Transparency

You have visibility into our practices

Microsoft believes that you have a right to as much information as possible about how we handle your customer data in the cloud.

We provide you with clear explanations about where your data is stored and how we help secure it, as well as who can access it and under what circumstances. And you don’t have to take our word for it. You can review a wide range of evidence, including independent audit reports and certifications for most of our business cloud services, to confirm that we meet the standards we set.

How we work to secure your data

With decades of experience in building enterprise software and running some of the largest online services in the world, Microsoft implements and continuously improves security-aware software development, operations, and threat mitigation practices that are essential to the strong protection of the Microsoft services you use and your data in the cloud.

We build security into Microsoft business products and cloud services from the ground up, starting with the Security Development Lifecycle, a process that Microsoft has made publicly available since 2004. This mandatory development process embeds security requirements into the entire software lifecycle, from planning through deployment.

In addition, you have access to information about the wide range of technologies we use to help secure your data, including identity and access management, expanded use of encryption, threat management, and physical datacenter security measures.

Where your data is stored

The Online Services Terms, our business cloud service agreement, delineates the data protection policies and practices that govern the location and use of customer data. The straightforward language of the Microsoft Online Services Privacy Statement or Microsoft Privacy Statement (as applicable) reinforces this agreement.

Microsoft business customers know where their customer data is stored and the location of our datacenters around the world. Each of our business cloud services has specific data residency and transfer policies:

How we manage your data

  • Microsoft does not use customer data for advertising—we do not share it with our advertiser-supported services or mine it for marketing. This policy was reaffirmed by the adoption of the first international code of practice for cloud privacy, ISO/IEC 27018, by many of our services.
  • We use customer data only for purposes that are compatible with providing services like troubleshooting or improving features (such as protection from malware).
  • If you end your subscription to a service (other than free trials), you can extract your customer data before you leave. Strict standards and specific processes then govern how we remove cloud customer data from systems under Microsoft control.

The information in this section does not apply to Microsoft Cognitive Services.

Who can access your data and on what terms

You have access to information about the strong measures we take to protect your customer data from inappropriate access or unauthorized use. These operational processes and controls are backed by the Online Services Terms, which offer contractual commitments that govern access to your customer data.

  • Microsoft engineers do not have default access to your customer data in the cloud. Instead, they are granted access, under management oversight, only when necessary. That access is carefully controlled and logged, and revoked as soon as it is no longer needed.
  • Microsoft may hire other companies to provide limited services on its behalf. Subcontractors may access customer data only to deliver the services we have hired them to provide, and they are prohibited from using it for any other purpose.

Of course, you can always access your own customer data at any time and for any reason.

The information in this section does not apply to Microsoft Cognitive Services.

How we respond to government requests for your data

When a government or law enforcement entity makes a lawful demand for customer data from Microsoft, we limit what we disclose as part of our commitment to transparency.

  • Microsoft does not give any third party (including law enforcement, government entities, or civil litigant) direct or unfettered access to customer data, unless directed by you.
  • When we receive a government or law enforcement request for customer data:
    • We always attempt to redirect that request to our customer. We also promptly notify the customer of any such request and give them a copy, unless legally prohibited from doing so.
    • For valid requests that we are unable to redirect to the customer, we disclose information only when we are legally compelled to do so, and provide only the data specified in the legal order.

To help you evaluate those requests, we publish a semiannual Law Enforcement Requests Report on the Microsoft Transparency Hub. The report includes the number of demands we received, and discloses how many demands we complied with and whether we provided content or non-content data.

Microsoft Government Security Program

Microsoft’s Government Security Program (GSP) builds trust through transparency. The GSP provides participants with the confidential security information and resources they need to trust Microsoft’s products and services. GSP participants currently include over 40 countries and international organizations represented by more than 70 agencies. Participation enables controlled access to source code, exchange of threat and vulnerability information, engaging on technical content about Microsoft’s products and services and access to five globally-distributed Transparency Centers, which are located in the United States, Belgium, Singapore, Brazil, and China.

How we help you meet compliance requirements

Microsoft services meet many key international, regional, and industry-specific compliance standards. Rigorous third-party audits, such as those conducted by BSI and Deloitte, provide independent validation of Microsoft adherence to the strict requirements these standards mandate.

Many of these certifications and attestations are publicly available, and copies of many auditors’ reports are free to customers and trial customers of Azure, Dynamics 365, and Office 365 through the Service Trust Portal. You can use the portal to request audit reports so that your auditors can compare Microsoft cloud services results with your own legal and regulatory requirements.

Contact Trust Center

Need help evaluating our products? Can’t find the information you need?

Looking for general technical support?

Contact Microsoft support