Privacy & data management overview
How does Microsoft approach privacy for customers?
The foundation of Microsoft's approach to privacy is built on the following six principles: customer control, transparency, security, strong legal protections for privacy, no content-based targeting, and benefits to customers from any data we collect. The Security Development Lifecycle (SDL) and Privacy Statement provide details on our development process as part of our transparent privacy practices for protecting our customers. In addition, Microsoft details our respective obligations around processing data in the Online Services Data Protection Addendum (DPA).
How does Microsoft implement its privacy commitments?
Microsoft maintains the Microsoft Corporate Privacy Policy and Microsoft Privacy Standard to ensure we meet our privacy commitments across the enterprise. To support these commitments, the Microsoft Customer Data Governance Board (CDBG) maintains a Taxonomy and Framework to ensure appropriate categorization of data and specify security and privacy requirements for each data categorization. The related Data Handling Standards provide guidance on how to manage each data classification type within specific activities or scenarios, including requirements to meet the obligations outlined in the OST/DPA and other standards and regulations.
How does Microsoft collect and process customer data?
The data lifecycle describes how Microsoft processes data based on customer guidance and in compliance with applicable security and privacy law. Stages of the data lifecycle include collection, processing, third-party sharing (where applicable), retention, and destruction. Microsoft's approach to privacy informs each stage of the data lifecycle to protect the privacy of our customers.
Microsoft limits collection of customer data to four specific data categories: Customer data, Service-generated data, Diagnostic data, and Professional services data. Microsoft uses data from these categories to perform a limited set of legitimate business operations (LBOs) required for us to provide services to our customers. When data is collected and processed to perform LBOs, Microsoft protects individual customers and users by pseudonymizing diagnostic data and aggregating data prior to use. We do not access the contents of customer data to determine which specific pieces of data might be considered personal. Instead, we assume that all customer data and all professional services data contain personal data and protect the data accordingly.
How does Microsoft handle third-party sharing?
Third-party sharing is the sharing or onward disclosure of data to third parties. Microsoft will only share data when authorized by the customer or required to do so by applicable law. Microsoft does not give any government (including law enforcement or other government entities) direct or unfettered access to customer data. Microsoft complies with international data protection laws regarding transfers of customer data across borders.
How does Microsoft delete customer data when a customer leaves the service?
The Microsoft Data Handling Standard specifies how long customer data is retained after deletion. When a customer ends their subscription, Microsoft retains customer data in a limited function account for 90 days to enable the customer to extract the data. After the 90-day retention period ends, Microsoft will delete customer data unless authorized to retain it or required to retain it by law. No more than 180 days after expiration or termination of a subscription to Microsoft online services, Microsoft disables the account and deletes all customer data from the account. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable.
Microsoft also deletes all service-generated and diagnostic data as part of the standard Microsoft data lifecycle unless the data is required to maintain the security and stability of the service. For any subscription, a subscriber can contact Microsoft Support and request expedited subscription de-provisioning. When a customer uses this process, all user data is deleted three days after the administrator enters the lockout code provided by Microsoft. This deletion includes data in SharePoint Online and Exchange Online under hold or stored in inactive mailboxes.
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to privacy.
Azure and Dynamics 365
External audits | Section | Latest report date |
---|---|---|
ISO 27018 Statement of Applicability Certificate | A-2.1: Public cloud PII processor's purpose | November 7, 2022 |
ISO 27701 Statement of Applicability Certificate | All controls | November 7, 2022 |
SOC 1 | DS-15: Customer subscription termination/expiration; SDL-1: Security Development Lifecycle (SDL) methodology; LA-4: Protection of confidential customer data | May 6, 2022 |
SOC 2, SOC 3 | DS-15: Customer subscription termination/expiration; SDL-1: Security Development Lifecycle (SDL) methodology; LA-4: Protection of confidential customer data; SOC2-1: Asset classification; SOC2-7: Published confidentiality and security obligations | November 23, 2022 |
Office 365
External audits | Section | Latest report date |
---|---|---|
ISO 27018 Statement of Applicability Certificate | A-2.1: Public cloud PII processor's purpose | March 2022 |
ISO 27701 Statement of Applicability Certificate | All controls | March 2022 |
SOC 2 | CA-12: Service level agreements (SLAs); CA-17: Microsoft security policy; CA-25: Control framework updates | January 3, 2023 |
Resources
- Microsoft Trust Center: Privacy Principles