Privacy & data management overview
How does Microsoft approach privacy for customers?
Microsoft is committed to protecting customer data as outlined in the Product Terms and the Data Protection Addendum (DPA). The foundation of Microsoft's approach to privacy for commercial customers is built on the following principles: you control your data, knowing where your data is located and how it’s used, security of your data at rest and in transit, and defending data from third party access.
How does Microsoft implement its privacy commitments?
Microsoft upholds its privacy commitments through the Microsoft Corporate Privacy Policy and the Microsoft Privacy Standard. To ensure consistent and compliant adoption of these requirements, Microsoft has established governance councils, boards, and committees. Our privacy program uses a "hub and spoke" governance model, where compliance responsibilities are shared across the company. The "hub" is the CELA (Corporate, External, and Legal Affairs) group, which includes the Chief Privacy Officer, accountable for privacy governance. Additionally, we have a designated European Union (EU) Data Protection Officer (DPO) to meet EU-specific privacy requirements. The “spokes” are within our engineering and functional groups and are responsible for implementing the privacy requirements.
Microsoft meets its privacy requirements through third-party audits and certifications, such as ISO 27018 and ISO 27701.
How does Microsoft collect and process customer data?
The DPA defines three data categories: Customer Data, Personal Data, and Professional Services Data.
Microsoft processes data from these categories to provide products and services as per customers' documented instructions and for business operations. Simply put, Microsoft processes data for service delivery, troubleshooting, maintenance, and improvement. The data is not used for user profiling, advertising, or market research.
Detailed descriptions of these activities are in the DPA sections “Processing to Provide Customer the Products and Services” and “Processing for Business Operations Incident to Providing the Products and Services to Customer.”
How does Microsoft ensure the confidentiality of customer data?
Microsoft’s privacy governance model ensures privacy controls protect the confidentiality of customer data. These controls are detailed in our third-party reports, such as ISO 27001 and 27701, accessible through the Service Trust Portal. These reports cover controls on data minimization, retention/deletion, location and transfer, and sharing, among others.
A few key measures to note are:
- Access to data: Microsoft assumes all customer data includes personal data and applies appropriate safeguards without accessing the data to verify its content.
- Data Processing: Microsoft pseudonymizes and aggregates data to protect confidentiality. Refer to the DPA for more details.
- Data Isolation: Microsoft uses data isolation techniques to separate cloud tenants, ensuring customers can only access their own data. To learn about how customer content is isolated or segregated, please visit the Architecture overview article. Additionally, Microsoft prohibits using customer data in testing environments.
What does Microsoft do to secure customer data?
As outlined in the DPA, Microsoft has safeguards to protect customer data. Several articles in Service Assurance provide an overview of these safeguards. Please refer to sections such as Encryption, Access Management, Datacenter and Network Security, Personnel and Supplier Management, and Vulnerability Management.
How does Microsoft handle third-party sharing of data?
Third-party sharing is the sharing or onward disclosure of data to third parties. Microsoft will only share data when authorized by the customer or required to do so by applicable law. Microsoft does not give any government (including law enforcement or other government entities) direct or unfettered access to customer data. For more information, see the Law Enforcement Request Report and U.S. National Security Order Report to learn how Microsoft responds to government requests to access data.
Does Microsoft use subprocessors or subcontractors?
For information on how Microsoft manages suppliers, see Supplier Management page.
Who has access to customer data within Microsoft?
To learn how Microsoft manages access to customer data, see Identity and Access Management page.
Where is customer data located?
For Core Online Services, see our commitments outlined in the Product Terms and the DPA to find the most up to date information on location of customer data.
As described in the DPA for the Core Online Services, Microsoft stores Customer Data at rest within certain major geographic areas (each, a Geo) as set forth in the Product Terms. For commercial services in scope for the Microsoft EU Data Boundary, Microsoft stores and processes Customer Data within the European Union as set forth in the Product Terms. Microsoft does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data.
