Privacy & data management overview

How does Microsoft approach privacy for customers?

Microsoft’s commitment to protecting customer data is set forth in the Product Terms and the Data Protection Addendum (DPA). The foundation of Microsoft's approach to privacy is built on the following principles: customer control, transparency, security, defending data from third-party access, no content-based targeting, and compliance with relevant laws and regulations. See Privacy at Microsoft and the Microsoft Privacy Report for more about Microsoft’s approach to protecting privacy.

How does Microsoft implement its privacy commitments?

Microsoft maintains the Microsoft Corporate Privacy Policy and Microsoft Privacy Standard to ensure we meet our privacy commitments across the enterprise. Microsoft has governance councils, boards, and committees to support the consistent and compliant adoption and implementation of our corporate privacy requirements. Microsoft's privacy program starts with a "hub and spoke" governance model, in which responsibility for compliance is shared across the company: some functions are centralized and others are distributed. The "hub" of Microsoft's corporate privacy team is the CELA (Corporate, External, and Legal Affairs) group. The "spokes" reside within the company's engineering and functional groups.

Microsoft also has Data Handling Standards in place that provide guidance on how to manage each data classification type within specific activities or scenarios, including requirements to meet the obligations outlined in the Product Terms and DPA.

How does Microsoft collect and process customer data?

The data lifecycle describes how Microsoft processes data based on customer guidance and in compliance with applicable security and privacy laws, as noted in the Product Terms and DPA. Stages of the data lifecycle include collection, processing, storage, third-party sharing (where applicable), retention, transfer, and deletion. Microsoft's approach to privacy informs each stage of the data lifecycle to protect the privacy of our customers.

Microsoft limits collection of customer data to three data categories: Customer Data, Personal Data, and Professional Services Data as defined in the DPA. Microsoft uses and processes data from these categories to provide products and services in accordance with documented instructions from its customers and for business operations incident to providing the products and services. Specific descriptions of these use and processing activities are defined in the DPA in sections, “Processing to Provide Customer the Products and Services” and “Processing for Business Operations Incident to Providing the Products and Services to Customer,” respectively.

How does Microsoft handle third-party sharing?

Third-party sharing is the sharing or onward disclosure of data to third parties. Microsoft will only share data when authorized by the customer or required to do so by applicable law. Microsoft does not give any government (including law enforcement or other government entities) direct or unfettered access to customer data. See the Law Enforcement Request Report and the U.S. National Security Order Report to learn how Microsoft responds to government requests to access data.

Does Microsoft use subprocessors or subcontractors?

For information on how Microsoft manages suppliers, see the Supplier Management page.

Who has access to customer data within Microsoft?

To learn how Microsoft manages access to customer data, see the Identity and Access Management page.

Where is customer data located?

For Core Online Services, see our commitments outlined in the Product Terms and the DPA for the most up-to-date information on the location of customer data.

As described in the DPA for the Core Online Services, Microsoft stores Customer Data at rest within certain major geographic areas (each, a Geo) as set forth in the Product Terms. For commercial services in scope for the Microsoft EU Data Boundary, Microsoft stores and processes Customer Data within the European Union as set forth in the Product Terms. Microsoft does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.

Visit Microsoft Privacy - Where is Your Data Located to learn more.

For Azure and M365 services, visit Azure data residency and M365 data locations.

Other services data locations:

Microsoft EU Data Boundary

On May 6, 2021, Microsoft announced the EU Data Boundary for the Microsoft Cloud, Microsoft’s new commitment to customers in Europe. The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process customer data for our major online services, including Azure, Dynamics 365, Power Platform, and Microsoft 365, subject to limited circumstances where customer data will continue to be transferred outside the EU Data Boundary.

Learn more at:

How does Microsoft delete customer data when a customer leaves the service?

The Microsoft Data Handling Standard specifies how long customer data is retained after deletion. When a customer ends their subscription, Microsoft retains customer data in a limited function account for 90 days to enable the customer to extract the data. After the 90-day retention period ends, Microsoft will delete customer data unless authorized to retain it or required to retain it by law. No more than 180 days after expiration or termination of a subscription to Microsoft online services, Microsoft disables the account and deletes all customer data from the account. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable.

Microsoft also deletes all service-generated and diagnostic data as part of the standard Microsoft data lifecycle unless the data is required to maintain the security and stability of the service. For any subscription, a subscriber can contact Microsoft Support and request expedited subscription de-provisioning. When a customer uses this process, all user data is deleted 3 days after the administrator enters the lockout code provided by Microsoft. This deletion includes data in SharePoint Online and Exchange Online under hold or stored in inactive mailboxes.

Microsoft follows NIST SP 800-88 guidelines for the destruction of devices that are capable of holding data, as described in the Data-bearing device destruction article.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following tables for validation of controls related to privacy.

Azure and Dynamics 365

| External audits | Section | Latest report date |
|---|---|---|
| ISO 27018 (Statement of Applicability; Certificate) | A-2.1: Public cloud PII processor's purpose | November 6, 2023 |
| ISO 27701 (Statement of Applicability; Certificate) | All controls | November 6, 2023 |
| SOC 1 | DS-15: Customer subscription termination/expiration; SDL-1: Security Development Lifecycle (SDL) methodology; LA-4: Protection of confidential customer data | November 17, 2023 |
| SOC 2, SOC 3 | DS-15: Customer subscription termination/expiration; SDL-1: Security Development Lifecycle (SDL) methodology; LA-4: Protection of confidential customer data; SOC2-1: Asset classification; SOC2-7: Published confidentiality and security obligations | November 17, 2023 |

Microsoft 365

| External audits | Section | Latest report date |
|---|---|---|
| ISO 27018 (Statement of Applicability; Certificate) | A-2.1: Public cloud PII processor's purpose | March 2024 |
| ISO 27701 (Statement of Applicability; Certificate) | All controls | March 2024 |
| SOC 2 | CA-12: Service level agreements (SLAs); CA-17: Microsoft security policy; CA-25: Control framework updates | January 23, 2024 |

Resources