Who can access your data and on what terms
Microsoft business cloud services take strong measures to help protect your customer data from inappropriate access or use by unauthorized persons. This includes restricting access by Microsoft personnel and subcontractors, and carefully defining requirements for responding to government requests for customer data. However, you can access your own customer data at any time and for any reason.
- You can access your customer data at all times
- How we limit access to customer data
- We limit access to your customer data by Microsoft personnel
The information on this page does not apply to Microsoft Cognitive Services and Windows.
You can access your customer data at all times
During the term of your subscription to Microsoft business services, you can access and extract your customer data. Customers of Azure, Dynamics 365, Intune, and Office 365 in-scope services can retrieve a copy of their customer data at any time and for any reason without the need to notify Microsoft or ask for assistance. Also, you can take your customer data with you if you end your subscription.
How we limit access to customer data
We take strong measures to help protect customer data from inappropriate access or use by unauthorized persons, either external or internal, and to prevent customers from gaining access to one another’s data.
- The operational processes that govern access to customer data in Microsoft business cloud services are
protected by strong controls and authentication, which fall into two categories: physical and logical.
- Access to physical datacenter facilities is guarded by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, multifactor access control, integrated alarm systems, and around-the-clock video surveillance by the operations center.
- Virtual access to customer data is restricted based on business need by role-based
access control, multifactor authentication, minimizing standing access to production data, and other
controls. Access to customer data is also strictly logged, and both Microsoft and third parties perform
regular audits (as well as sample audits) to attest that any access is appropriate.
In addition, Microsoft uses encryption to safeguard customer data and help you maintain control over it. When data moves over a network—between user devices and Microsoft datacenters or within datacenters themselves—Microsoft products and services use industry-standard secure transport protocols. To help protect data at rest, Microsoft offers a range of built-in encryption capabilities.
- Most Microsoft business cloud services are multitenant services, meaning that your data, deployments, and virtual machines may be stored on the same physical hardware as that of other customers. Microsoft uses logical isolation to segregate storage and processing for different customers through specialized technology engineered to help ensure that your customer data is not combined with anyone else’s.
- Business cloud services with audited certifications such as ISO 27001 are regularly verified by Microsoft and accredited audit firms, which perform sample audits to attest that access is only for legitimate business purposes.
We limit access to your customer data by Microsoft personnel
Microsoft operations and support personnel are located around the globe to help ensure that appropriate personnel are available 24 hours a day, 365 days a year. We have automated a majority of our service operations so that only a small set requires human interaction.
- Microsoft engineers do not have default access to cloud customer data. Instead, they are granted access, under management oversight, only when necessary.
- Microsoft personnel will use customer data only for purposes compatible with providing you the contracted services, such as troubleshooting and improving features, such as protection from malware.
We limit access to your customer data by subcontractors
Microsoft may hire other companies to provide limited services on its behalf. Subcontractors can access customer data only to deliver the services we have hired them to provide, and are prohibited from using customer data for any other purpose. They are required to maintain the confidentiality of our customers’ information and are contractually obligated to meet our privacy requirements.
To ensure subcontractor accountability, we require all Microsoft vendors who handle customer personal information to join the Microsoft Supplier Security and Privacy Assurance Program. This initiative is designed to standardize and strengthen the handling of customer personal information, and to bring vendor business processes and systems into compliance with those of Microsoft.
- Subcontractors who handle customer data must enter into additional agreements with Microsoft that are as stringent as Microsoft’s own data-protection terms. For example, subcontractors with access to customer data must agree to the EU Model Clauses for services for which Microsoft offers them.
- Subcontractors who work in facilities or on equipment controlled by Microsoft are contractually obligated to follow our privacy standards and undergo regular privacy training. Those who handle Microsoft customer data in their own facilities are required to set up and follow privacy standards equivalent to our own.
Lists of subcontractors who have access to customer data
Microsoft discloses the names of subcontractors who have access to customer data and provides advance notice of new subcontractors.
- The Microsoft Online Services Subcontractor List covers the subcontractors for all the online services offered under the Data Processing Terms section of our Online Services Terms. As detailed in those terms, this includes most services in Azure, Dynamics 365, Intune, Office 365, and Power BI. Microsoft publishes the names of any new subcontractors six months in advance of their authorization to perform services that may involve access to customer data.
- Microsoft Commercial Support Contractors is a separate list that covers the subcontractors used by our global support organization for all Microsoft products, including Microsoft Online Services. These subcontractors have access only to customer data that customers choose to share during their support interactions. New subcontractors will be listed with 14 days’ advance notice.
How we respond to government requests for customer data
In the case of government surveillance, Microsoft has taken steps to ensure that there are no “back doors” and no direct or unfettered government access to your data. We impose carefully defined requirements for government and law enforcement requests for customer data.
- We will not disclose data hosted in Microsoft business services to a government agency unless required by law.
- If we are compelled by law to disclose customer data, we will promptly notify the customer and provide a copy of the request, unless we are legally prohibited from doing so.
- Online Services Terms
- Microsoft Online Services Privacy Statement
- Microsoft and the EU-U.S. Privacy Shield
- Protecting data and privacy in the cloud (page 6, “Protecting data in service operations”)
- The Microsoft approach to cloud transparency
- Microsoft Azure security, privacy, and compliance
- Microsoft Intune privacy and data protection overview
- Data access in Dynamics 365 and Office 365