Visit Microsoft Privacy - Where is Your Data Located to learn more.
For Azure and M365 services, visit Azure data residency and M365 data locations.
Other services data locations:
- Azure DevOps Services
- Microsoft Entra ID
- Microsoft Commerce
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity Personal Data Policy
- Microsoft Dynamics 365
- Microsoft Intune
- Microsoft Power Platform
- Microsoft Professional Services
- Microsoft Threat Protection
What is the Microsoft EU Data Boundary?
The EU Data Boundary is a commitment by Microsoft Online Services that provides customers in the EU and EFTA with greater control and transparency over where their data is stored and processed. Beginning on January 1, 2023, Microsoft will offer customers the ability to store and process their customer data within the EU Data Boundary for Microsoft 365, Azure, Power Platform and Dynamics 365 services. With this release, Microsoft expands on existing local storage and processing commitments, greatly reducing data flows out of Europe and building on our industry-leading data residency solutions.
In coming phases of the EU Data Boundary, Microsoft will expand the EU Data Boundary solution to include the storage and processing of additional categories of personal data, including data provided when receiving technical support.
Learn more at:
How does Microsoft delete customer data when a customer leaves the service?
When a customer ends their subscription, Microsoft retains customer data in a limited function account for 90 days, allowing the customer to extract the data. After this period, Microsoft deletes the data unless retention is authorized or required by law. No more than 180 days after a subscription ends, Microsoft disables the account and deletes all data, rendering it unrecoverable.
Microsoft also deletes personal data in system generated logs. For any subscription, a subscriber can contact Microsoft Support and request expedited subscription de-provisioning. When a customer uses this process, all user data is deleted 3 days after the administrator enters the lockout code provided by Microsoft. This deletion includes data in SharePoint Online and Exchange Online under hold or stored in inactive mailboxes.
Microsoft follows NIST SP-800-88 guidelines for the destruction of devices that are capable of holding data, as described in the Data-bearing device destruction article.
Does Microsoft provide guidance to customers on compliance with GDPR?
Microsoft maintains guidance documentation to assist customers in their role as the data controller. Some key GDPR resources to note can be found below; however, customers should consult their own legal and compliance professionals to understand and implement their GDPR obligations.
- General Data Protection Regulation Overview
- Data Protection Impact Analysis
- Data Subject Requests
- Breach Notification
- Data Protection Impact Assessment (DPIA)
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to privacy.
Azure and Dynamics 365
External audits | Section | Latest report date |
---|---|---|
ISO 27018 Statement of Applicability Certificate |
A-2.1: Public cloud PII processor's purpose | April 8, 2024 |
ISO 27701 Statement of Applicability Certificate |
All controls | April 8, 2024 |
SOC 1 | DS-15: Customer subscription termination/expiration SDL-1: Security Development Lifecycle (SDL) methodology LA-4: Protection of confidential customer data |
August 16, 2024 |
SOC 2 SOC 3 |
DS-15: Customer subscription termination/expiration SDL-1: Security Development Lifecycle (SDL) methodology LA-4: Protection of confidential customer data SOC2-1: Asset classification SOC2-7: Published confidentiality and security obligations |
May 20, 2024 |
Microsoft 365
External audits | Section | Latest report date |
---|---|---|
ISO 27018 Statement of Applicability Certificate |
A-2.1: Public cloud PII processor's purpose | March 2024 |
ISO 27701 Statement of Applicability Certificate |
All controls | March 2024 |
SOC 2 | CA-12: Service level agreements (SLAs) CA-17: Microsoft security policy CA-25: Control framework updates |
January 23, 2024 |
Resources
- Microsoft Trust Center: Privacy Principles: Privacy Principles
- Compliance with EU transfer requirements for personal data in the Microsoft Cloud
- Microsoft Professional Services privacy and data protection information
- Data Transfer Impact Assessment FAQ
- Data Residency, Data Sovereignty, and Compliance in the Microsoft Cloud