Microsoft Dynamics 365 is the next generation of intelligent business applications that enable your organization to grow,
evolve, and transform to meet the needs of your customers and capture new opportunities. It joins our current customer
relationship management (CRM) and enterprise resource planning (ERP) cloud services into a single service with new purpose-built
apps to help manage specific business functions.
Software Development Lifecycle. Dynamics 365 is built using the Security Development Lifecycle, a mandatory
Microsoft process that embeds security requirements into every phase of the development process.
Identity and access management. Azure Active Directory helps protect Dynamics 365 from unauthorized
access by simplifying the management of users and groups and enabling you to assign and revoke privileges easily.
Encryption. Microsoft uses encryption technology to protect your data while at rest in a Microsoft
database and when it travels between user devices and our datacenters.
Increase network security and defend against threats. Dynamics 365 production environments are monitored
to help protect against online threats using distributed denial-of-service (DDoS) attack prevention and regular penetration
testing to help validate security controls. At the interface with the public network, Microsoft uses special-purpose
security devices for firewall, NAT, and IP filtering functions.
If you ever choose to leave the service, you can take your data with you.
Microsoft is the custodian or processor of your data
We use your data only for purposes consistent with providing the services to which you subscribe.
If a government approaches us for access to your data, we redirect the inquiry to you, the customer, whenever possible.
We have challenged and will challenge in court any invalid legal demand that prohibits disclosure of a government
request for customer data.
Privacy controls help you configure who in your organization has access to the service and what they can access.
We prevent mingling of your data with that of other organizations.
Compliance responsibilities. Microsoft complies with leading data protection and privacy laws applicable
to cloud services, and our compliance with world-class industry standards is verified by third parties. This enables
Dynamics 365 to help customers comply with the national, regional, and industry-specific laws and regulations unique
Compliance framework. We offer a comprehensive framework to help you comply with your specific requirements.
Dynamics 365 meets many international and industry-specific compliance standards including ISO/IEC 27001, ISO/IEC 27018,
FedRAMP (for Dynamics 365 U.S. Government), and SOC 1 and SOC 2 Type 2 Reports.
Compliance availability. As an ERP system, Dynamics 365 for Operations includes features and functionality
designed to help organizations meet specific tax, accounting, or financial reporting requirements. Get the details
Product availability, localization, and translation guide.
We are accountable to you. If you have requested notifications, we will notify you about changes in
our service operations. As an administrator, you will receive service and compliance notifications regarding datacenter
location changes, in addition to security, privacy, and audit information.
Microsoft Azure has passed the audit for the Content Delivery and Security Association Content Protection and Security
standard for compliance with antipiracy procedures governing digital media.
Canadian Privacy Laws
Microsoft Azure has implemented technical and organizational security safeguards to help our customers protect individuals’
privacy when they use our cloud service.
Information System Classified Security Protection (DJCP)
Azure and Office 365 operated by 21Vianet have been rated at Level 3 Classification by the evaluation organizations
authorized by the Ministry of Public Security (MPS) for GB/T 22239-2008. Registration certifications are issued to
China GB 18030
Microsoft Azure is certified by the China Electronics Standardization Institute as compliant with GB 18030, the encoding
standard mandated by the Chinese government for the Chinese ideographic character set.
Microsoft Azure operated by 21Vianet adheres to Multi-Level Protection Scheme, a Chinese state cloud security standard issued by the Ministry of Public Security.
Microsoft Azure Government, Microsoft Office 365 U.S. Government, and Microsoft Dynamics 365 U.S. Government adhere
to the CJIS Security Policy, required to access the FBI's Criminal Justice Information Services (CJIS) database through
CS Mark (Gold)
The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS
Gold Mark for all three service classifications: Microsoft Azure for IaaS and PaaS, and Microsoft Office 365 for SaaS.
CSA STAR Attestation
Based on the rigorous independent assessment by a CSA-approved auditor, Microsoft Azure and Microsoft Intune have been awarded Cloud Security Alliance (CSA) STAR Attestation.
CSA STAR Certification
Based on a rigorous assessment by an accredited independent CSA certification body, Microsoft Azure, Microsoft Intune, and Microsoft Power BI have been awarded the Cloud Security Alliance (CSA) STAR Certification at the Gold level.
