• Microsoft Dynamics CRM Online

        Your data is in your control

    Microsoft Dynamics CRM Online is a customer relationship management solution with built-in capabilities for enterprise-grade security, privacy and compliance. The Dynamics CRM Online service is based on the following trust principles.


    • Software Development Lifecycle. Dynamics CRM Online is built using the Security Development Lifecycle, a mandatory process that embeds security requirements into every phase of the development process.
    • Encryption. We provide options to protect your data by encryption while it is at rest in Microsoft datacenters and we encrypt all data while it travels between user devices and our datacenters.
    • Identity and access management. Microsoft Azure Active Directory simplifies the management of users and groups, enables you to assign and revoke privileges easily, and helps protect Dynamics CRM Online from unauthorized access.

    Learn more by reading Microsoft Dynamics CRM Online security.

    • You own your data. Your data is not mined for advertising purposes. You can remove your data at any time from Dynamics CRM Online.
    • You are in control of your customer data.  We use your data only for the services mutually agreed upon. Learn here how we use your data.  When governments or law enforcement make a lawful request for customer data from Microsoft, we are committed to transparency and limit what we disclose.
    • Data privacy controls. Dynamics CRM Online keeps your customer data separate from that of other customers. We provision you with your own database to maximize the security and integrity of your data.

    Learn more by reading the Microsoft Online Services Privacy Statement.

    • Compliance responsibilities. Microsoft maintains compliance with leading data protection and privacy laws applicable to cloud services. This enables Dynamics CRM Online to help you comply with the national, regional, and industry-specific laws and regulations unique to you. Our compliance with world-class industry standards is verified by third parties.

      Learn more about regulatory compliance.

    • Compliance framework. We offer a comprehensive framework to help you comply with your specific requirements. Dynamics CRM Online meets many international and industry-specific compliance standards including ISO/IEC 27001, ISO/IEC 27018, FedRAMP (for Dynamics CRM Online for Government), and SOC 1 and SOC 2 Type 2 Reports.

      Learn more about compliance.

    • Data location and access. You know where your data is stored and how we determine data location. We are transparent about who can access your customer data and under what conditions.

      Learn more about administrative access to your data.

    • We are accountable to you. We will notify you (if you have requested notifications) about changes in our service operations. As an administrator, you will receive service and compliance notifications regarding datacenter location changes, in addition to security, privacy, and audit information.

    Certifications


    CDSA

    Microsoft Azure has passed the audit for the Content Delivery and Security Association Content Protection and Security standard for compliance with antipiracy procedures governing digital media.


    Canadian Privacy Laws

    Microsoft Azure has implemented technical and organizational security safeguards to help our customers protect individuals’ privacy when they use our cloud service.


    China GB 18030

    Microsoft Azure is certified by the China Electronics Standardization Institute as compliant with GB 18030, the encoding standard mandated by the Chinese government for the Chinese ideographic character set. Learn more (Chinese)


    China MLPS

    Microsoft Azure operated by 21Vianet adheres to the Multi-Level Protection Scheme, a Chinese state cloud security standard issued by the Ministry of Public Security. Learn more (Chinese)


    CJIS

    Microsoft Azure Government, Microsoft Office 365 U.S. Government, and Microsoft Dynamics CRM Online Government adhere to the CJIS Security Policy, required to access the FBI's Criminal Justice Information Services (CJIS) database through the cloud.


    CSA CCM

    Our Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) response details how Microsoft cloud services fulfill the security, privacy, compliance, and risk management requirements defined in the CSA CCM version 3.0.1.


    CS Mark (Gold)

    The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Microsoft Azure for IaaS and PaaS, and Microsoft Office 365 for SaaS.


    DISA

    Based on FedRAMP authorizations, the Defense Information Systems Agency Cloud Service Support has granted an Impact Level 4 Provisional Authorization (PA) for one Microsoft enterprise cloud service, and an Impact Level 2 PA for others.


    EU Model Clauses

    Microsoft offers European Union Standard Contractual Clauses that provide contractual guarantees around transfers of personal data. Microsoft was the first cloud service provider to gain approval from the EU’s Article 29 Working Party for contractual commitments.


    FDA 21 CFR Part 11

    Microsoft Azure complies with the US Food and Drug Administration Code of Federal Regulations Title 21 Part 11, which details security requirements for the electronic records of companies that sell food and drugs in the US.


    FedRAMP

    FedRAMP is mandatory for cloud services used by U.S. federal agencies. Azure maintains a FedRAMP P-ATO at the Moderate Impact Level, and Azure Government has received a P-ATO at the High Impact Level. Dynamics CRM Online Government and Office 365 U.S. Government have received FedRAMP ATOs at the Moderate Impact Level.


    FERPA

    Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 comply with the Family Educational Rights and Privacy Act, a US federal law that protects the privacy of students’ education records.


    FIPS 140-2

    Microsoft certifies that the underlying cryptographic modules used in Microsoft products, including Microsoft enterprise cloud services, comply with the Federal Information Processing Standard Publication 140-2, a US government standard.


    FISC

    Microsoft Azure and Microsoft Office 365 have been independently assessed as meeting the requirements for the Center for Financial Industry Information Systems Version 8 standard security for banking computer systems in Japan.


    IRS 1075

    Microsoft Azure Government and Microsoft Office 365 Government cloud services provide a contractual commitment that they have the appropriate controls in place to meet the requirements of US Internal Revenue Service Publication 1075.


