Privacy & Security Terms
General
The Privacy & Security Terms were formerly contained in Attachment 1 to the Online Services Terms.
The Data Protection Addendum, or DPA (defined in the Glossary) sets forth the parties obligations with respect to the processing and security of Customer Data, Professional Services Data, and Personal Data by the Products. The Data Protection Addendum can be downloaded here https://aka.ms/DPA. In the event of any conflict or inconsistency between the DPA and any other terms in Customer’s licensing agreement (including these terms), the DPA shall prevail.
Online Services excluded from the DPA
Except as provided in the Product-Specific Terms, the terms of the DPA do not apply to: Bing Maps Mobile Asset Management Platform, Bing Maps Transactions and Users, Bing Search Services, Cognitive Services in containers installed on Customer's dedicated hardware, GitHub Offerings, LinkedIn Sales Navigator, Microsoft Defender for IoT (excluding any cloud-connected features), Azure SQL Edge, Azure Stack HCI, Azure Stack Hub, Microsoft Graph data connect for ISVs, Microsoft Genomics, and Visual Studio App Center Test. Each of these Online Services are governed by the privacy and security terms in the applicable Product-Specific Terms.
Software Products excluded from the DPA
Except as provided in the Product-Specific Terms, the terms of the DPA do not apply to: Internet based features in Software Products, Windows Desktop Operating System, Windows Server, and these Software Products as part of other Products. Each of these Products are governed by the privacy and security terms in the applicable Product-Specific Terms.
Non-Microsoft Products
Separate terms, including different privacy and security terms, govern Customer’s use of Non-Microsoft Products (as defined in the Universal License Terms for Online Services).
DPA Terms Geography Exclusions
For Dynamics 365 and Power Platform online services, the specific terms of the DPA as noted in Appendix A stating “Microsoft stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.” do not apply to the following geographies: United Arab Emirates and South Africa.
Core Online Services
The term “Core Online Services” applies only to the services in the table below, excluding any Previews.
| Online Services | |
|---|---|
| Microsoft Dynamics 365 Core Services | The following services, each as a standalone service or as included in a Dynamics 365 branded plan or application: Dynamics 365 Customer Service, Dynamics 365 Customer Insights, Dynamics 365 Customer Service Insights, Dynamics 365 Field Service, Dynamics 365 Business Central, Dynamics 365 Supply Chain Management, Dynamics 365 Finance, Dynamics 365 Marketing, Dynamics 365 Commerce, Dynamics 365 Human Resources, and Dynamics 365 Sales. Dynamics 365 Core Services do not include (1) Dynamics 365 Services for supported devices or software, which includes but is not limited to Dynamics 365 for apps, tablets, phones, or any of these; (2) LinkedIn Sales Navigator; or (3) except as expressly defined in the licensing terms for the corresponding service, any other separately-branded service made available with or connected to Dynamics 365 Core Services. |
| Office 365 Services | The following services, each as a standalone service or as included in an Office 365-branded plan or suite: Cortana, Customer Lockbox, Exchange Online Archiving, Exchange Online Protection, Exchange Online, Microsoft Bookings, Microsoft Forms, Microsoft Planner, Microsoft StaffHub, Microsoft Stream, Microsoft Teams (including Bookings, Lists, and Shifts), Microsoft To-Do, Microsoft Defender for Office 365, Office 365 Video, Office for the web, OneDrive for Business, Project, SharePoint Online, Skype for Business Online, Sway, Viva Insights, Whiteboard, Yammer Enterprise and, for Kaizala Pro, Customer’s organizational groups managed through the admin portal and chats between two members of Customer’s organization. Office 365 Services do not include Microsoft 365 Apps for enterprise, any portion of a PSTN service that operates outside of Microsoft’s control, any client software, or any separately branded service made available with an Office 365-branded plan or suite, such as a Bing or a service branded “for Office 365.” |
| Microsoft 365 Compliance Services | The following services, each as a standalone service or as included in a Microsoft 365-branded plan or suite: Compliance Manager, Microsoft Information Protection, Microsoft Information Governance, Insider Risk Management, Communication Compliance, eDiscovery and Audit. |
| Microsoft Azure Core Services | Anomaly Detector, API Management, App Service (API Apps, Logic Apps, Mobile Apps, Web Apps), Application Gateway, Azure Monitor, Automation, Azure Active Directory (including Multi-Factor Authentication), Azure API for FHIR, Azure App Configuration, Azure Bot Service, Azure Cache for Redis, Azure Cognitive Search, Azure Container Registry (ACR), Azure Cosmos DB, Azure Data Explorer, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Databricks, Azure DevOps Services, Azure DevTest Labs, Azure DNS, Azure Event Grid, Azure Firewall, Azure Form Recognizer, Azure Health Data Services, Azure Immersive Reader, Azure Information Protection (including Azure Rights Management), Azure Kubernetes Service, Azure Machine Learning, Azure Metrics Advisor, Azure NetApp Files, Azure OpenAI Service, Azure