Last updated: January 2015
Privacy is one of the foundations of Microsoft’s Trustworthy Computing. Microsoft has a longstanding commitment to privacy, which is an integral part of our product and service lifecycle. We work to be transparent in our privacy practices, offer customers meaningful privacy choices, and manage responsibly the data we store. The Microsoft Privacy Principles, our specific privacy statements, and our internal privacy standards guide how we collect, use, and protect customer data. General information about cloud privacy is available from the Microsoft Privacy website. We also published a white paper Privacy in the Cloud to explain how Microsoft is addressing privacy in the realm of cloud computing.
Microsoft currently operates Intune in data centers around the world. In this section, we address common customer inquiries about access and location of Customer Data.
During the initial sign-up for services, the customer’s administrator creates a tenant account and inputs the customer’s country or region. The customer’s selected geographic area ("geo" and "region") determines the storage for the Customer Data. For example, if the administrator inputs United Kingdom, the Customer Data processed as part of the Intune subscription will be stored in a datacenter located in Europe. Available geos and regions are shown below.
Microsoft will not transfer Customer Data outside the selected geo(s) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where customer configures an account to enable such transfer of Customer Data, including through the use of:
Microsoft does not control or limit the geos from which customers or their end users may access Customer Data.
Your Services’ data may be transferred to, stored and processed in the United States or any other country where Microsoft or its affiliates, subsidiaries or service providers maintain facilities. Microsoft abides by the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Economic Area, and Switzerland.
See also the E.U. Data Protection Directive section below for information on the regulatory framework under which Microsoft transfers data.
The E.U. Data Protection Directive (95/46/EC) sets a baseline for handling personal data in the European Union. The E.U. has stricter privacy rules than the U.S. and most other countries. To allow for the continuous flow of information required by international business (including cross border transfer of personal data), the European Commission reached an agreement with the U.S. Department of Commerce whereby U.S. organizations can self-certify as complying with the Safe Harbor Framework. Microsoft (including, for this purpose, all of our U.S. subsidiaries) is Safe Harbor certified under the U.S. Department of Commerce. In addition to the E.U. Member States, members of the European Economic Area (Iceland, Liechtenstein, and Norway) also recognize organizations certified under the Safe Harbor program as providing adequate privacy protection to justify trans-border transfers from their countries to the U.S. Switzerland has a nearly identical agreement (“Swiss-U.S. Safe Harbor”) with the U.S. Department of Commerce to legitimize transfers from Switzerland to the U.S., to which Microsoft has also certified.
The Safe Harbor certification allows for the legal transfer of E.U. personal data outside E.U. to Microsoft for processing. Under the E.U. Data Protection Directive and our contractual agreement, Microsoft acts as the data processor, whereas the customer is the data controller with the final ownership of the data and responsibility under the law for making sure that data can be legally transferred to Microsoft. It is important to note that Microsoft will transfer E.U. Customer Data outside the E.U. only under very limited circumstances. See the Location of Data section for details.
Microsoft also offers additional contractual commitments to its customers:
Please contact your Microsoft account manager or Microsoft Volume Licensing for details.
All the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the Services. For example, Customer Data includes data that you upload for storage or processing in the Service and applications that you or your end users upload for distribution in the Service.
The information about administrators (including account contact and subscription administrators) provided during sign-up, purchase, or administration of the Services, such as name, address, phone number, and e-mail address.
Includes service side configuration and technical settings and information.
Used to manage access to other types of data or functions within Intune. It includes passwords, security certificates, and other authentication-related data.