Privacy & Security Terms
The Privacy & Security Terms were formerly contained in Attachment 1 to the Online Services Terms.
The Data Protection Addendum, or DPA (defined in the Glossary), sets forth the parties' obligations with respect to the processing and security of Customer Data, Professional Services Data, and Personal Data by the Products. The Data Protection Addendum can be downloaded at https://aka.ms/DPA. In the event of any conflict or inconsistency between the DPA and any other terms in Customer’s licensing agreement (including these terms), the DPA shall prevail.
Online Services excluded from the DPA
Except as provided in the Product-Specific Terms, the terms of the DPA do not apply to: Bing Maps Mobile Asset Management Platform, Bing Maps Transactions and Users, Bing Search Services, Cognitive Services in containers installed on Customer's dedicated hardware, GitHub Offerings, LinkedIn Sales Navigator, Azure Defender for IoT (excluding any cloud-connected features), Azure SQL Edge, Azure Stack HCI, Azure Stack Hub, Microsoft Graph data connect for ISVs, Microsoft Genomics, and Visual Studio App Center Test. Each of these Online Services is governed by the privacy and security terms in the applicable Product-Specific Terms.
Software Products excluded from the DPA
Except as provided in the Product-Specific Terms, the terms of the DPA do not apply to: Internet-based features in Software Products, Windows Desktop Operating System, Windows Server, and these Software Products as part of other Products. Each of these Products is governed by the privacy and security terms in the applicable Product-Specific Terms.
Separate terms, including different privacy and security terms, govern Customer’s use of Non-Microsoft Products (as defined in the Universal License Terms for Online Services).
DPA Terms Geography Exclusions
For Dynamics 365 and Power Platform online services, the specific terms of the DPA as noted in Appendix A stating “Microsoft stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.” do not apply to the following geographies: United Arab Emirates and South Africa.
Core Online Services
The term “Core Online Services” applies only to the services in the table below, excluding any Previews.
|Microsoft Dynamics 365 Core Services||The following services, each as a standalone service or as included in a Dynamics 365 branded plan or application: Dynamics 365 Customer Service, Dynamics 365 Customer Insights, Dynamics 365 Customer Service Insights, Dynamics 365 Field Service, Dynamics 365 Business Central, Dynamics 365 Supply Chain Management, Dynamics 365 Finance, Dynamics 365 Marketing, Dynamics 365 Commerce, Dynamics 365 Human Resources, and Dynamics 365 Sales. Dynamics 365 Core Services do not include (1) Dynamics 365 Services for supported devices or software, which includes but is not limited to Dynamics 365 for apps, tablets, phones, or any of these; (2) LinkedIn Sales Navigator; or (3) except as expressly defined in the licensing terms for the corresponding service, any other separately-branded service made available with or connected to Dynamics 365 Core Services.|
|Office 365 Services||The following services, each as a standalone service or as included in an Office 365-branded plan or suite: Cortana, Customer Lockbox, Exchange Online Archiving, Exchange Online Protection, Exchange Online, Microsoft Bookings, Microsoft Forms, Microsoft MyAnalytics, Microsoft Planner, Microsoft StaffHub, Microsoft Stream, Microsoft Teams (including Bookings, Lists, and Shifts), Microsoft To-Do, Microsoft Defender for Office 365, Office 365 Video, Office for the web, OneDrive for Business, Project, SharePoint Online, Skype for Business Online, Sway, Whiteboard, Yammer Enterprise and, for Kaizala Pro, Customer’s organizational groups managed through the admin portal and chats between two members of Customer’s organization. Office 365 Services do not include Microsoft 365 Apps for enterprise, any portion of a PSTN service that operates outside of Microsoft’s control, any client software, or any separately branded service made available with an Office 365-branded plan or suite, such as a Bing or a service branded “for Office 365.”|
|Microsoft 365 Compliance Services||The following services, each as a standalone service or as included in a Microsoft 365-branded plan or suite: Compliance Manager, Microsoft Information Protection, Microsoft Information Governance, Insider Risk Management, Communication Compliance, eDiscovery and Audit.|
