Microsoft believes that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled.
You need to know, through clearly stated and readily available policies and procedures, where your customer data is stored and how we help secure it, as well as who can access it and under what circumstances. And you don’t have to take our word for it: you can review a wide range of evidence, including third-party audit reports and certifications for most of our services, to verify that we meet the standards we set in Microsoft business cloud services.
Microsoft builds on its decades-long experience in building enterprise software and running some of the largest online services in the world to create a robust set of security technologies and practices that provide strong protection for Microsoft software, services, and data.
We start by building security into software code using the Security Development Lifecycle, a process that Microsoft has made publicly available since 2004. This company-wide, mandatory development process embeds security requirements into the entire software lifecycle, from planning through deployment.
We build on that foundation with the Operational Security Assurance framework, which helps ensure that ongoing operational activities follow rigorous security guidelines, and validates that those guidelines are followed effectively. In addition, we use a wide range of mechanisms to help secure your data—identity and access management, encryption, secure infrastructure, threat management, and physical datacenter security. Microsoft engages in ongoing cooperation with the industry in openly sharing security information and best practices.
Learn more about how Microsoft secures your data in our products and services.
Our business cloud service agreement, Online Services Terms, delineates the data protection policies and practices that govern the location and use of customer data. The clear, straightforward language of the Microsoft Online Services Privacy Statement reinforces this agreement.
Microsoft business customers know the location, in our datacenters around the globe, where their customer data is stored. Each Microsoft service has its own location policies for customer data. Look below for the details of Microsoft data residency and transfer policies specific to these cloud services:
Microsoft does not use customer data for advertising—we do not share it with our advertiser-supported services or mine it for marketing. Many of our services reaffirmed this policy by adopting the first international code of practice for cloud privacy, ISO/IEC 27018.
We use customer data only for purposes compatible with providing services, like troubleshooting or improving features (such as protection from malware).
If you end your subscription to a service (other than free trials), you can extract your customer data before you leave. Once your subscription is ended, Microsoft is governed by strict standards and follows specific processes for removing cloud customer data from systems under our control.
Learn more about how we manage your data.
We take strong measures to protect your customer data from inappropriate access or use by unauthorized persons. These operational processes and controls are backed by the Online Services Terms, which offer contractual commitments that govern access to your customer data.
Business services with audited certifications such as ISO/IEC 27001 are regularly verified by Microsoft and accredited audit firms, which perform sample audits to attest that access is only for legitimate business purposes. Of course, you can always access your own customer data at any time and for any reason.
Learn more about how we access your data and under what conditions.
When a government or law enforcement makes a lawful demand for customer data from Microsoft, we are committed to transparency and limit what we disclose.
In our commitment to transparency, we have launched the Microsoft Transparency Hub, which publishes in one place the reports we issue regularly on requests for customer data made by law enforcement, as well as government requests related to US national security.
Learn more about how we respond to government requests for your data.
Many Microsoft services meet key international and industry-specific compliance standards, such as ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1 and SOC 2. They also meet regional and country-specific standards and contractual commitments, including the EU Model Clauses, EU-U.S. Privacy Shield, UK G-Cloud, Singapore MTCS, and the CS Mark in Japan. In addition, rigorous third-party audits, such as by the British Standards Institution and Deloitte, provide independent validation of Microsoft adherence to the strict requirements these standards mandate.
Many of these certifications and attestations are publicly available, and copies of many auditors’ reports are free to customers and trial customers of Azure, Dynamics 365, and Office 365 through the Service Trust Portal. You can use the portal to request audit reports so that your auditors can compare Microsoft's cloud services results with your own legal and regulatory requirements.
Learn more about our industry-verified conformity with global standards.