Focused EU AI DLP vs Microsoft 365 add-on

ZeusLock vs Microsoft Purview: which AI DLP fits a European Microsoft 365 estate?

Microsoft Purview is a powerful compliance and DLP suite — but its GenAI coverage is built around Edge for Business, omits Anthropic Claude, has no MCP or CLI surface, and only ships at scale with an E5 commitment. ZeusLock is a focused EU-hosted AI DLP that covers the same prompt-to-model path for €4/user/month and adds Claude, MCP and CLI agents that Purview does not.

Purview shines when you have already standardised on Microsoft 365 E5 and want a single console for retention, eDiscovery, Insider Risk and DLP. ZeusLock wins when AI DLP is the priority on its own, when you need Anthropic Claude or MCP coverage, when your data must stay in the EU under French jurisdiction, or when you simply do not want to bundle an E5 upgrade with your GenAI controls.

AI surface coverage

Where each product enforces controls on the most-used GenAI surfaces, by what each vendor publishes on their own site.

Columns: ZeusLock | Microsoft Purview

  • OpenAI ChatGPT (chat.openai.com)
  • Anthropic Claude (claude.ai)
    Claude is not listed in Microsoft Learn's Edge-for-Business DLP coverage documentation as of May 2026.
  • Google Gemini (gemini.google.com)
  • Microsoft Copilot (M365 + consumer)
  • MCP protocol (agent ↔ tool)
    No MCP coverage is documented in Microsoft Purview product documentation.
  • AI CLI tools (Claude Code, Cursor, Copilot CLI)
  • Linux endpoint agent
    Microsoft Purview endpoint DLP documents Windows and macOS only.

Legend: Supported | Partial | Not supported | Not publicly disclosed

How each product intercepts data

The architectural path a sensitive prompt takes from the user's keyboard to the AI model.

ZeusLock architecture

ZeusLock path

  1. User opens any browser (Chrome, Edge or Firefox) with the ZeusLock extension.
  2. Extension intercepts the prompt locally before it leaves the page; sensitive substrings are anonymised in real time.
  3. Sanitised prompt is delivered to ChatGPT / Claude / Gemini / Copilot — original sensitive content never leaves the device.
  4. Audit event is recorded in the ZeusLock console hosted on AWS Paris (eu-west-3) — or on-premise with Sovereign Edition.
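The path above anonymises sensitive substrings in the browser and records an audit event afterwards. As an added example (not ZeusLock's or Microsoft's code; the function names, placeholder format and sample prompt are constructed), this JavaScript shows one way a local detector for SIREN / SIRET numbers can work: candidates are checked with the Luhn checksum so ordinary 9-digit numbers are left alone, and the returned findings carry type and position only, never the matched value.

```javascript
// Added example: hypothetical names, constructed sample data.
// Luhn check: from the right, double every second digit (subtract 9 if > 9);
// the total must be a multiple of 10. SIREN (9 digits) and SIRET (14) both use it.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// SIRET is tried first so a 14-digit number is not reported as a bare SIREN.
// Digits may be grouped with single spaces, as commonly written in France.
const CANDIDATE =
  /(?<!\d)(?:\d{3} ?\d{3} ?\d{3} ?\d{5}|\d{3} ?\d{3} ?\d{3})(?!\d)/g;

// Returns the sanitised prompt plus findings suitable for an audit event.
// Findings deliberately omit the matched value.
function redactPrompt(prompt) {
  const findings = [];
  const sanitised = prompt.replace(CANDIDATE, (match, offset) => {
    const digits = match.replace(/ /g, "");
    if (!luhnValid(digits)) return match; // checksum fails: not an identifier
    const type = digits.length === 14 ? "SIRET" : "SIREN";
    findings.push({ type, offset, length: match.length });
    return `[${type}_${findings.length}]`;
  });
  return { sanitised, findings };
}

// Constructed prompt: a Luhn-valid SIRET and SIREN, plus an order number
// that has 9 digits but fails the checksum.
const SAMPLE_PROMPT =
  "Draft a reminder to supplier SIRET 123 456 782 00010 " +
  "(SIREN 123456782) about order 123456789.";

console.log(redactPrompt(SAMPLE_PROMPT));
```

One known exception this example does not handle: SIRET numbers issued to La Poste establishments do not all satisfy Luhn, so a production detector needs a separate rule for them.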

Microsoft Purview architecture

Competitor path

  1. User opens Microsoft Edge for Business signed in with a managed Entra ID identity.
  2. Edge's built-in DLP engine evaluates the page against Purview policies — Chrome/Firefox fall back to file-activity coverage only.
  3. On policy hit, the upload or paste is blocked (or audited) and surfaced to Microsoft Defender + the Purview portal.
  4. Telemetry flows to the Azure region(s) configured in the Microsoft 365 tenant; metadata may transit US-controlled infrastructure.

At a glance

| | ZeusLock | Microsoft Purview |
|---|---|---|
| Vendor jurisdiction | France (ZEUSLOCK SASU, Vaucresson) | United States (Microsoft Corp., Redmond) |
| Default hosting region | EU (AWS Paris, eu-west-3) + on-premise Sovereign Edition | Azure global — EU pinning possible per tenant; service itself is cloud-only |
| CLOUD Act / FISA 702 exposure | None on Sovereign Edition (data never leaves the customer perimeter) | Yes — US-domiciled provider; CLOUD Act listed in Compliance Manager |
| GenAI apps covered at the browser layer | ChatGPT, Claude, Gemini, Copilot, Perplexity, Mistral, Grok + shadow-AI (DeepSeek etc.) | ChatGPT, Gemini, Microsoft Copilot, DeepSeek — Claude not listed in Edge-DLP docs |
| Browser extensions | Chrome, Edge, Firefox | Edge for Business (full AI-app coverage); Chrome (file activities only) |
| CLI agents / MCP protocol | Yes — only AI DLP covering MCP + CLI agents (Claude Code, Cursor, Copilot CLI) | Not documented in Microsoft Learn |
| On-premise / air-gapped deployment | Yes — Sovereign Edition on Kubernetes / OpenShift / bare-metal Docker | No — Purview is cloud-only |
| Out-of-the-box French detectors (SIRET, SIREN, INSEE) | SIRET + SIREN + INSEE + EU VAT + IBAN + NHS shipped by default | INSEE (France social security), IBAN and NHS listed; SIRET / SIREN not in built-in entity definitions |
| Starting list price | €4 / user / month (Starter), €7 / user / month (Business) | Requires Microsoft 365 E3 ($23) or E5 ($38) per user/month + new PAYG meters for AI surfaces |
| EU AI Act / NIS2 / DORA reporting | Built-in templates aligned to all three | Compliance Manager assessment templates for EU AI Act, NIS2, DORA (premium regulations) |

GenAI app coverage — what each vendor publicly documents

Microsoft Purview's "Learn about collecting DLP signals from Microsoft Edge for Business" documentation lists the AI sites that DLP can inspect: ChatGPT, Microsoft Copilot, Google Gemini and DeepSeek. Anthropic Claude does not appear in that list. The Purview Extension for Chrome ships file-activity coverage on Windows 10/11 only and does not provide the same AI-prompt inspection that Edge for Business does. ZeusLock's browser extension treats every major GenAI surface — ChatGPT, Claude, Gemini, Copilot, Perplexity, Mistral, Grok — as a first-class target, on Chrome, Edge and Firefox alike, and it actively flags shadow-AI tools such as DeepSeek the moment a user opens them.

Agentic AI — CLI tools and the MCP protocol

The 2026 enterprise GenAI footprint extends past the browser into developer terminals (Claude Code, Cursor, Copilot CLI) and into Model Context Protocol (MCP) connectors that let agents reach tools like Slack, Jira and GitHub. Microsoft Purview's product documentation does not currently describe MCP-protocol DLP or CLI-tool DLP. ZeusLock built both as first-class surfaces: a desktop CLI agent intercepts prompts at the terminal, and an MCP guard sits at the tool-call boundary to redact secrets and prompt-injection patterns travelling across MCP. For organisations whose engineering teams are already using AI agents on production codebases, this is the gap that defines whether you have AI DLP or you do not.
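To make "a guard at the tool-call boundary" concrete, the following added example (not ZeusLock's code; function names, rule names and the sample message are constructed) inspects an MCP `tools/call` JSON-RPC request and redacts two well-known public token formats from its arguments before the request is forwarded. It covers secret redaction only, not prompt-injection patterns.

```javascript
// Added example: hypothetical guard for MCP "tools/call" requests (JSON-RPC 2.0).
// The rules are public, documented token prefixes; the message is constructed.
const SECRET_RULES = [
  { name: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github_pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
];

// Walks strings, arrays and objects; records where each hit was found
// (argument path and rule name) without recording the secret itself.
function redactValue(value, path, hits) {
  if (typeof value === "string") {
    let out = value;
    for (const { name, re } of SECRET_RULES) {
      out = out.replace(re, () => {
        hits.push({ path, rule: name });
        return `[REDACTED:${name}]`;
      });
    }
    return out;
  }
  if (Array.isArray(value)) {
    return value.map((v, i) => redactValue(v, `${path}[${i}]`, hits));
  }
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redactValue(v, `${path}.${k}`, hits)])
    );
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Unparseable input throws, so the caller can fail closed instead of forwarding.
function guardToolCall(rawMessage) {
  const msg = JSON.parse(rawMessage);
  if (msg.method !== "tools/call" || !msg.params) return { message: msg, hits: [] };
  const hits = [];
  const args = redactValue(msg.params.arguments ?? {}, "arguments", hits);
  return { message: { ...msg, params: { ...msg.params, arguments: args } }, hits };
}

// Constructed request: an agent pastes a credential into an issue body.
const SAMPLE_CALL = JSON.stringify({
  jsonrpc: "2.0", id: 7, method: "tools/call",
  params: { name: "create_issue", arguments: {
    title: "Deploy fails", body: "creds: AKIA" + "X".repeat(16), labels: ["bug"] } },
});

console.log(JSON.stringify(guardToolCall(SAMPLE_CALL), null, 2));
```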

Hosting, sovereignty and CLOUD Act exposure

Microsoft is a US corporation; Microsoft 365 tenants can geo-pin data to EU Azure regions, but the vendor itself remains subject to the US CLOUD Act and FISA 702. Microsoft's own Compliance Manager regulations list explicitly includes "US – Clarifying Lawful Overseas Use of Data (CLOUD) Act" alongside GDPR, EU AI Act, NIS2 and DORA — which is honest but does not change the legal exposure. ZeusLock is a French SASU operating on AWS Paris (eu-west-3); the Sovereign Edition runs entirely on customer infrastructure (Kubernetes, OpenShift or hardened bare-metal Docker), supports air-gapped delivery via signed offline container images, and integrates with customer-managed HSMs (Thales Luna, Atos Trustway) over PKCS#11. For banking, defence, healthcare and public-sector buyers under DORA, NIS2 or French sovereignty requirements, this is the architectural difference that matters.

Pricing — focused product vs platform commitment

Microsoft's public Microsoft 365 plan comparison page lists E3 at $23/user/month and E5 at $38/user/month (annual commitment) — base DLP for emails and files comes with E3; advanced DLP, credential scanning and endpoint DLP require E5. In May 2025 Microsoft added a new pay-as-you-go billing model for protecting AI apps and agents — additional consumption meters on top of the per-seat licence. ZeusLock charges €4/user/month at Starter (100 detections/user, 30-day history) and €7/user/month at Business (300 detections, 90-day history), with Enterprise on quote for unlimited detections, 1-year retention and an SLA. If you already pay for E5, Purview's base DLP is "free" in the sense that you already own the license; if you don't, an E5 upgrade plus the AI PAYG meters is materially more than €7/user/month dedicated to AI DLP only.

EU regulation evidence — what auditors will actually ask for

Microsoft Purview's Compliance Manager ships assessment templates for EU AI Act, NIS2 and DORA — these are checklists that map controls to regulation articles, and they are excellent. ZeusLock approaches the same regulations differently: every detection event, every block, every consent prompt is captured as evidence formatted for EU AI Act Article 53 transparency obligations, NIS2 incident-reporting flows and DORA operational-resilience audit packs. For a French DSI staring down a Banque de France DORA review, "we generate the evidence template" tends to be more useful than "we provide an assessment template" — though both approaches are legitimate.

When ZeusLock is the better choice

  • Your engineering teams use Anthropic Claude (claude.ai) — Microsoft's Edge-for-Business DLP does not list Claude as a supported AI app.
  • Your developers run Claude Code, Cursor or Copilot CLI on workstations and you need DLP at the terminal and MCP layer.
  • You need on-premise or air-gapped deployment for banking, defence, healthcare or French public-sector workloads — Purview is cloud-only.
  • You want AI DLP without committing to Microsoft 365 E5 plus the new PAYG AI meters.
  • French SIRET / SIREN detection out of the box matters to your auditors — Purview lists INSEE but not SIRET / SIREN in its built-in entity definitions.
  • You want vendor jurisdiction in the EU under French law, not a US corporation listed on the CLOUD Act compliance template.

When Microsoft Purview is the better choice

  • You have already standardised on Microsoft 365 E5 and treat AI DLP as one feature inside a wider DLP / Insider Risk / eDiscovery suite.
  • Your AI usage is overwhelmingly Microsoft Copilot and you want the deepest Edge for Business + Entra ID + Defender integration available.
  • Your auditors prefer the consolidated Compliance Manager assessment-template format for EU AI Act, NIS2 and DORA across one platform.
  • You do not run Claude (claude.ai), MCP-based agents, or AI CLI tools, and you do not need on-premise / air-gapped deployment.

Frequently asked questions

Does Microsoft Purview block Anthropic Claude prompts?

Microsoft's official Edge-for-Business DLP documentation as of May 2026 lists ChatGPT, Google Gemini, Microsoft Copilot and DeepSeek as the AI sites it can inspect. Anthropic Claude (claude.ai) is not on that list. You may be able to write a custom URL-based policy for claude.ai, but it will not have the same prompt-level inspection logic Microsoft built for ChatGPT and Gemini. ZeusLock treats Claude as a first-class target.

Can Microsoft Purview run on-premise or air-gapped like the ZeusLock Sovereign Edition?

No. Microsoft Purview is a cloud service delivered through the Microsoft 365 and Azure platforms. On-premise data sources can be scanned by the Information Protection scanner, but the Purview service itself runs in Microsoft's cloud. ZeusLock Sovereign Edition is delivered as signed offline container images, runs on customer Kubernetes / OpenShift / hardened Docker, and integrates with customer-managed HSMs over PKCS#11.

How does ZeusLock pricing compare to a Purview-on-E5 deployment for 500 users?

For 500 seats, ZeusLock Business is €3,500 / month (≈ €42k / year) for AI DLP exclusively. Microsoft 365 E5 at $38/user/month is $19,000 / month (≈ $228k / year) — that bundles DLP, eDiscovery, Insider Risk, Threat Protection and many other services. If you only want AI DLP, ZeusLock is roughly an order of magnitude less expensive. If you already pay for E5 across the same 500 seats, Purview's base DLP comes with the license — but the new PAYG meters for AI app inspection are charged on top.

Is Microsoft subject to the US CLOUD Act for EU customer data?

Yes. Microsoft is a US-domiciled corporation and the CLOUD Act applies to data it processes regardless of where the data is geographically stored. Microsoft itself lists the "US – Clarifying Lawful Overseas Use of Data (CLOUD) Act" in its Compliance Manager regulations catalogue. EU-region pinning reduces routine data transit but does not change the underlying legal exposure. ZeusLock Sovereign Edition removes the exposure entirely by running on-premise on the customer's own infrastructure.

Does ZeusLock replace Microsoft Purview entirely, or do they coexist?

They coexist comfortably. Purview keeps doing what it is best at — Microsoft 365-native DLP, eDiscovery, retention and Insider Risk on Exchange / SharePoint / Teams. ZeusLock sits in front of the GenAI surface (browser, desktop, CLI, MCP) and produces EU-formatted compliance evidence. Many ZeusLock customers run Purview for M365 content and ZeusLock for AI prompt protection — they target different attack surfaces and audit different regulations.

Sources & citations

Every non-trivial claim on this page traces back to one of these primary sources.

  1. Microsoft Purview product page (microsoft.com)
  2. Edge for Business DLP — supported AI apps (learn.microsoft.com)
  3. Microsoft Purview Extension for Chrome (learn.microsoft.com)
  4. Microsoft 365 plan comparison — E3, E5, Business Premium (microsoft.com)
  5. New Purview PAYG pricing for AI apps & agents (techcommunity.microsoft.com)
  6. Compliance Manager regulations list (learn.microsoft.com)
  7. Purview sensitive information type entity definitions (learn.microsoft.com)
  8. Purview "all credentials" SIT — API keys & secrets (learn.microsoft.com)
  9. ZeusLock — Sovereign Edition (zeuslock.ai)
  10. ZeusLock — security & compliance (zeuslock.ai)