Who can access your data and on what terms

You can access your own customer data at any time, for any reason. However, Microsoft business cloud services take strong measures to help protect data from unauthorized access and inappropriate use.

Who can access your data

Microsoft business cloud services take strong measures to help protect your customer data from inappropriate access or use by unauthorized persons. This includes restricting access by Microsoft personnel and subcontractors, and carefully defining requirements for responding to government requests for customer data. However, you can access your own customer data at any time and for any reason.

Access your customer data anytime

You can access your data anytime during your Microsoft subscription. Azure, Dynamics 365, Intune, and Office 365 subscribers can retrieve data without notification. Keep your data if you end your subscription.


Limited access to customer data

We take strong measures to help protect customer data from inappropriate access or use by unauthorized persons, either external or internal, and to prevent customers from gaining access to one another’s data.

|

The operational processes that govern access to customer data in Microsoft business cloud services are protected by strong controls and authentication, which fall into two categories: physical and logical.


Access to physical datacenter facilities is guarded by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, multifactor access control, integrated alarm systems, and around-the-clock video surveillance by the operations center.

Virtual access to customer data is restricted based on business need by role-based access control, multifactor authentication, minimizing standing access to production data, and other controls. Access to customer data is also strictly logged, and both Microsoft and third parties perform regular audits (as well as sample audits) to attest that any access is appropriate.

In addition, Microsoft uses encryption to safeguard customer data and help you maintain control over it. When data moves over a network—between user devices and Microsoft datacenters or within datacenters themselves—Microsoft products and services use industry-standard secure transport protocols. To help protect data at rest, Microsoft offers a range of built-in encryption capabilities.

 

Most Microsoft business cloud services are multitenant services, meaning that your data, deployments, and virtual machines may be stored on the same physical hardware as that of other customers. Microsoft uses logical isolation to segregate storage and processing for different customers through specialized technology engineered to help ensure that your customer data is not combined with anyone else’s.

 

Business cloud services with audited certifications such as ISO 27001 are regularly verified by Microsoft and accredited audit firms, which perform sample audits to attest that access is only for legitimate business purposes.

Microsoft operations and support personnel are located around the globe to help ensure that appropriate personnel are available 24 hours a day, 365 days a year. We have automated a majority of our service operations so that only a small set requires human interaction.

 

Microsoft engineers do not have default access to cloud customer data. Instead, they are granted access, under management oversight, only when necessary.

 

Microsoft personnel will use customer data only for purposes compatible with providing you the contracted services, such as troubleshooting and improving features, such as protection from malware.

Microsoft’s business cloud services process various categories of data, including customer data and personal data. Where Microsoft hires a subcontractor to perform work that may require access to such data, they are considered a subprocessor. Microsoft discloses these subprocessors below.

 

Subprocessors may access data only to deliver the online services Microsoft has hired them to provide and are prohibited from using data for any other purpose. They are required to maintain the confidentiality of this data and are contractually obligated to meet strict privacy requirements that are equivalent to or stronger than the contractual commitments Microsoft makes to its customers. Subprocessors are also required to meet EU General Data Protection Regulation (GDPR) requirements, including those related to employing appropriate technical and organizational measures to protect personal data.

 

Microsoft requires subprocessors to join the Microsoft Supplier Security and Privacy Assurance Program. This program is designed to standardize and strengthen data handling practices, and to ensure supplier business processes and systems are consistent with those of Microsoft.

 

Subprocessors who handle customer data (including personal data therein) are subject to heightened requirements. Subprocessors of customer data must agree to the EU Model Clauses for services for which Microsoft offers its customers the EU Model Clauses.

 

Subprocessors can perform work in any of the following capacities:

  • Subprocessors who provide technologies to power certain Microsoft Core Online Services Subprocessor identified for a specific service may process, store, or otherwise access customer data (including personal data contained therein) in the course of helping to provide that service.

  • Subprocessors who provide ancillary services to support Microsoft Online Services Subprocessor may process, store, or otherwise access limited customer data (including personal data contained therein) in the course of providing their ancillary services.   

  • Subprocessors who provide contract staf Contract staff that work in close coordination with Microsoft employees to help support, operate, and maintain the Microsoft Core Online Services and in the course of doing so may be exposed to customer data (including personal data contained therein). In such cases, customer data still resides only in Microsoft facilities, on Microsoft systems, and subject to Microsoft policies and supervision. For example, a subprocessor may perform remote troubleshooting on a Microsoft server and in the course of doing so may be exposed to snippets of customer data in a server crash dump log. Activities of these subprocessors are in scope for the applicable third party audits covering Core Online Services.

Microsoft’s contractual commitments to customers define customer data as all the data provided to Microsoft through your use of our business cloud services (see how Microsoft categorizes data). Some customer data is personal data as defined under GDPR. Microsoft also accesses and processes some personal data that is not contained within customer data. Microsoft publishes lists to address both customer data (and the personal data therein) and personal data (not otherwise included in the first list). GDPR requires disclosure of subprocessors with access to personal data.

Microsoft publishes the names of any new subprocessors for its Core Online Services at least six months in advance of their authorization to perform services that may involve access to customer data. Microsoft publishes the names of any new subprocessors for personal data at least 14 days in advance of their authorization to perform services that may involve access to such data.2

 

To receive notifications regarding updates to these Subprocessor lists, please follow the instructions that describe “My library” functionality.

Government requests for customer data

Microsoft ensures there are no “back doors” and no direct or unfettered government access to your data. We impose special requirements for government and law enforcement requests for customer data.

Additional data access resources

Graphic icon of two rectangles stacked with a magnifying glass to represent data and privacy

Microsoft Online Services Privacy Statement

Learn about the personal data Microsoft processes, how we process it, and for what purposes.

Graphic icon with two rectangular shapes representing documents, the one in front with horizontal lines representing information

Microsoft licensing terms and documentation

Access licensing terms, conditions, and supplemental information relevant to the use of products and services licensed through Microsoft Volume Licensing programs.

Graphic icon representing a device screen with symbols representing data

Data collection information

Learn about the kinds of data we collect.

1 The information on this page applies to Windows Defender Advanced Threat Protection but does not apply to other Windows services and to Bing Search Services.
2 Note: For information about how subprocessors are used when Microsoft provides commercial support or other professional services, including in support of online services, please see the Microsoft Professional Services and suppliers section of the Trust Center.