, US) scores 20/25 with a Silver (Strong) trust badge. AI assistant embedded across Microsoft 365 apps.

Dimension-by-Dimension Breakdown

#### Data Residency

Lumo (Proton) leads with 5/5 vs 4/5.

Lumo (Proton) (5/5): Data hosted in Proton's own data centres in Germany and Norway. Zero-access encryption means even Proton cannot read conversation content. No US infrastructure dependency.
Microsoft Copilot (4/5): Microsoft offers data residency across multiple global regions including US, EU, UK, and Asia Pacific. Customers can select their data location and data stays within the Microsoft 365 compliance boundary.

#### Legal Jurisdiction

Lumo (Proton) leads with 5/5 vs 3/5.

Lumo (Proton) (5/5): Swiss incorporation provides one of the strongest privacy jurisdictions globally. Outside US CLOUD Act reach. Swiss FADP and GDPR adequacy. Proton has a decade-long track record of defending user privacy.
Microsoft Copilot (3/5): Incorporated in Washington State, US. Subject to US laws including the CLOUD Act. Microsoft has challenged government data requests and offers EU Data Boundary commitments.

#### Data Retention & Training

Lumo (Proton) leads with 5/5 vs 4/5.

Lumo (Proton) (5/5): Zero-access encryption on conversations. User data explicitly never used for model training. Open-source code enables independent verification of privacy claims.
Microsoft Copilot (4/5): Copilot interactions inherit Microsoft 365 retention policies. Administrators have granular control over data retention, deletion, and eDiscovery. Copilot prompts and responses are stored in Exchange Online.

#### Certifications

Microsoft Copilot leads with 5/5 vs 4/5.

Lumo (Proton) (4/5): ISO 27001 and SOC 2 at Proton AG organisational level. Strong for a consumer-facing privacy product. ISO 27701 would further strengthen the posture.
Microsoft Copilot (5/5): One of the most extensively certified cloud platforms globally, holding SOC 1/2 Type II, ISO 27001, ISO 27018, ISO 27701, FedRAMP High, and dozens of additional certifications across regions and industries.

#### Regulatory Fit

Both score equally at 4/5.

Lumo (Proton) (4/5): Excellent fit for privacy-sensitive professionals in legal and financial services. Swiss jurisdiction, zero-access encryption, and no training on user data address key regulatory concerns. Not EU-incorporated but GDPR adequate.
Microsoft Copilot (4/5): Supports a vast range of regulatory frameworks including GDPR, HIPAA, FedRAMP, FERPA, and many industry-specific requirements. Government cloud offerings available for public sector customers.

Certifications at a Glance

| Certification | Lumo (Proton) | Microsoft Copilot |
|---|---|---|
| FedRAMP High | No | Yes |
| ISO 27001 | Yes | Yes |
| ISO 27018 | No | Yes |
| ISO 27701 | No | Yes |
| SOC 1 Type II | No | Yes |
| SOC 2 | Yes | No |
| SOC 2 Type II | No | Yes |

Overall Verdict

Lumo (Proton) has a clear trust advantage, scoring 23/25 compared to Microsoft Copilot's 20/25. Lumo (Proton) particularly excels in data residency, legal jurisdiction, and data retention & training.

Frequently Asked Questions

Which is better for EU compliance, Microsoft Copilot or Lumo (Proton)?

Microsoft Copilot has a TrustKit score of 20/25 while Lumo (Proton) scores 23/25. Lumo (Proton) currently rates higher on data residency, legal jurisdiction, and data retention & training; Microsoft Copilot rates higher on certifications, and both score 4/5 on regulatory fit.

How do Microsoft Copilot and Lumo (Proton) compare on data residency?

Microsoft Copilot scores 4/5 for data residency: Microsoft offers data residency across multiple global regions including US, EU, UK, and Asia Pacific. Customers can select their data location and data stays within the Microsoft 365 compliance boundary. Lumo (Proton) scores 5/5: data is hosted in Proton's own data centres in Germany and Norway, zero-access encryption means even Proton cannot read conversation content, and there is no US infrastructure dependency.

Are Microsoft Copilot and Lumo (Proton) GDPR compliant?

Both tools are assessed across five compliance dimensions. Microsoft Copilot has a regulatory fit score of 4/5 and Lumo (Proton) scores 4/5. Check the full comparison above for a detailed breakdown.
