Trust Center: Security, Privacy and Compliance Information for Office 365 and Microsoft Dynamics CRM Online
Yes. Our Office 365 and Microsoft Dynamics CRM Online customers around the world are subject to many different laws and regulations. Legal requirements in one country or industry may be inconsistent with legal requirements applicable elsewhere. As a provider of global cloud services, we must run our services with common operational practices and features across multiple customers and jurisdictions. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind, and our built-in capabilities help enable compliance with a wide range of regulations and privacy mandates.
However, it is ultimately up to our customers to evaluate our offerings against their own requirements, so they can determine whether our services satisfy their regulatory needs. We are committed to providing our customers detailed information about our cloud services to help them make their own regulatory assessments.
Information on certifications that may assist in regulatory compliance is located in the Security, audits, and certification section.
It is your responsibility to meet the regulatory obligations that apply to you. We provide you with information to help you do so.
We commit to compliance with data protection and privacy laws generally applicable to IT service providers. If you are subject to industry or jurisdictional requirements, you will need to make your own assessment of your ability to comply, but customers in many industries and geographies have found they can use Office 365 and Microsoft Dynamics CRM Online in a manner that remains in compliance with applicable regulations, provided they utilize the services in a manner appropriate to their particular circumstances.
For example, organizations covered by the EU Data Protection Directive should have their own policies, security measures, and training program in place to ensure their personnel do not use Office 365 or Microsoft Dynamics CRM Online services in a way that violates the Directive. For its part, Microsoft will abide by the contractual promises it has made for Office 365 and Microsoft Dynamics CRM Online, thereby helping you remain compliant.
For example, a European Union (EU) customer may store a customer list that includes contact information. Office 365 and Microsoft Dynamics CRM Online have security procedures in place to ensure that Microsoft personnel do not inappropriately access or disclose this information. However, one of the customer’s employees, who is a user of Microsoft Exchange Online, might use the service to send such a customer list to a marketer without appropriate consent. Any resulting violation of EU data protection requirements arising from Office 365 and Microsoft Dynamics CRM Online having followed the direction of the customer—namely, by causing an email to be sent in the ordinary course of providing the services—is the customer's responsibility.
Under the EU Data Protection Directive and our contractual commitments, Office 365 and Microsoft Dynamics CRM Online act as the custodian of your data, essentially a subcontractor (the law calls us the "data processor").
You, the customer, have ownership of your data and the responsibility under the law for making sure that we are following the rules and that it is legal for you to be sending personal data to us (the law calls you the "data controller"). You must determine for your business in your particular situation if you may use our services to process and store your personal data.
Requirements of the EU Data Protection Directive have been accounted for in the design and operation of our services for normal use, and we continually monitor this area for changes relevant to the evolution of the services.
Microsoft is also self-certified under the U.S.–EU Safe Harbor and nearly identical U.S.–Switzerland Safe Harbor programs, as agreed to by the U.S. Department of Commerce and the EU and Switzerland, respectively. As a result, we are obligated to comply with the requirements of the EU Data Protection Directive, and we can legally transfer data outside of the EU to provide Office 365 and Microsoft Dynamics CRM Online services. The Microsoft Safe Harbor certification can be found at http://safeharbor.export.gov/. We understand that some customers need assurances that are more robust than what Safe Harbor self-certification can provide, which is why we are willing to sign the EU Model Clauses (also known as the “Standard Contractual Clauses”) with all customers. For more information on transfer of data outside the EU, see the Data Maps section of the Trust Center.
In some countries, we also adhere to the security requirements for storage of sensitive personal data, as defined by law. If you have concerns because of the rules in your country or the type of data you are storing, or would like more information about the practices and supported features of Office 365 or Microsoft Dynamics CRM Online, and if you are otherwise unable to find that information in the service documentation, you can contact Support. To the extent that it does not weaken our security to reveal helpful information, we will do so in order to help you make your own determination regarding the acceptability of the implementation of Office 365 or Microsoft Dynamics CRM Online against your requirements.
You should read the Compliance common questions and understand that just because Office 365 and Microsoft Dynamics CRM Online support your organization’s compliance with privacy laws, this does not mean that your organization is compliant; there may be additional steps you need to implement, such as putting the right company policies in place and training employees in good privacy practices. Also, depending on your country, there may be additional steps you need to take to comply with local law, such as filing information with your data protection agency.
No, Office 365 and Microsoft Dynamics CRM Online, as data processors, do not register with EU authorities the customer data that we process on behalf of our customers.
We help our customers comply with HIPAA and are willing to sign a HIPAA BAA with all customers. Please see the HIPAA/HITECH FAQ for more information.
Office 365 and Microsoft Dynamics CRM Online help customers comply with the security requirements of GLBA by providing technical and organizational safeguards to help customers maintain security and prevent unauthorized usage.
Microsoft can provide customers, on request, a summary report of a third-party certification by an independent auditor.
Office 365 and Microsoft Dynamics CRM Online do not support the processing, transmitting, or storing of PCI-governed data, such as credit card numbers.
The PCI standard is not applicable to Office 365 or Microsoft Dynamics CRM Online because credit card processing and credit card data storage are not functions offered by Office 365 or Microsoft Dynamics CRM Online. Office 365 and Microsoft Dynamics CRM Online do apply the applicable security policies and controls defined by industry best practices, such as ISO 27001 and others.
Please note, however, that the Office 365 and Microsoft Dynamics CRM Online ordering, billing, and payment systems that handle credit card data are Level One PCI Compliant, and customers can use credit cards to pay for the services with confidence.
Is Office 365 compliant with FERPA?
While an educational institution has many varied obligations under FERPA, Microsoft stipulates the key contractual terms that govern the use and disclosure of education records that may be stored in Office 365, allowing educational institutions to use Office 365 as part of a broader FERPA compliance strategy.
FERPA requires any educational agency or institution that receives funding from the U.S. Department of Education to protect privacy rights of students by safeguarding “education records” from use or disclosure without consent. Department of Education guidance makes clear that email communications are considered education records subject to FERPA and that cloud email providers should be similarly restricted in how they use or disclose information in emails and documents.
FERPA requires that a cloud provider agree that “education records” contained in faculty, staff, and student emails and other electronic documents will be used only for the narrow purpose of providing the cloud service and that such information will not be scanned or used to support and maintain commercial activities such as advertising. Microsoft provides educational institutions with a route to FERPA compliance by agreeing to be deemed a “school official” subject to FERPA with “legitimate educational interests” in the institution’s data, and by agreeing to abide by the limitations and requirements imposed by FERPA on school officials, including agreeing that it will not scan institution emails or documents for advertising purposes.