CSA STAR Self-Assessment
Our Cloud Security Alliance (CSA) STAR Self-Assessment details how Microsoft cloud services fulfill the security, privacy,
compliance, and risk management requirements defined in the CSA Cloud Controls Matrix (CCM) and the Consensus Assessment
Initiative Questionnaire (CAIQ).
Based on FedRAMP authorizations, the Defense Information Systems Agency Cloud Service Support has granted a DoD Impact
Level 4 Provisional Authorization (PA) for one Microsoft enterprise cloud service, and a DoD Impact Level 2 PA for
EU Model Clauses
Microsoft offers European Union Standard Contractual Clauses that provide contractual guarantees around transfers of
personal data. Microsoft was the first cloud service provider to gain approval from the EU’s Article 29 Working Party
for contractual commitments.
EU-U.S. Privacy Shield
Microsoft complies with the EU-U.S. Privacy Shield Framework as set forth and certified to the US Department of Commerce
regarding the collection, use, and retention of personal information transferred from the European Union to the United
FDA CFR Title 21 Part 11
Microsoft helps customers comply with US Food and Drug Administration Code of Federal Regulations Title 21 Part 11,
which details security requirements for the electronic records of companies that sell food and drugs in the United
FedRAMP is mandatory for cloud services used by U.S. federal agencies. Azure maintains a FedRAMP P-ATO at the Moderate
Impact Level, and Azure Government has received a P-ATO at the High Impact Level. Dynamics 365 U.S. Government, Office
365, and Office 365 U.S. Government have received FedRAMP ATOs at the Moderate Impact Level.
Microsoft enterprise cloud services align with the requirements of the Family Educational Rights and Privacy Act, a
US federal law that protects the privacy of students’ education records.
Microsoft certifies that the underlying cryptographic modules used in Microsoft products, including Microsoft enterprise
cloud services, comply with the Federal Information Processing Standard Publication 140-2, a US government standard.
Microsoft Azure and Microsoft Office 365 have been independently assessed as meeting the requirements of the Center for Financial Industry Information Systems Version 8 standard for the security of banking computer systems in Japan.
Microsoft Azure Government and Microsoft Office 365 Government cloud services provide a contractual commitment that
they have the appropriate controls in place to meet the requirements of US Internal Revenue Service Publication 1075.
Microsoft is the first hyperscale cloud service provider to receive the ISO 22301 certification for business continuity
management. An independent certification body, BSI, awarded it to Azure, Azure Government, Intune, and Power BI.
HIPAA / HITECH
Microsoft enterprise cloud services offer customers a Health Insurance Portability and Accountability Act Business Associate
Agreement that stipulates adherence to HIPAA, which regulates patient Protected Health Information in the US.
Microsoft Azure is one of the first hyperscale cloud services to receive certification for the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF). Coalfire, a HITRUST assessor firm, performed the assessment based on Azure’s implementation of security, privacy, and regulatory requirements to protect sensitive information.
Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365 are accredited for the Certified Cloud Services List,
which identifies cloud services that have successfully completed an IRAP assessment by the Australian Signals Directorate.
The ISO/IEC 27001 certificate validates that Microsoft enterprise cloud services have implemented the internationally
recognized information security controls defined in the ISO/IEC 27001 standard.
The ISO/IEC 27017:2015 certificate validates that Microsoft enterprise cloud services have implemented the internationally
recognized code of practice for information security controls based on the ISO/IEC 27002 standard for cloud services.
Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice, which covers privacy protections
for the processing of personal information by cloud service providers.
Azure Government supports customers building ITAR-capable systems on Azure Government.
IT Grundschutz Compliance Workbook
Microsoft Azure Germany has published an IT Grundschutz Compliance Workbook developed by HiSolutions AG. This supports
our clients in achieving their IT Grundschutz certification for solutions on Microsoft Azure Germany.
Microsoft Azure and Microsoft Azure Government comply with the Minimum Acceptable Risk Standards for Exchanges (MARS-E)
for information security regulations for health-based exchanges under the Patient Protection and Affordable Care Act
(ACA) of 2010.
