If you are using Microsoft 365 Copilot in your business, there is something worth knowing right now. A feature called “flex routing” is enabled by default for accounts created after 25 March 2026, and it allows some of your AI query processing to happen in overseas data centres. That includes the United States and Canada.

This is not a data breach. Your data remains encrypted. But it does raise real questions for Australian businesses around the Privacy Act, industry-specific obligations, and where your information is actually being processed when you use Copilot day to day.

Here is what flex routing is, why it exists, and exactly how to check and disable it if your business needs tighter control over where data is processed.

What Is Microsoft 365 Copilot Flex Routing?

Flex routing is a feature Microsoft introduced to help manage peak demand on its AI infrastructure. When large numbers of businesses are using Copilot at the same time, Microsoft’s local data centres can become congested. Flex routing gives Microsoft the ability to redirect some of that processing load to data centres in other regions, specifically the United States, Canada, or Australia.

The key word here is “processing.” Flex routing does not change where your data is stored. Your Microsoft 365 data, files, emails, and documents remain in the region Microsoft has assigned to your tenancy. What changes is where the inference happens. Inference is the compute work that occurs when Copilot reads a prompt, queries a document, or generates a response.

For many businesses, that distinction matters a great deal.

Why This Matters for Australian Businesses

Australia’s Privacy Act 1988 applies to how personal information is handled, not just where it is stored. If data is processed overseas, even temporarily, obligations around cross-border disclosure can apply depending on the nature of the information and the industry you operate in.

This is not a hypothetical concern. It is a genuine compliance question for businesses in the following sectors:

• Healthcare: Patient records, clinical notes, and health information processed overseas can trigger obligations under the Privacy Act and the Australian Privacy Principles, particularly APP 8 covering cross-border disclosure.
• Legal: Solicitor-client privilege and confidentiality obligations extend to how and where data is processed. Overseas processing of client matter documents creates real risk.
• Financial services: APRA-regulated entities operate under strict data governance requirements. Any overseas processing of financial records or customer data warrants careful review.
• Government contractors: Agencies and contractors handling government information are often subject to specific data sovereignty requirements that prohibit overseas processing entirely.

Beyond regulated industries, any business that handles personal information about clients, employees, or customers should understand where that data goes when Copilot is running queries against it.

What Data Is Affected?

When you use Microsoft 365 Copilot to draft an email, summarise a document, answer a question about a Teams conversation, or generate content from your data, Copilot runs an inference process. That is the computational step where the AI model reads your input, applies reasoning, and produces a response.

Under flex routing, that inference step may occur in an overseas Microsoft data centre during peak demand periods. The content being processed during that inference, which could include document excerpts, email content, or user queries, travels to and from that overseas location.

Microsoft states that data remains encrypted in transit and that it is subject to Microsoft’s standard data handling terms. However, the processing does occur outside Australia when flex routing is active and demand requires it.

How to Check If Flex Routing Is Enabled

If your Microsoft 365 tenancy was created after 25 March 2026, flex routing is enabled by default. If your tenancy is older, the feature may not be active unless it was turned on manually. Here is how to check:

1. Sign in to the Microsoft 365 Admin Centre at admin.microsoft.com
2. In the left navigation, go to Settings, then Org settings
3. Select the Services tab
4. Look for Copilot or search for flex routing settings
5. Review the data processing configuration shown for your organisation

If you are unsure what you are looking at, or you do not have Global Admin access, your IT provider can check this for you in a few minutes.

How to Disable Flex Routing in Microsoft 365 Admin Centre

Turning off flex routing is straightforward for any Global Administrator. Here are the steps:

1. Go to admin.microsoft.com and sign in with your Global Admin credentials
2. Navigate to Settings, then Org settings
3. Open the Services tab and locate the Copilot or AI data settings section
4. Find the flex routing or data processing region setting
5. Set the data processing preference to Australia only or disable flex routing
6. Save your changes

Once disabled, all Copilot inference processing will remain within Australian Microsoft data centres. The setting takes effect for subsequent Copilot sessions.

If your organisation uses Microsoft Purview or has specific data residency commitments in place, review those alongside this setting to ensure your full data governance posture is consistent.

