Frequently asked questions about Dragon Copilot

This article addresses some common questions around Microsoft Dragon Copilot's use and retention of user data.

How does Dragon Copilot handle personally identifiable information (PII)?

Dragon Copilot processes and stores the following types of PII:

  • Voice dictation audio and transcribed text from clinician-patient encounters.
  • Generated AI content such as draft clinical notes and flowsheet values.
  • User-specific adaptation data, which includes voice patterns and environmental context to improve transcription accuracy.

Applications and associated environments have been built to support HIPAA, Personal Information Protection and Electronic Documents Act (PIPEDA), GDPR, and GDPR-UK compliance standards. Data is deidentified or pseudonymized before it is used for AI model improvement.

For more information, see the privacy whitepaper.

How long does Dragon Copilot retain data?

Dragon Copilot retains data for the following periods:

  • Audio, transcript, and flowsheet value data is retained for up to 90 days.
  • Voice dictation and text are retained for 180 days to support user-specific adaptation.

Data deletion is managed using Microsoft Purview Data Lifecycle Management, ensuring secure and policy-compliant purging.

Is the data encrypted?

Yes. Dragon Copilot uses Microsoft's enterprise-grade encryption:

  • In transit: TLS 1.2 or TLS 1.3 encryption.
  • At rest: AES-256 encryption, with support for Bring Your Own Key (BYOK) via Microsoft 365 Customer Key.
  • For authentication: Entra ID (formerly Azure AD) is used for identity management, with support for SSO and token-based access.

For more information, see the privacy whitepaper and the data flow diagram.

Is Dragon Copilot subject to security audits and penetration testing?

Yes. Dragon Copilot adheres to Microsoft's Secure Development Lifecycle (SDL), which includes:

  • Penetration testing: Conducted regularly, including third-party assessments.
  • Attack Surface Analyzer (ASA): Used to validate that installations do not weaken OS security.
  • Certifications: Compliant with ISO/IEC 27001 (certification pending), SOC 1 Type II, SOC 2 Type II, ISO/IEC 27701 (certification pending), C5 Type II, and NEN7510/2/3.

Is there an incident response plan?

Yes. Dragon Copilot follows Microsoft's enterprise-wide incident response framework:

  • Detection and containment: Automated monitoring and alerting.
  • Investigation and remediation: Coordinated through Microsoft's ICM process.
  • Cyber Defense Operations Center: Engaged and involved if applicable.
  • Post-incident review: Includes root cause analysis and policy updates.

Do we notify customers if there are security issues?

Yes. Notifications are issued using the following channels:

  • Microsoft 365 Message Center for enterprise customers.
  • Direct partner communications for SDK and integration partners.
  • Support Area Path (SAP) documentation and escalation channels.

What's the response time for security incidents?

Microsoft typically responds to critical security incidents within hours. Full resolution timelines depend on severity and scope.