Red Hat OpenShift, Microsoft Purview, Azure Resource Manager, Azure Spring Cloud, Azure Time Series Insights, Azure Video Analyzer for Media, Backup, Batch, Cloud Services, Computer Vision, Content Moderator, Custom Vision, Data Catalog, Data Factory, Data Lake Analytics, Data Lake Storage, Event Hubs, Express Route, Face, Functions, HDInsight, Import/Export, IoT Hub, Key Vault, Language Understanding, Load Balancer, Azure Machine Learning Studio (classic), Media Services, Microsoft Azure Portal, Notification Hubs, Personalizer, Power BI Embedded, QnA Maker, Microsoft Defender for Cloud, Service Bus, Service Fabric, SignalR Service, Site Recovery, Speech Services, SQL Database, SQL Managed Instance, SQL Server Stretch Database, Storage, StorSimple, Stream Analytics, Synapse Analytics, Text Analytics, Traffic Manager, Translator, Virtual Machines, Virtual Machine Scale Sets, Virtual Network, and VPN Gateway. |
| Microsoft Defender for Cloud Apps | The cloud service portion of Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). |
| Microsoft Intune Online Services | The cloud service portion of Microsoft Intune such as the Microsoft Intune Add-on Product or a management service provided by Microsoft Intune such as Mobile Device Management for Office 365. |
| Microsoft Power Platform Core Services | The following services, each as a standalone service or as included in an Office 365 or Microsoft Dynamics 365 branded plan or suite: Microsoft Power BI, Microsoft Power Apps, and Microsoft Power Automate, and Microsoft Power Virtual Agents. Microsoft Power Platform Core Services do not include any client software, including but not limited to Power BI Report Server, the Power BI, PowerApps or Microsoft Power Automate mobile applications, Power BI Desktop, or Power Apps Studio. |
| Microsoft Defender for Endpoint Services | The cloud services portion of Microsoft Defender for Endpoint. |
| Microsoft 365 Defender | The cloud service portion of Microsoft 365 Defender. |
| Windows 365 | The cloud service portion of Windows 365, excluding the Windows operating system running on Windows 365 Cloud PCs. |
Security Practices and Policies for Core Online Services
In addition to the security practices and policies for Online Services in the DPA, each Core Online Service also complies with the control standards and frameworks shown in the table below and implements and maintains the security measures set forth in Appendix A of the DPA for the protection of Customer Data.
| Online Service | SSAE 18 SOC 1 Type II | SSAE 18 SOC 2 Type II |
|---|---|---|
| Office 365 Services | Yes | Yes |
| Microsoft 365 Compliance Services | Yes | Yes |
| Microsoft Dynamics 365 Core Services | Yes | Yes |
| Microsoft Azure Core Services | Varies* | Varies* |
| Microsoft Defender for Cloud Apps | Yes | Yes |
| Microsoft Intune Online Services | Yes | Yes |
| Microsoft Power Platform Core Services | Yes | Yes |
| Microsoft Defender for Endpoint Services | Yes | Yes |
| Microsoft 365 Defender | Yes | Yes |
| Windows 365 | Yes | Yes |
*Current scope is detailed in the audit report and summarized in the Microsoft Trust Center.
Location of Customer Data at Rest for Core Online Services
For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas (each, a Geo) as follows except as otherwise provided in the Online Service-specific terms:
- Office 365 Services. If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, and (4) Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and for customers using Microsoft Stream (on SharePoint), meeting recordings. If Customer purchases an Advanced Data Residency subscription, then Microsoft will store certain Customer Data at rest in the applicable Geo in accordance with this section and the “Advanced Data Residency Commitments” section of the product documentation at https://aka.ms/adroverview.
- Microsoft Intune Online Services. When Customer provisions a Microsoft Intune tenant account to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Intune Trust Center.
- Microsoft Power Platform Core Services. When Customer provisions a Power Platform Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Power Platform Trust Center.
- Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations. Refer to the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release) for more details.
- Microsoft Defender for Cloud Apps. If Customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo, except as described in the Microsoft Defender for Cloud Apps Trust Center.
- Microsoft Dynamics 365 Core Services. When Customer provisions a Dynamics 365 Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Dynamics 365 Trust Center.
- Microsoft Defender for Endpoint Services. When Customer provisions a Microsoft Defender for Endpoint tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Defender for Endpoint Trust Center.
- Microsoft 365 Defender. When Customer provisions a Microsoft 365 Defender tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft 365 Defender Trust Center.
- Windows 365. When a Windows 365 tenant is deployed within an available Geo, then, for that tenant, Microsoft will store Customer Data at rest within that specified Geo. If Customer provisions Windows 365 Cloud PCs within the same tenant to different available Geos, then, for each Cloud PC, Microsoft will store Cloud PC Customer Data at rest within that specified Geo.
