If your organisation runs on Microsoft 365, Copilot's integration is genuinely hard to beat — AI inside the Word document and Outlook thread you already have open. The question for regulated UK work is not how well it integrates. It is one Microsoft's own lawyer was asked under oath, and could not answer "yes" to.
| Hush AI | Microsoft Copilot | |
|---|---|---|
| Company ownership | UK company | US company (Microsoft) |
| Where inference runs | Hardware we own, in England | US-owned cloud (Microsoft Azure) |
| US CLOUD Act jurisdiction | Outside it | Within it |
| Office / Teams integration | No — works alongside, copy & paste | Deep, native |
| Audit-log export for your IG lead | ✓ one click, all plans | Via M365 admin / compliance tooling |
| Content used to train foundation models | Never | Microsoft states no, under commercial terms |
Rows describe ownership and jurisdiction from public terms and filings as of June 2026. Microsoft is a US-incorporated company; the CLOUD Act (H.R.4943, 2018) applies to US providers wherever data is stored. Microsoft's commercial-data-protection terms state Copilot business prompts are not used to train its foundation models. Spot an error? Tell us and we will correct it within one working day.
On 10 June 2025, Microsoft France's director of public and legal affairs appeared, under oath, before a French Senate commission of inquiry. Asked whether he could guarantee French citizens' data would never be handed to US authorities without French consent, he answered:
"No, I cannot guarantee it — but, once again, that has never yet happened."
Both halves of that answer matter, and we walk through exactly what it does and does not mean in our full write-up. The short version: Microsoft's EU data-residency and "data boundary" commitments are real, but they describe where data sits, not who can be compelled to produce it. A US-owned company holding your data in a UK region still holds it within reach of a lawful US order.
Native integration with Word, Excel, Outlook, Teams and SharePoint — AI that reads and writes the documents and email you already work in, with no copy-and-paste. If you live in Microsoft 365 and your IG lead has signed off the jurisdiction question for the data involved, Copilot is the path of least friction, and Hush does not match it on integration.
Hush runs on hardware a UK company owns, in England — so there is no US entity in the chain for a CLOUD Act order to reach. Your DPIA can state that plainly. With Copilot, the most you can honestly write is that data stays in a chosen region under contract; the jurisdiction question, as Microsoft's own counsel confirmed, stays open.
Not sure how your stack scores? The two-minute CLOUD Act exposure checker stores nothing and gives you a result to forward to your DPO.
Choose Copilot if deep Microsoft 365 integration is the priority and your governance lead is comfortable with the jurisdiction position for the data your staff will use it on.
Choose Hush if you need to draft documents containing patient, client or employee data on hardware that is genuinely outside US jurisdiction, with an audit trail you own — and you can live without an Office plug-in. Hush drafts under your review; it is not an ambient scribe and not a medical device.
Free 14-day pilot, entirely in writing. No card, no calls. Or check your current tools first.
Start Free Pilot → Run the Checker