Data management at Microsoft

How we manage and protect customer data

How we manage your data

With Microsoft, you are the owner of your customer data.

Microsoft will use your customer data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services. We do not share your data with our advertiser-supported services, nor do we mine it for marketing or advertising. If you leave the service, we take the necessary steps to ensure the continued ownership of your data.

The information on this page applies to Windows Defender Advanced Threat Protection but does not apply to other Windows services and to Bing Search Services.

Your data is your business. Microsoft does not share business customer data with our advertiser-supported services, nor do we mine it for marketing or advertising. This policy is backed by our agreements and reaffirmed by the adoption by many Microsoft services of the world’s first international code of practice for cloud privacy, ISO/IEC 27018.

We use customer data only to provide you the service and for compatible purposes including day-to-day operations and the following:

  • Troubleshooting, which is aimed at preventing, detecting, and repairing problems affecting the operation of services.
  • Ongoing improvement of features, such as increasing those that improve the reliability of our services or involve detection of, and protection against, threats to the services or customer data (for example, malware or spam).
  • Providing personalized customer experiences.

Microsoft is governed by strict standards and follows specific processes for removing cloud customer data from systems under our control, overwriting storage resources before reuse, and purging or destroying decommissioned hardware.

Data retention

In our Online Services Terms, Microsoft contractually commits to specific processes when a customer leaves a cloud service or the subscription expires. This includes deleting customer data from systems under our control.

  • If you terminate a cloud subscription or it expires (except for free trials), Microsoft will store your customer data in a limited-function account for 90 days (the “retention period”) to give you time to extract the data or renew your subscription. During this period, Microsoft provides multiple notices, so you will be amply forewarned of the upcoming deletion of data.
  • After this 90-day retention period, Microsoft will disable the account and delete the customer data, including any cached or backup copies. For in-scope services, that deletion will occur within 90 days after the end of the retention period. (In-scope services are defined in the Data Processing Terms section of our Online Services Terms.)

When customer data is hosted in the multitenant environments of Microsoft business cloud services, we take careful measures to logically separate customer data. This helps prevent one customer’s data from leaking into that of another customer, which also helps to block any customer from accessing another customer’s deleted data.

Review additional details for each service:

Data deletion on physical storage devices

  • If a disk drive used for storage suffers a hardware failure, it is securely erased or destroyed before Microsoft returns it to the manufacturer for replacement or repair. The data on the drive is completely overwritten to ensure that the data cannot be recovered by any means.
  • When such devices are decommissioned, they are purged or destroyed according to NIST 800-88 Guidelines for Media Sanitation.

Recommended Resources