Who Should Definitely Turn It Off

Some businesses should treat disabling flex routing as a non-negotiable step. If your organisation falls into any of the following categories, act now:

• Healthcare providers handling patient records, referrals, or clinical correspondence in Microsoft 365
• Legal firms using Copilot to search or draft documents containing client matter information
• Financial services organisations regulated by APRA, ASIC, or subject to the Privacy Act’s financial sector provisions
• Government agencies and contractors with data sovereignty requirements or Australian Signals Directorate (ASD) guidelines to follow
• Businesses with contractual data residency obligations where client contracts specify that data must not leave Australia

For these organisations, overseas processing of data, even encrypted and temporary, creates compliance exposure that is not worth accepting by default.

Who Might Be Fine Leaving It On

Not every business faces the same data governance requirements. For some organisations, flex routing may not create meaningful risk:

• Businesses using Copilot only for internal productivity tasks with no sensitive personal information involved
• Organisations that have reviewed Microsoft’s data processing terms and are satisfied that the encryption and handling standards meet their risk appetite
• Teams where Copilot queries are limited to publicly available information or internal non-sensitive documents
• Businesses that have already reviewed their data residency posture with their IT provider and made an informed decision to accept Microsoft’s standard terms

If you are in this category, the most important thing is that the decision is deliberate and documented, not accidental. Leaving flex routing on because no one checked is not a risk management strategy.

How Otto IT Can Help

Understanding the technical settings is one part of the picture. The harder part is knowing how those settings interact with your specific obligations under the Privacy Act, your industry’s regulatory framework, and any client or contractual commitments you have made.

Otto IT works with Australian professional services businesses to review and strengthen their Microsoft 365 data governance setup. That includes:

• Auditing your current Copilot and data residency settings
• Reviewing your Microsoft 365 configuration against relevant compliance requirements
• Recommending and implementing changes that align with your obligations
• Providing ongoing managed oversight as Microsoft continues to evolve its AI feature set

If you want a second set of eyes on your Microsoft 365 environment, book a consultation with our team. We will review your current setup and give you a clear picture of where your data is going and what you might want to change.

You can also explore our managed cybersecurity services for broader data protection and compliance support, or get in touch directly if you have a specific question.

Frequently Asked Questions

What is Microsoft 365 Copilot flex routing?

Flex routing is a Microsoft feature that allows some AI inference processing, the computation that happens when Copilot responds to a query, to be routed to data centres in the US, Canada, or Australia during peak demand. It is enabled by default for new accounts created after 25 March 2026.

Does flex routing move my data overseas permanently?

No. Flex routing affects where data is processed during an AI query, not where it is stored. Your Microsoft 365 data remains in your assigned region. However, the content processed during inference may temporarily pass through an overseas data centre.

Is flex routing a security risk?

Microsoft states that data is encrypted in transit during flex routing. The concern is less about security and more about compliance, particularly for businesses with obligations under the Australian Privacy Act or industry-specific regulations that apply to overseas data processing.

How do I know if my account has flex routing enabled?

Accounts created after 25 March 2026 have flex routing enabled by default. You can check your current settings in the Microsoft 365 Admin Centre under Settings, then Org settings, then Services.

Can I turn off flex routing without affecting Copilot functionality?

Yes. Disabling flex routing keeps Copilot working normally. The only difference is that all inference processing will remain within Australian Microsoft data centres. There may be occasional performance differences during peak periods, but your Copilot features remain intact.

Does the Australian Privacy Act apply to how my data is processed by Copilot?

Yes. The Privacy Act applies to how personal information is handled, including processing. If Copilot queries involve personal information about clients, employees, or patients, the processing location is relevant to your obligations, particularly under Australian Privacy Principle 8, which covers cross-border disclosure.

Our IT provider set up our Microsoft 365. Do we need to check with them?

Yes, your IT provider should be able to review your current flex routing settings and advise whether any changes are needed for your specific compliance situation. If you do not have an IT provider reviewing these settings, talk to the Otto IT team.

Is flex routing the same as data residency?

No. Data residency refers to where your data is stored at rest. Flex routing is about where data is processed during AI inference. Both are important for a complete data sovereignty position, but they are separate settings.