Latest information

Microsoft Dynamics CRM Online conforms to ISO/IEC 27018, the only international set of privacy controls in the cloud

Microsoft is the first major cloud provider to be independently verified as having adopted ISO/IEC 27018, the world's first international cloud privacy standard. The adoption of ISO/IEC 27018 by Dynamics CRM Online is part of a broader commitment from Microsoft to protecting the privacy of our customers, as described in a Microsoft on the Issues post from Brad Smith, General Counsel and Executive Vice President. In addition to Microsoft Azure, Office 365 and Microsoft Intune have adopted ISO/IEC 27018.

Principle #1: Your privacy matters   

We respect the privacy of your data.

No advertising
Microsoft Dynamics CRM Online does not build advertising products out of customer data. We don't scan your documents or files for building or advertising. Learn more.

No mingling
Microsoft Dynamics CRM Online always allows you to keep your customer data separate from other customers' data. We provision you with your own database to maximize the security and integrity of your data. Download our privacy white paper.

Data portability
Microsoft Dynamics CRM Online customer data belongs to the customer. You can remove your data whenever you choose. Read a post on The Official Microsoft Blog about protecting customer data from government snooping.

Principle #2: Leadership in transparency

As a Microsoft Dynamics CRM Online customer, you know where your data resides, who can access it, and what we do with it.

Where
You know where the Microsoft major datacenters are located and the logic used to determine where your data is stored. Learn more.

Who and what
We offer clear information on who can access your Microsoft Dynamics CRM Online customer data and under what circumstances they access it. Learn more.

How
Microsoft notifies you, if requested, about changes in our service operations. As an administrator, you will receive service notifications and compliance notifications regarding datacenter location changes, in addition to security, privacy, and audit information. Learn about holistic datacenter efficiency.

Principle #3: Relentless on security

We offer excellence in cutting-edge security practices.

Deep experience
We have developed our practices and policies as a result of more than 15 years of experience in providing security for online data. Learn more.

Security Development Lifecycle
The Microsoft Security Development Lifecycle helps ensure that security and privacy are incorporated by design, from software development through service operations. Download the security and service continuity guide.

Five layers of security
Data is secured in five different layers: data, application, host, network, and physical.

Proactive monitoring
We proactively monitor to help identify potential unknown threats by predicting malicious behavior and monitoring for irregular events that may indicate threats.

Access restriction
Access to production servers is restricted to a small list of operations personnel.

Principle #4: Independently verified

Compliance with world-class industry standards is verified by third parties. Learn more.

Certified for ISO 27001
ISO 27001 is one of the best security benchmarks available across the world.

ISO 27018

Published on July 30, 2014, by the International Organization for Standardization (ISO), as a new component of the ISO 27001 standard, ISO/IEC 27018 sets forth a code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors. Microsoft is the first major cloud provider to be independently verified as having adopted ISO/IEC 27018, the world's first international cloud privacy standard. Learn more.

EU Model Clauses 

In addition to European Union (EU) Safe Harbor, Microsoft Dynamics CRM Online will sign the standard contractual clauses created by the European Union (called the EU Model Clauses), which address international transfer of data. Request a signed copy of the EU Model Clauses from Microsoft. Learn how privacy authorities across Europe approve the cloud commitments of Microsoft.

HIPAA Business Associate Agreement
Microsoft Dynamics CRM Online assists customers in procuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act by offering to execute a Business Associate Agreement (BAA) with customers, upon request. HIPAA/HITECH is a set of US laws that apply to healthcare entities, such as doctors' offices, which the law calls Covered Entities. HIPAA/HITECH governs the use, disclosure, and safeguarding of protected health information (PHI) and imposes requirements on Covered Entities to sign BAAs with their vendors that use and disclose PHI.

Service Organization Control 1 (SOC1) Statement on Standards for Attestation Engagements No. 16
Dynamics CRM Online is committed to annual Statement on Standards for Attestation Engagements (SSAE) 16/International Standard on Assurance Engagements (ISAE) 3402 attestation. The Dynamics CRM Online service and supporting infrastructure have an SSAE 16 - SOC 1 Type 2 report available, by request, through Microsoft employees on behalf of current and prospective customers through SOC distribution. Due to contractual commitments with the third-party auditor, external and third parties must be under NDA to receive a copy.

FedRAMP roadmap
Dynamics CRM submitted an application for a FedRAMP Authority to Operate (ATO), as of October 2013. We do not yet have a forecast date on when a FedRAMP ATO might be granted. To learn more about the FedRAMP process, please visit the U.S. General Services Administration.

Data Processing Terms
Microsoft offers customers a comprehensive set of security and privacy safeguards incorporated in the Online Services Terms that addresses privacy, security, and handling of customer data. Our standard Data Processing Terms enable customers to comply with their regulatory requirements concerning the protection and privacy of Personally Identifiable Information.

Learn more about how Microsoft Dynamics CRM Online meets world-class industry standards and how Microsoft is committed to helping you comply with your regulatory requirements. 

The Cloud Security Alliance suggests that every customer ask their cloud service provider a broad range of security and privacy questions. Because your trust is important to us, we have proactively answered these questions. We also have additional information about the products that are covered by the Trust Center content.