|Microsoft Azure Core Services||Anomaly Detector, API Management, App Service (API Apps, Logic Apps, Mobile Apps, Web Apps), Application Gateway, Application Insights, Automation, Azure Active Directory (including Multi-Factor Authentication), Azure API for FHIR, Azure App Configuration, Azure Bot Services, Azure Cache for Redis, Azure Cognitive Search, Azure Container Registry (ACR), Azure Container Service, Azure Cosmos DB (formerly DocumentDB), Azure Data Explorer, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Databricks, Azure DevOps Services, Azure DevTest Labs, Azure DNS, Azure Event Grid, Azure Firewall, Azure Health Data Services, Azure Information Protection (including Azure Rights Management), Azure Kubernetes Service, Azure NetApp Files, Microsoft Purview, Azure Resource Manager, Azure Spring Cloud, Azure Time Series Insights, Azure Video Analyzer for Media, Backup, Batch, BizTalk Services, Cloud Services, Computer Vision, Content Moderator, Custom Vision, Data Catalog, Data Factory, Data Lake Analytics, Data Lake Store, Event Hubs, Express Route, Face, Functions, HDInsight, Import/Export, IoT Hub, Key Vault, Language Understanding, Load Balancer, Log Analytics (formerly Operational Insights), Azure Machine Learning Studio, Media Services, Microsoft Azure Portal, Notification Hubs, Personalizer, Power BI Embedded, QnA Maker, Scheduler, Security Center, Service Bus, Service Fabric, SignalR Service, Site Recovery, Speech Services, SQL Data Warehouse, SQL Database, SQL Managed Instance, SQL Server Stretch Database, Storage, StorSimple, Stream Analytics, Synapse Analytics, Text Analytics, Traffic Manager, Translator, Virtual Machines, Virtual Machine Scale Sets, Virtual Network, and VPN Gateway|
|Microsoft Defender for Cloud Apps||The cloud service portion of Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security).|
|Microsoft Intune Online Services||The cloud service portion of Microsoft Intune such as the Microsoft Intune Add-on Product or a management service provided by Microsoft Intune such as Mobile Device Management for Office 365.|
|Microsoft Power Platform Core Services||The following services, each as a standalone service or as included in an Office 365 or Microsoft Dynamics 365 branded plan or suite: Microsoft Power BI, Microsoft Power Apps, Microsoft Power Automate, and Microsoft Power Virtual Agents. Microsoft Power Platform Core Services do not include any client software, including but not limited to Power BI Report Server, the Power BI, PowerApps or Microsoft Power Automate mobile applications, Power BI Desktop, or Power Apps Studio.|
|Microsoft Defender for Endpoint Services||The cloud services portion of Microsoft Defender for Endpoint.|
|Microsoft 365 Defender||The cloud service portion of Microsoft 365 Defender.|
Security Practices and Policies for Core Online Services
In addition to the security practices and policies for Online Services in the DPA, each Core Online Service also complies with the control standards and frameworks shown in the table below and implements and maintains the security measures set forth in Appendix A of the DPA for the protection of Customer Data.
| Online Service | SSAE 18 SOC 1 Type II | SSAE 18 SOC 2 Type II |
|---|---|---|
| Office 365 Services | Yes | Yes |
| Microsoft 365 Compliance Services | Yes | Yes |
| Microsoft Dynamics 365 Core Services | Yes | Yes |
| Microsoft Azure Core Services | Varies* | Varies* |
| Microsoft Defender for Cloud Apps | Yes | Yes |
| Microsoft Intune Online Services | Yes | Yes |
| Microsoft Power Platform Core Services | Yes | Yes |
| Microsoft Defender for Endpoint Services | Yes | Yes |
| Microsoft 365 Defender | Yes | Yes |
*Current scope is detailed in the audit report and summarized in the Microsoft Trust Center.
Location of Customer Data at Rest for Core Online Services
For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas (each, a Geo) as follows except as otherwise provided in the Online Service-specific terms:
- Office 365 Services. If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, and (3) files uploaded to OneDrive for Business.
- Microsoft Intune Online Services. When Customer provisions a Microsoft Intune tenant account to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Intune Trust Center.
- Microsoft Power Platform Core Services. When Customer provisions a Power Platform Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Power Platform Trust Center.
- Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations. Refer to the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release) for more details.
- Microsoft Defender for Cloud Apps. If Customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo, except as described in the Microsoft Defender for Cloud Apps Trust Center.
- Microsoft Dynamics 365 Core Services. When Customer provisions a Dynamics 365 Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Dynamics 365 Trust Center.
- Microsoft Defender for Endpoint Services. When Customer provisions a Microsoft Defender for Endpoint tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Defender for Endpoint Trust Center.
- Microsoft 365 Defender. When Customer provisions a Microsoft 365 Defender tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft 365 Defender Trust Center.