Microsoft Dynamics CRM Online is a customer relationship management solution with built-in capabilities for enterprise-grade security,
privacy and compliance. The Dynamics CRM Online service is based on the following trust principles.
Software Development Lifecycle. Dynamics CRM Online is built using the Security Development Lifecycle,
a mandatory process that embeds security requirements into every phase of the development process.
Encryption. We provide options to protect your data by encryption while it is at rest in Microsoft
datacenters and we encrypt all data while it travels between user devices and our datacenters.
Identity and access management. Microsoft Azure Active Directory simplifies the management of users
and groups, enables you to assign and revoke privileges easily, and helps protect Dynamics CRM Online from unauthorized
Learn more by reading Microsoft Dynamics CRM Online security.
You own your data. Your data is not mined for advertising purposes. You can remove your data at any
time from Dynamics CRM Online.
You are in control of your customer data. We use your data only for the services mutually agreed
upon. Learn here how we use your data. When governments or law enforcement make a lawful request for customer data from Microsoft, we
are committed to transparency and limit what we disclose.
Data privacy controls. Dynamics CRM Online keeps your customer data separate from that of other customers.
We provision you with your own database to maximize the security and integrity of your data.
Learn more by reading the Microsoft Online Services Privacy Statement.
Compliance responsibilities. Microsoft maintains compliance with leading data protection and privacy
laws applicable to cloud services. This enables Dynamics CRM Online to help customers comply with the national, regional,
and industry-specific laws and regulations unique to you. Our compliance with world-class industry standards is verified
by third parties.
Compliance framework. We offer a comprehensive framework to help you comply with your specific requirements.
Dynamics CRM Online meets many international and industry-specific compliance standards including ISO/IEC 27001, ISO/IEC
27018, FedRAMP (for Dynamics CRM Online for Government), and SOC 1 and SOC 2 Type 2 Reports.
Data location and access. You know
where your data is stored and how we determine data location. We are transparent about who can access your customer data and under
Learn more about administrative access to your data.
We are accountable to you. We will notify you (if you have requested notifications) about changes
in our service operations. As an administrator, you will receive service and compliance notifications regarding datacenter
location changes, in addition to security, privacy, and audit information.
Microsoft Azure has passed the audit for the Content Delivery and Security Association Content Protection and Security
standard for compliance with antipiracy procedures governing digital media.
Canadian Privacy Laws
Microsoft Azure has implemented technical and organizational security safeguards to help our customers protect individuals’
privacy when they use our cloud service.
China GB 18030
Microsoft Azure is certified by the China Electronics Standardization Institute as compliant with GB 18030, the encoding standard mandated by the Chinese government for the Chinese ideographic character set. Learn more (Chinese)
Microsoft Azure operated by 21Vianet adheres to the Multi-Level Protection Scheme, a Chinese state cloud security standard issued by the Ministry of Public Security. Learn more (Chinese)
Microsoft Azure Government, Microsoft Office 365 U.S. Government, and Microsoft Dynamics CRM Online Government adhere
to the CJIS Security Policy, required to access the FBI's Criminal Justice Information Services (CJIS) database through
Our Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) response details how Microsoft cloud services fulfill
the security, privacy, compliance, and risk management requirements defined in the CSA CCM version 3.0.1.
CS Mark (Gold)
The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS
Gold Mark for all three service classifications: Microsoft Azure for IaaS and PaaS, and Microsoft Office 365 for SaaS.
Based on FedRAMP authorizations, the Defense Information Systems Agency Cloud Service Support has granted an Impact
Level 4 Provisional Authorization (PA) for one Microsoft enterprise cloud service, and an Impact Level 2 PA for others.
EU Model Clauses
Microsoft offers European Union Standard Contractual Clauses that provide contractual guarantees around transfers of
personal data. Microsoft was the first cloud service provider to gain approval from the EU’s Article 29 Working Party
for contractual commitments.
EU-U.S. Privacy Shield
Microsoft complies with the EU-U.S. Privacy Shield Framework as set forth and certified to the US Department of Commerce
regarding the collection, use, and retention of personal information transferred from the European Union to the United
FDA CFR Title 21 Part 11
Microsoft helps customers comply with US Food and Drug Administration Code of Federal Regulations Title 21 Part 11,
which details security requirements for the electronic records of companies that sell food and drugs in the United
FedRAMP is mandatory for cloud services used by U.S. federal agencies. Azure maintains a FedRAMP P-ATO at the Moderate
Impact Level, and Azure Government has received a P-ATO at the High Impact Level. Dynamics CRM Online Government and
Office 365 U.S. Government have received FedRAMP ATOs at the Moderate Impact Level.
Microsoft enterprise cloud services align with the requirements of the Family Educational Rights and Privacy Act, a
US federal law that protects the privacy of students’ education records.
Microsoft certifies that the underlying cryptographic modules used in Microsoft products, including Microsoft enterprise
cloud services, comply with the Federal Information Processing Standard Publication 140-2, a US government standard.
Microsoft Azure and Microsoft Office 365 have been independently assessed as meeting the requirements for the Center
for Financial Industry Information Systems Version 8 standard security for banking computer systems in Japan.
Microsoft Azure Government and Microsoft Office 365 Government cloud services provide a contractual commitment that
they have the appropriate controls in place to meet the requirements of US Internal Revenue Service Publication 1075.
