Privacy & data management overview

How does Microsoft approach privacy for customers?

The foundation of Microsoft's approach to privacy is built on the following six principles: customer control, transparency, security, strong legal protections for privacy, no content-based targeting, and benefits to customers from any data we collect. The Security Development Lifecycle (SDL) and Privacy Statement provide details on our development process as part of our transparent privacy practices for protecting our customers. In addition, Microsoft details our respective obligations around processing data in the Online Services Data Protection Addendum (DPA).

How does Microsoft implement its privacy commitments?

Microsoft maintains the Microsoft Corporate Privacy Policy and Microsoft Privacy Standard to ensure we meet our privacy commitments across the enterprise. To support these commitments, the Microsoft Customer Data Governance Board (CDGB) maintains a Taxonomy and Framework to ensure appropriate categorization of data and to specify security and privacy requirements for each data category. The related Data Handling Standards provide guidance on how to manage each data classification type within specific activities or scenarios, including requirements to meet the obligations outlined in the OST/DPA and other standards and regulations.

How does Microsoft collect and process customer data?

The data lifecycle describes how Microsoft processes data based on customer guidance and in compliance with applicable security and privacy law. Stages of the data lifecycle include collection, processing, third-party sharing (where applicable), retention, and destruction. Microsoft's approach to privacy informs each stage of the data lifecycle to protect the privacy of our customers.

Microsoft limits collection of customer data to four specific data categories: Customer data, Service-generated data, Diagnostic data, and Professional services data. Microsoft uses data from these categories to perform a limited set of legitimate business operations (LBOs) required for us to provide services to our customers. When data is collected and processed to perform LBOs, Microsoft protects individual customers and users by pseudonymizing diagnostic data and aggregating data prior to use. We do not access the contents of customer data to determine which specific pieces of data might be considered personal. Instead, we assume that all customer data and all professional services data contain personal data and protect the data accordingly.

How does Microsoft handle third-party sharing?

Third-party sharing is the sharing or onward disclosure of data to third parties. Microsoft will only share data when authorized by the customer or required to do so by applicable law. Microsoft does not give any government (including law enforcement or other government entities) direct or unfettered access to customer data. Microsoft complies with international data protection laws regarding transfers of customer data across borders.

How does Microsoft delete customer data when a customer leaves the service?

The Microsoft Data Handling Standard specifies how long customer data is retained after deletion. When a customer ends their subscription, Microsoft retains customer data in a limited function account for 90 days to enable the customer to extract the data. After the 90-day retention period ends, Microsoft will delete customer data unless authorized to retain it or required to retain it by law. No more than 180 days after expiration or termination of a subscription to Microsoft online services, Microsoft disables the account and deletes all customer data from the account. Once the maximum retention period for any data has elapsed, the data is rendered commercially unrecoverable.

Microsoft also deletes all service-generated and diagnostic data as part of the standard Microsoft data lifecycle unless the data is required to maintain the security and stability of the service. For any subscription, a subscriber can contact Microsoft Support and request expedited subscription de-provisioning. When a customer uses this process, all user data is deleted three days after the administrator enters the lockout code provided by Microsoft. This deletion includes data in SharePoint Online and Exchange Online under hold or stored in inactive mailboxes.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following tables for validation of controls related to privacy.

Azure and Dynamics 365

External audits | Section | Latest report date
--- | --- | ---
ISO 27018 (Statement of Applicability; Certificate) | A-2.1: Public cloud PII processor's purpose | November 7, 2022
ISO 27701 (Statement of Applicability; Certificate) | All controls | November 7, 2022
SOC 1 | DS-15: Customer subscription termination/expiration; SDL-1: Security Development Lifecycle (SDL) methodology; LA-4: Protection of confidential customer data | May 6, 2022
SOC 2, SOC 3 | DS-15: Customer subscription termination/expiration; SDL-1: Security Development Lifecycle (SDL) methodology; LA-4: Protection of confidential customer data; SOC2-1: Asset classification; SOC2-7: Published confidentiality and security obligations | November 23, 2022

Office 365

External audits | Section | Latest report date
--- | --- | ---
ISO 27018 (Statement of Applicability; Certificate) | A-2.1: Public cloud PII processor's purpose | March 2022
ISO 27701 (Statement of Applicability; Certificate) | All controls | March 2022
SOC 2 | CA-12: Service level agreements (SLAs); CA-17: Microsoft security policy; CA-25: Control framework updates | January 3, 2023

Resources