Data protection and privacy
At Microsoft, we value, protect, and defend data privacy. We believe in transparency, so that people and organizations can control their data and have meaningful choices in how it's used. We empower and defend the data privacy choices of every person who uses our products and services.
You control your data
Our time-tested approach to data privacy is grounded in our commitment to give you control over the data you put in the cloud. In other words, you control your data. Microsoft guarantees this with the contractual commitments we make to you.
Your data belongs to you
Your data is your business, and you may access, modify, or delete it at any time. Microsoft will not use your data without your agreement, and when we have your agreement, we will use your data to provide only the services you have chosen.
Stay protected by privacy laws
Your control over your data is reinforced by Microsoft compliance with broadly applicable privacy laws, such as GDPR, and with privacy standards. These standards include the world’s first international code of practice for cloud privacy, ISO/IEC 27018.
Independent audit reports
You have access to independent audit reports of our compliance with privacy standards. These audit reports also help you meet your own privacy obligations.
Data processing only with consent
We only process your data based on your agreement and in accordance with the strict policies and procedures that we have contractually agreed to. We don’t share your data with advertiser-supported services or mine it for any purposes, such as marketing research or advertising.
Data restrictions for subcontractors
Subcontractors or subprocessors deployed by Microsoft to perform work that requires access to your data can perform only the functions they were hired to provide. They’re bound by the same contractual privacy commitments that Microsoft makes to you. The Microsoft Online Services Subprocessor List identifies authorized subprocessors who have been audited in advance against a stringent set of security and privacy requirements.
Know where your data is located and how it’s used
When you use Microsoft commercial cloud services, we’ll help you choose the service and data location that’s right for your business.
Choose a datacenter
Use the tools and options available with Microsoft online services such as Microsoft Azure, Microsoft Dynamics 365 and Power Platform, and Microsoft 365 to determine where you want to store your data.
Choose where your data resides
Microsoft offers data residency around the world, helping to ensure that resiliency and compliance requirements can be honored within geographic boundaries. We back these capabilities with contractual commitments and transparency regarding how we store and process your data.
We secure your data at rest and in transit
With advanced encryption, Microsoft helps protect your data both at rest and in transit. Our encryption protocols erect barriers against unauthorized access to the data, including two or more independent encryption layers to safeguard against compromises of any one layer.
Data at rest
The Microsoft Cloud employs a wide range of encryption capabilities up to AES-256, giving you the flexibility to choose the solution that’s best for your business.
Data in transit
Microsoft uses and enables the use of industry-standard encrypted transport protocols, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec).
All Microsoft-managed encryption keys are properly secured, and we offer technologies such as Azure Key Vault to help you control access to passwords, encryption keys, and other secrets.
We defend your data
Microsoft defends your data through clearly defined and well-established response policies and processes, strong contractual commitments, and if necessary, the courts. We believe all government requests for your data should be addressed to you. We don’t give any government direct or unfettered access to customer data.
How we respond to data requests
We will not disclose data to a government or law enforcement agency, except as you direct or where required by law. Microsoft scrutinizes all government demands to ensure they are legally valid and appropriate.
How we handle law enforcement requests
If Microsoft receives a request for your data, we will promptly notify you and provide a copy of the request unless legally prohibited from doing so. Moreover, we will direct the requesting party to seek the data directly from you.
Our contractual commitments
Our contractual commitments to our enterprise and public sector customers include defending your data, which builds on our existing protections. We will challenge every government request for commercial and public sector customer data where we can lawfully do so. We have a proven track record of successfully challenging government demands in the courts when those demands are inconsistent with the rule of law, and we are transparent about the number of US national security orders we receive.
We stand behind the strength of our GDPR compliance and other data protection safeguards. To provide added reassurance against liability for our commercial and public sector customers, we will provide monetary compensation if we disclose their data in response to a government request in violation of the EU’s GDPR.
Our promise to you
We are transparent about the specific policies, operational practices, and technologies that help ensure the privacy of your data in every Microsoft commercial cloud service.
And we don’t just state these promises—we guarantee them in our standard contracts for commercial and public sector customers.