Leadership in Transparency
As a Microsoft Support customer, you will know where your data resides, who can access it, and what we do with it.
You know where your data is stored and where our personnel are located.
Who & What
We offer clear information on who has access to your data and under what circumstances they access it.
Microsoft Customer Service and Support (“CSS”) utilizes a global network of specialists and facilities to help ensure that the highest quality and fastest response services are available to our customers. Our goal is to optimize our services for quality, speed and cost control by leveraging our worldwide footprint.
Global support model
When you provide data to CSS for support purposes, your data is stored on customer support systems in data centers located in the United States. These customer support systems are used when providing phone, email and web support. This data may then be transferred to, stored and processed in systems that reside in other countries where we or our Affiliates or subcontractors maintain facilities. For certain customers located in the European Economic Area (“EEA”), we also offer a tailored Premier Support option, allowing EEA customers to restrict storage of their data to data centers located in the EEA.
We also use support personnel in multiple locations around the world to provide timely and consistent support to our customers, day and night. Support personnel may, in certain cases, need to escalate or transfer issues to CSS support engineers in other locations, based on factors like service center uptime, language skills and technical expertise, allowing us to provide optimum service to our customers.
CSS abides by the U.S.-European Union (“EU”) Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from the EEA and Switzerland. This allows us to transfer personal data from the EEA to locations within the United States for processing by our customer support systems.
Microsoft Customer Service and Support (“CSS”) is committed to helping customers comply with their regulatory obligations with respect to security and privacy.
Our customers around the world are subject to many different data protection laws and regulations. We understand that legal requirements in one country or industry may be different from legal requirements applicable elsewhere. As a provider of global support services, we provide our services with common operational practices across multiple industries and jurisdictions.
To help our customers comply with their own security and privacy obligations, we build our services with common globally applicable data protection requirements in mind. However, it is ultimately up to our customers to evaluate CSS offerings against their own requirements, and to determine if our services satisfy their regulatory obligations. We are committed to providing our customers with detailed information about our support services to help them with their own regulatory compliance assessments.
Frequently asked questions
- How does Microsoft CSS help me comply with my regulatory obligations?
Although it is ultimately the responsibility of our customers to comply with applicable regulatory requirements with respect to security and privacy, CSS is committed to helping customers with their compliance efforts by providing meaningful information, and engages in practices that respect security and privacy requirements worldwide.
For instance, a customer may be required to encrypt certain data before it can be transferred to a third party. If this customer engages CSS for troubleshooting a support case, it is up to that customer to ensure it has complied with the encryption requirement before such data is shared with CSS.
At the same time, to support our customers' compliance efforts, we have addressed many privacy and security requirements, such as the European Union Data Protection Directive (“EU DPD”), in the design and operation of our services for normal use, and we continually look for opportunities to improve privacy and security practices.
We also abide by the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Economic Area (“EEA”) and Switzerland. Participation in these frameworks allows us to transfer customer “personal data” outside these jurisdictions to the U.S. in order to provide CSS Support Services. Microsoft's Safe Harbor certification can be found at http://safeharbor.export.gov/.
- Will Microsoft CSS sign additional data protection contract terms?
Microsoft offers a comprehensive Data Processing Agreement (“DPA”) to all its enterprise CSS customers that addresses specific commitments with respect to the privacy, security, and handling of customer data. The terms of this DPA may help customers to comply with their local requirements. In addition, our customers who are covered entities under the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. may sign a Business Associate Agreement with Microsoft for CSS services.
- Is Microsoft CSS independently audited, with third party certification?
Microsoft has secured ISO 27001:2005 certification from the British Standards Institute (BSI) for technical support of our cloud services through 2016. This includes support for Office 365, Microsoft Azure, Dynamics CRM and Windows Intune. This certification represents third-party validation that the covered information security management system, including security and privacy safeguards and controls, has met a rigorous set of international data protection standards.
Microsoft Customer Service and Support (“CSS”) uses subcontractors to perform a variety of support services. CSS holds its subcontractors to security and privacy standards equivalent to our own. Our subcontractors handle your data only when required to provide or maintain support services.
Frequently asked questions
- In what circumstances is my data disclosed to subcontractors, and how do they use it?
We will only disclose your data to subcontractors so they can deliver the services we have retained them to provide. Subcontractors are prohibited from using your data for any other purpose and are required to maintain the security and confidentiality of your data. Subcontractors that work in facilities or on equipment controlled by Microsoft must follow CSS data protection standards. All other subcontractors are contractually obligated to follow data protection standards equivalent to our own.
- How does CSS ensure subcontractors comply with Microsoft’s data protection requirements?
We require subcontractors, regardless of their role, to join Microsoft’s Vendor Privacy Assurance Program (“VPA”) which obligates subcontractors to comply with Microsoft security and privacy requirements with respect to any customer data that they collect, store, or process on Microsoft’s behalf. As part of the VPA Program, subcontractors must conduct an annual audit of their security and privacy controls, and must also undergo regular privacy training.