Data management at Microsoft

How we manage and protect customer data

Where your data is located

As a customer of Microsoft business services, you know where your data is stored.

It is particularly important for customers who operate in highly regulated industries, or in countries with data protection laws, to know the geographic location of the data that they have entrusted to a Microsoft cloud service. Microsoft also understands that some customers must maintain their data in a specific geographic location, such as within the European Union (EU). To that end, Microsoft maintains an ever-expanding network of datacenters around the globe, and verifies that each datacenter meets stringent security requirements.

  • Customer data may be replicated within a selected geographic area for enhanced data durability in case of a major datacenter disaster, and in some cases, will not be replicated outside it.
  • Microsoft also complies with international data protection laws regarding transfers of customer data across borders. For example:
    • To allow for the continuous flow of information required by international business (including the cross-border transfer of personal data), many Microsoft business cloud services offer customers EU Standard Contractual Clauses that provide additional contractual guarantees around transfers of personal data for in-scope cloud services. Our implementation of the EU Model Clauses has been validated by EU data protection authorities as being in line with the rigorous privacy standards that regulate international data transfers by companies operating in its member states.
    • In addition to our commitments under the Standard Contractual Clauses and other model contracts, Microsoft is certified to the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU to the United States. Microsoft participation in the Privacy Shield applies to all personal data that is subject to the Microsoft Privacy Statement and is received from the EU, European Economic Area, and Switzerland. Microsoft also abides by Swiss data protection law regarding the processing of personal data from the European Economic Area and Switzerland.
    • Microsoft will not transfer to any third party (not even for storage purposes) data that you provide to Microsoft through the use of our business cloud services that are covered under the Microsoft Online Services Terms.

Note that no matter where customer data is stored, Microsoft does not control or limit the locations from which customers or their end users may access their data.

The information on this page applies to Windows Defender Advanced Threat Protection but does not apply to other Windows services.

Cloud service data residency and transfer policies

Here are details on data residency and transfer policies specific to Microsoft cloud services:

Recommended Resources