Microsoft is the first hyperscale cloud service provider to receive the ISO 22301 certification for business continuity management. An independent certification body, BSI, awarded it to Azure, Azure Government, Intune, and Power BI.
HIPAA / HITECH
Microsoft enterprise cloud services offer customers a Health Insurance Portability and Accountability Act Business Associate
Agreement that stipulates adherence to HIPAA, which regulates patient Protected Health Information in the US.
Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 are accredited for the Certified Cloud Services
List, which identifies cloud services that have successfully completed an IRAP assessment by the Australian Signals
The ISO/IEC 27001 certificate validates that Microsoft enterprise cloud services have implemented the internationally
recognized information security controls defined in the ISO/IEC 27001 standard.
The ISO/IEC 27017:2015 certificate validates that Microsoft enterprise cloud services have implemented the internationally
recognized code of practice for information security controls based on the ISO/IEC 27002 standard for cloud services.
Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice, which covers privacy protections
for the processing of personal information by cloud service providers.
IT Grundschutz Compliance Workbook
Microsoft Azure Germany has published an IT Grundschutz Compliance Workbook developed by HiSolutions AG. This supports our clients in achieving their IT Grundschutz certification for solutions on Microsoft Azure Germany.
Azure Government supports customers building ITAR-capable systems on Azure Government.
Microsoft Azure and Microsoft Azure Government comply with the Minimum Acceptable Risk Standards for Exchanges (MARS-E)
for information security regulations for health-based exchanges under the Patient Protection and Affordable Care Act
(ACA) of 2010.
The Motion Picture Association of America offers guidance and control frameworks for studio partners to help ensure
the security of digital film assets. Microsoft Azure was the first hyperscale, multitenant cloud service to successfully
complete a formal MPAA assessment.
Microsoft was the first global CSP to receive MTCS 584:2013 certification across all three MTCS security levels. Furthermore,
Microsoft Azure services (IaaS and PaaS) and Microsoft Office 365 services (SaaS) were certified at Level 3 and Microsoft
Dynamics CRM Online services (SaaS) were certified at Level 2.
Microsoft Azure, Microsoft Azure Government, Dynamics CRM Online Government, Office 365 MT, and Office 365 US Government
conform to the requirements set forth in NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations.
NZ CC Framework
The New Zealand Government Chief Information Officer published a cloud computing framework of 100+ questions on the
security, privacy, and sovereignty aspects of cloud services. Microsoft NZ demonstrates how Microsoft addresses these
PCI DSS Level 1 Service Provider
Microsoft Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1, the global certification
standard for organizations that accept most payment cards and store, process, or transmit cardholder data.
SOC 1 & 2 Type 2 Reports
Service Organization Controls (SOC) are a series of accounting standards that measure the control of financial information
for a service organization. Azure’s SOC 1 and SOC 2 Type 2 audit reports attest to the effectiveness of the design
and operation of its security controls.
Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA)
Service Organization Controls 1 standards for design and operational security.
Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA)
Service Organization Controls Type 2 standards for design and operational security.
Microsoft Azure and Microsoft Intune in-scope services have been successfully audited against American Institute of
Certified Public Accountants (AICPA) Service Organization Controls 3 standards for design and operational security.
The UK Crown Commercial Service has renewed the classification of Microsoft’s in-scope cloud services to Government
Cloud v6, covering all four of its offerings at the OFFICIAL level.
Section 508 / VPATs
Microsoft cloud services offer Voluntary Product Accessibility Templates, a standardized form documenting whether a
product meets the accessibility requirements of Section 508, an amendment to the Rehabilitation Act of 1973.
The US Department of Defense Information Assurance Certification and Accreditation Process was replaced with the NIST
800-37 Risk Management Framework and DoD 8510.01. Microsoft Azure demonstrates compliance through its FedRAMP accreditation.
The European Network and Information Security Agency Information Assurance Framework requirements have been mapped to
Microsoft Azure through the CSA CCM. Customers can refer to the CSA CCM response version 3.0.1.
Azure, Azure Government, and Office 365 Government have a Provisional Authority to Operate for FedRAMP, the successor
of the Federal Information Security Management Act for US government cloud solutions.
Microsoft demonstrates the alignment of Microsoft Azure with the Shared Assessments Program—a vendor-risk management
toolset—through the CSA CCM version 3.0.1.
Argentina Personal Data Protection Act 25,326
Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 have implemented the security measures in the Argentina Personal Data Protection Act.
Japan My Number Act
The My Number Act assigns a unique number to each resident of Japan. Companies using Microsoft cloud services can be assured that Microsoft does not have standing access to My Number data. Learn more (Japanese) Learn more (English)
Azure operated by 21Vianet in China has passed the Trusted Cloud Service certification developed by the Data Center Alliance and tested by the China Academy of Information and Communications Technology. Learn more (Chinese)
The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on
physical and digital security to protect against theft of intellectual property. Microsoft Azure was the first multitenant
public cloud to achieve FACT certification.
Spain's Esquema Nacional de Seguridad (National Security Framework) provides ICT security guidance to public administrations
and cloud service providers (CSPs). Microsoft was the first hyperscale CSP to receive this ENS certification—for Microsoft
Azure and Microsoft Office 365.
Customers can use Azure, Azure Government, and Office 365 for applications that have requirements under Good Clinical,
Laboratory and Manufacturing Practices (GxP) and US Food and Drug Administration CFR Title 21 Part 11.