Government of India MeitY
Microsoft is one of the first global cloud service providers to have successfully achieved a Provisional Accreditation
by MeitY (Ministry of Electronics and Information Technology), the governing body under the Ministry of Communications
and IT, Government of India.
The Motion Picture Association of America offers guidance and control frameworks for studio partners to help ensure
the security of digital film assets. Microsoft Azure was the first hyperscale, multitenant cloud service to successfully
complete a formal MPAA assessment.
Microsoft was the first global CSP to receive MTCS 584:2013 certification across all three MTCS service classifications. Certifications were granted at Level 3 for Microsoft Azure services (IaaS and PaaS), Microsoft Dynamics 365 services (SaaS), and Microsoft Office 365 services (SaaS).
Microsoft Azure, Microsoft Azure Government, Dynamics 365 U.S. Government, Office 365 MT, and Office 365 US Government
conform to the requirements set forth in NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations.
NZ CC Framework
The New Zealand Government Chief Information Officer published a cloud computing framework of 100+ questions on the
security, privacy, and sovereignty aspects of cloud services. Microsoft NZ demonstrates how Microsoft addresses these
PCI DSS Level 1 Service Provider
Microsoft Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1, the global certification
standard for organizations that accept most payment cards and store, process, or transmit cardholder data.
SOC 1 & 2 Type 2 Reports
Service Organization Controls (SOC) are a series of accounting standards that measure the control of financial information
for a service organization. Azure’s SOC 1 and SOC 2 Type 2 audit reports attest to the effectiveness of the design
and operation of its security controls.
Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA)
Service Organization Controls 1 standards for design and operational security.
Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA)
Service Organization Controls Type 2 standards for design and operational security.
Microsoft Azure and Microsoft Intune in-scope services have been successfully audited against American Institute of
Certified Public Accountants (AICPA) Service Organization Controls 3 standards for design and operational security.
The UK Crown Commercial Service has renewed the classification of Microsoft’s in-scope cloud services to Government
Cloud v6, covering all four of its offerings at the OFFICIAL level.
Section 508 / VPATs
Microsoft cloud services offer Voluntary Product Accessibility Templates, a standardized form documenting whether a
product meets the accessibility requirements of Section 508, an amendment to the Rehabilitation Act of 1973.
The US Department of Defense Information Assurance Certification and Accreditation Process was replaced with the NIST
800-37 Risk Management Framework and DoD 8510.01. Microsoft Azure demonstrates compliance through its FedRAMP accreditation.
The European Network and Information Security Agency Information Assurance Framework requirements have been mapped to
Microsoft Azure through the CSA CCM. Customers can refer to the CSA CCM response version 3.0.1.
Azure, Azure Government, and Office 365 Government have a Provisional Authority to Operate for FedRAMP, the successor
of the Federal Information Security Management Act for US government cloud solutions.
Microsoft demonstrates the alignment of Microsoft Azure with the Shared Assessments Program—a vendor-risk management
toolset—through the CSA CCM version 3.0.1.
Argentina Personal Data Protection Act 25,326
Microsoft Azure, Microsoft Dynamics 365, and Microsoft Office 365 have implemented the security measures in the Argentina Personal Data Protection Act.
Japan My Number Act
The My Number Act assigns a unique number to each resident of Japan. Companies using Microsoft cloud services can be assured that Microsoft does not have standing access to My Number data.
Azure operated by 21Vianet in China has passed the Trusted Cloud Service certification developed by the Data Center
Alliance and tested by the China Academy of Information and Communications Technology.
The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on
physical and digital security to protect against theft of intellectual property. Microsoft Azure was the first multitenant
public cloud to achieve FACT certification.
Spain's Esquema Nacional de Seguridad (National Security Framework) provides ICT security guidance to public administrations
and cloud service providers (CSPs). Microsoft was the first hyperscale CSP to receive this ENS certification—for Microsoft
Azure and Microsoft Office 365.
Customers can use Azure, Azure Government, and Office 365 for applications that have requirements under Good Clinical,
Laboratory and Manufacturing Practices (GxP) and US Food and Drug Administration CFR Title 21 Part 11.