EU Data Boundary Services
The term “EU Data Boundary” means the Microsoft computers, computing environment, and physical data centers located solely in the European Union (EU) and the European Free Trade Association (EFTA). The term "EU Data Boundary Services" applies only to the Online Services in the table below, excluding any Previews.
| EU Data Boundary Services | |
|---|---|
| Azure | Azure services that enable deployment in a region within the EU Data Boundary and the following non-regional services: Azure Advisor, Azure Bot Service, Azure Communication Services, Azure Data Box, Azure DNS, Azure Kubernetes Service on Azure Stack HCI, Azure Lighthouse, Azure Migrate, Azure Monitor, Azure Resource Mover, Azure Service Health, Azure Sphere, Azure Stack Edge, Azure Stack HCI, Azure Stack Hub, Azure Virtual Desktop, Azure VM Image Builder, Power BI Embedded, Traffic Manager, Translator |
| Dynamics 365 | Dynamics 365 Business Central, Dynamics 365 Commerce, Dynamics 365 Customer Insights, Dynamics 365 Customer Service, Dynamics 365 Customer Voice, Dynamics 365 Field Service, Dynamics 365 Finance, Dynamics 365 Guides, Dynamics 365 Intelligent Order Management, Dynamics 365 Marketing, Dynamics 365 Project Operations, Dynamics 365 Remote Assist, Dynamics 365 Sales, Dynamics 365 Supply Chain Management |
| Microsoft 365 | Cortana, Customer Lockbox, Exchange Online, Exchange Online Archiving for Exchange Online, Microsoft Bookings, Microsoft Forms, Microsoft MyAnalytics, Microsoft Planner, Microsoft StaffHub, Microsoft Stream (on SharePoint), Microsoft Teams, Microsoft To-Do, Office for the web, Online Services provided as part of Microsoft 365 Apps, OneDrive for Business, SharePoint Online, Sway, Whiteboard, Yammer Enterprise, Communications Compliance, eDiscovery and Audit, Insider Risk Management, Information Barriers, Microsoft Purview Data Loss Prevention, Microsoft Intune, Priva Privacy Risk Management, Priva Subject Rights Management, Microsoft Viva Answers, Microsoft Viva Connections, Microsoft Viva Engage, Microsoft Viva Goals, Microsoft Viva Insights, Microsoft Viva Learning, Microsoft Viva Sales, and Microsoft Viva Topics |
| Power Platform | Microsoft Power Apps, Microsoft Power Automate, Microsoft Power BI, Microsoft Power Pages, Microsoft Power Virtual Agents |
Location of Customer Data for EU Data Boundary Services
For EU Data Boundary Services, Microsoft will store and process Customer Data (including any Personal Data contained therein) within the EU Data Boundary as detailed below.
Customer must configure EU Data Boundary Services as follows:
- For Azure, Customer must deploy the service into an Azure region located within the EU Data Boundary. See Data Residency in Azure (https://azure.microsoft.com/explore/global-infrastructure/data-residency) for more information. For services that do not enable deployment into a specified Azure region, Customer must follow the instructions at Configuring Azure non-regional services for the EU Data Boundary (https://learn.microsoft.com/privacy/eudb/eu-data-boundary-configure-azure-nonregional-services).
- For Dynamics 365 and Power Platform, if Customer provisions a tenant with a billing address in the EU or EFTA, that tenant will be in-scope for the EU Data Boundary if Customer also creates all of its environments within a Geo inside the EU Data Boundary.
- For Microsoft 365, if Customer provisions a tenant with a billing address in the EU or EFTA, that tenant will be in-scope for the EU Data Boundary, except for those tenants where Customer has also purchased the Microsoft 365 Multi-Geo Capabilities add-on that enables customers to expand Microsoft 365 tenant presence to multiple geographic regions or countries (https://learn.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo?view=o365-worldwide).
Use of EU Data Boundary Services may result in limited transfers of Customer Data outside the EU Data Boundary, as set forth below and further detailed in transparency documentation for the EU Data Boundary located at https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn or successor location. Any such transfers will be conducted in accordance with the Data Protection Addendum and the Product Terms.
- Remote Access. Microsoft personnel located outside the EU Data Boundary may remotely access data processing systems in the EU Data Boundary as necessary to operate, troubleshoot, and secure the EU Data Boundary Services.
- Customer-Initiated Transfers. Customers may initiate transfers outside the EU Data Boundary, such as by accessing EU Data Boundary Services from locations outside the EU Data Boundary, sending an email to a recipient located outside the EU Data Boundary, or use of EU Data Boundary Services in combination with other services not in the EU Data Boundary.
- Protecting Customers. Microsoft transfers limited data outside of the EU Data Boundary as necessary to detect and protect Customers against security threats.
- Directory Data. Microsoft may replicate limited directory data from Azure Active Directory (including username and email address) outside the EU Data Boundary to provide the service.
- Network Transit. To reduce routing latency and to maintain routing resiliency, Microsoft uses variable network paths that may occasionally result in transit of data outside the EU Data Boundary.
- Service-Specific Transfers. See transparency documentation referenced above for information about transfers applicable to specific EU Data Boundary Services.