    HIPAA / HITECH

    Microsoft enterprise cloud services offer customers a Health Insurance Portability and Accountability Act Business Associate Agreement that stipulates adherence to HIPAA, which regulates patient Protected Health Information in the US.


    CCSL (IRAP)

    Microsoft Azure and Microsoft Office 365 are accredited for the Certified Cloud Services List, which identifies cloud services that have successfully completed an IRAP assessment by the Australian Signals Directorate.


    ISO/IEC 27001

    The ISO/IEC 27001 certificate validates that Microsoft enterprise cloud services have implemented the internationally recognized information security controls defined in the ISO/IEC 27001 standard.


    ISO/IEC 27017

    The ISO/IEC 27017 certificate validates that Microsoft Azure has implemented the internationally recognized information technology – security techniques – code of practice for information security controls based on the ISO/IEC 27002 standard for cloud services.


    ISO/IEC 27018

    Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice, which covers privacy protections for the processing of personal information by cloud service providers.


    ITAR

    Azure Government supports customers building ITAR-capable systems on Azure Government.


    MPAA

    The Motion Picture Association of America offers guidance and control frameworks for studio partners to help ensure the security of digital film assets. Microsoft Azure was the first hyperscale, multitenant cloud service to successfully complete a formal MPAA assessment.


    MTCS

    Microsoft was the first global CSP to receive MTCS 584:2013 certification across all three MTCS security levels. Furthermore, Microsoft Azure services (IaaS and PaaS) and Microsoft Office 365 services (SaaS) were certified at Level 3 and Microsoft Dynamics CRM Online services (SaaS) were certified at Level 2.


    NIST 800-171

    Microsoft Azure, Microsoft Azure Government, Dynamics CRM Online Government, Office 365 MT, and Office 365 US Government conform to the requirements set forth in NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.


    NZ CC Framework

    The New Zealand Government Chief Information Officer published a cloud computing framework of 100+ questions on the security, privacy, and sovereignty aspects of cloud services. Microsoft NZ demonstrates how Microsoft addresses these questions.


    PCI DSS Level 1 Service Provider

    Microsoft Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1, the global certification standard for organizations that accept most payment cards and store, process, or transmit cardholder data.


    SOC 1 & 2 Type 2 Reports

    Service Organization Controls (SOC) are a series of accounting standards that measure the control of financial information for a service organization. Azure’s SOC 1 and SOC 2 Type 2 audit reports attest to the effectiveness of the design and operation of its security controls.


    SOC 1

    Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls 1 standards for design and operational security.


    SOC 2

    Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls Type 2 standards for design and operational security.


    SOC 3

    Microsoft Azure and Microsoft Intune in-scope services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls 3 standards for design and operational security.


    UK G-Cloud

    The UK Crown Commercial Service has renewed the classification of Microsoft’s in-scope cloud services to Government Cloud v6, covering all four of its offerings at the OFFICIAL level.


    Section 508 / VPATs

    Microsoft cloud services offer Voluntary Product Accessibility Templates, a standardized form documenting whether a product meets the accessibility requirements of Section 508, an amendment to the Rehabilitation Act of 1973.


    DIACAP

    The US Department of Defense Information Assurance Certification and Accreditation Process was replaced with the NIST 800-37 Risk Management Framework and DoD 8510.01. Microsoft Azure demonstrates compliance through its FedRAMP accreditation.


    ENISA IAF

    The European Network and Information Security Agency Information Assurance Framework requirements have been mapped to Microsoft Azure through the CSA CCM. Customers can refer to the CSA CCM response version 3.0.1.


    FISMA

    Azure, Azure Government, and Office 365 Government have a Provisional Authority to Operate for FedRAMP, the successor of the Federal Information Security Management Act for US government cloud solutions.


    SHARED ASSESSMENTS

    Microsoft demonstrates the alignment of Microsoft Azure with the Shared Assessments Program—a vendor-risk management toolset—through the CSA CCM version 3.0.1.


    Argentina Personal Data Protection Act 25,326

    Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 have implemented the security measures in the Argentina Personal Data Protection Act. Learn more (Spanish)


    Japan My Number Act

    The My Number Act assigns a unique number to each resident of Japan. Companies using Microsoft cloud services can be assured that Microsoft does not have standing access to My Number data. Learn more (Japanese) Learn more (English)


    China TRUCS

    Azure operated by 21Vianet in China has passed the Trusted Cloud Service certification developed by the Data Center Alliance and tested by the China Academy of Information and Communications Technology. Learn more (Chinese)


    FACT

    The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on physical and digital security to protect against theft of intellectual property. Microsoft Azure was the first multitenant public cloud to achieve FACT certification.


    ENS Spain

    Spain's Esquema Nacional de Seguridad (National Security Framework) provides ICT security guidance to public administrations and cloud service providers (CSPs). Microsoft was the first hyperscale CSP to receive this ENS certification—for Microsoft Azure and Microsoft Office 365.


    GxP

    Customers can use Azure, Azure Government, and Office 365 for applications that have requirements under Good Clinical, Laboratory and Manufacturing Practices (GxP) and regulations enforced by the US Food and Drug Administration (FDA) under 21 CFR Part 11.


    Update March 1, 2016:

    Microsoft Dynamics Marketing has achieved ISO 27001 (BSI Certificate) and ISO 27018 (BSI Certificate) certifications.  Additionally, Microsoft can now offer Microsoft Dynamics Marketing under the European Union Model Clauses.