Who can access your data and on what terms

Microsoft operations and support personnel are located around the globe to help ensure that appropriate personnel are available 24 hours a day, 365 days a year. We have automated a majority of our service operations so that only a small set requires human interaction.

Microsoft engineers do not have default access to cloud customer data. Instead, they are granted access, under management oversight, only when necessary.

Microsoft personnel will use customer data only for purposes compatible with providing you the contracted services, such as troubleshooting and improving features, such as protection from malware.

Microsoft’s business cloud services process various categories of data, including customer data and personal data. Where Microsoft hires a subcontractor to perform work that may require access to such data, they are considered a subprocessor. Microsoft discloses these subprocessors below.

Subprocessors may access data only to deliver the online services Microsoft has hired them to provide and are prohibited from using data for any other purpose. They are required to maintain the confidentiality of this data and are contractually obligated to meet strict privacy requirements that are equivalent to or stronger than the contractual commitments Microsoft makes to its customers. Subprocessors are also required to meet EU General Data Protection Regulation (GDPR) requirements, including those related to employing appropriate technical and organizational measures to protect personal data.

Microsoft requires subprocessors to join the Microsoft Supplier Security and Privacy Assurance Program. This program is designed to standardize and strengthen data handling practices, and to ensure supplier business processes and systems are consistent with those of Microsoft.

Subprocessors who handle customer data (including personal data therein) are subject to heightened requirements. Subprocessors of customer data must agree to the EU Model Clauses for services for which Microsoft offers its customers the EU Model Clauses.

Subprocessors can perform work in any of the following capacities:

• Subprocessors who provide technologies to power certain Microsoft Core Online Services Subprocessor identified for a specific service may process, store, or otherwise access customer data (including personal data contained therein) in the course of helping to provide that service.
• Subprocessors who provide ancillary services to support Microsoft Online Services Subprocessor may process, store, or otherwise access limited customer data (including personal data contained therein) in the course of providing their ancillary services.
• Subprocessors who provide contract staff Contract staff that work in close coordination with Microsoft employees to help support, operate, and maintain the Microsoft Core Online Services and in the course of doing so may be exposed to customer data (including personal data contained therein). In such cases, customer data still resides only in Microsoft facilities, on Microsoft systems, and subject to Microsoft policies and supervision.   For example, a subprocessor may perform remote troubleshooting on a Microsoft server and in the course of doing so may be exposed to snippets of customer data in a server crash dump log. Activities of these subprocessors are in scope for the applicable third party audits covering Core Online Services.