Microsoft believes that for you to control your customer data in the cloud, you need to understand as much as possible about how that data is handled.

    You need to know, through clearly stated and readily available policies and procedures, where your customer data is stored and how we help secure it, as well as who can access it and under what circumstances. And you don’t have to take our word for it: you can review a wide range of evidence, including third-party audit reports and certifications for most of our services, to verify that we meet the standards we set in Microsoft business cloud services.

    You know what we do to help secure your data

    Microsoft builds on its decades-long experience in building enterprise software and running some of the largest online services in the world to create a robust set of security technologies and practices that provide strong protection for Microsoft software, services, and data.

    We start by building security into software code using the Security Development Lifecycle, a process that Microsoft has made publicly available since 2004. This company-wide, mandatory development process embeds security requirements into the entire software lifecycle, from planning through deployment.

    We build on that foundation with the Operational Security Assurance framework, which helps ensure that ongoing operational activities follow rigorous security guidelines, and validates that those guidelines are followed effectively. In addition, we use a wide range of mechanisms to help secure your data—identity and access management, encryption, secure infrastructure, threat management, and physical datacenter security. Microsoft engages in ongoing cooperation with the industry in openly sharing security information and best practices.

    Learn more about how Microsoft secures your data in our products and services.

    You know where your data is stored and how we manage it

    Our business cloud service agreement, Online Services Terms, delineates the data protection policies and practices that govern the location and use of customer data. The clear, straightforward language of the Microsoft Online Services Privacy Statement reinforces this agreement.

    • Microsoft business customers know the location, in our datacenters around the globe, where their customer data is stored. Each Microsoft service has its own location policies for customer data. Look below for the details of Microsoft data residency and transfer policies specific to these cloud services:

    • Microsoft does not use customer data for advertising—we do not share it with our advertiser-supported services or mine it for marketing. This policy was reaffirmed by the adoption by many of our services of the first international code of practice for cloud privacy, ISO/IEC 27018.

    • We use customer data only for purposes compatible with providing services like troubleshooting or improving features (such as protection from malware).

    • If you end your subscription to a service (other than free trials), you can extract your customer data before you leave. Once your subscription is ended, Microsoft is governed by strict standards and follows specific processes for removing cloud customer data from systems under our control.

    Learn more about how we manage your data.

    You know who can access your data and on what terms

    We take strong measures to protect your customer data from inappropriate access or use by unauthorized persons. These operational processes and controls are backed by the Online Services Terms, which offer contractual commitments that govern access to your customer data.

    • Microsoft engineers do not have default access to your customer data in the cloud. Instead, they are granted access, under management oversight, only when necessary. That access is carefully controlled and logged, and revoked as soon as it is no longer needed.
    • Microsoft may hire other companies to provide limited services on its behalf. Subcontractors may access customer data only to deliver the services we have hired them to provide, and they are prohibited from using it for any other purpose. Further, they are contractually bound to maintain the confidentiality of our customers’ information.

    Business services with audited certifications such as ISO/IEC 27001 are regularly verified by Microsoft and accredited audit firms, which perform sample audits to attest that access is only for legitimate business purposes. Of course, you can always access your own customer data at any time and for any reason.

    Learn more about how we access your data and under what conditions.

    We are transparent about how we respond to government requests for your data

    When a government or law enforcement makes a lawful demand for customer data from Microsoft, we are committed to transparency and limit what we disclose.

    • Microsoft does not give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct.
    • When we receive a government or law enforcement request for customer data:
      • We always attempt to redirect that request to our customer. We also promptly notify the customer of any such request and give them a copy, unless legally prohibited from doing so.
      • For valid requests that we are not able to redirect to the customer, we disclose information only when we are legally compelled to do so, and provide only the data specified in the legal order.

    In our commitment to transparency, we have launched the Microsoft Transparency Hub, which publishes in one place the reports we issue regularly on requests for customer data made by law enforcement, as well as government requests related to US national security.

    Learn more about how we respond to government requests for your data.

    You can review the standards certifications for Microsoft services

    Many Microsoft services meet key international and industry-specific compliance standards, such as ISO/IEC 27001 and ISO/IEC 27018, FedRAMP, and SOC 1 and SOC 2. They also meet regional and country-specific standards and contractual commitments, including the EU Model Clauses, EU-U.S. Privacy Shield, UK G-Cloud, Singapore MTCS, and the CS Mark in Japan. In addition, rigorous third-party audits, such as by the British Standards Institution and Deloitte, provide independent validation of Microsoft adherence to the strict requirements these standards mandate.

    Many of these certifications and attestations are publicly available, and copies of many auditors’ reports are free to customers and trial customers of Azure, Dynamics 365, and Office 365 through the Service Trust Portal. You can use the portal to request audit reports so that your auditors can compare Microsoft's cloud services results with your own legal and regulatory requirements.

    Learn more about our industry-verified conformity with global standards.