Privacy & Security Terms


General

The Privacy & Security Terms were formerly contained in Attachment 1 to the Online Services Terms.

The Data Protection Addendum, or DPA (defined in the Glossary), sets forth the parties' obligations with respect to the processing and security of Customer Data, Professional Services Data, and Personal Data by the Products. The Data Protection Addendum can be downloaded at https://aka.ms/DPA. In the event of any conflict or inconsistency between the DPA and any other terms in Customer’s licensing agreement (including these terms), the DPA shall prevail.

Online Services excluded from the DPA

Except as provided in the Product-Specific Terms, the terms of the DPA do not apply to: Bing Maps Mobile Asset Management Platform, Bing Maps Transactions and Users, Bing Search Services, Azure AI Services in containers installed on Customer's dedicated hardware, Microsoft Copilot with commercial data protection (formerly known as Bing Chat Enterprise), GitHub Offerings, LinkedIn Sales Navigator, Microsoft Defender for IoT (excluding any cloud-connected features), Azure SQL Edge, Azure Stack HCI, Azure Stack Hub, Microsoft Graph data connect for ISVs, Microsoft Genomics, and Visual Studio App Center Test. Each of these Online Services is governed by the privacy and security terms in the applicable Product-Specific Terms.

Software Products excluded from the DPA

Except as provided in the Product-Specific Terms, the terms of the DPA do not apply to: Internet based features in Software Products, Windows Desktop Operating System, Windows Server, and these Software Products as part of other Products. Each of these Products is governed by the privacy and security terms in the applicable Product-Specific Terms.

Non-Microsoft Products

Separate terms, including different privacy and security terms, govern Customer’s use of Non-Microsoft Products (as defined in the Universal License Terms for Online Services).

DPA Terms Geography Exclusions

For Dynamics 365 and Power Platform online services, the specific terms of the DPA as noted in Appendix A stating “Microsoft stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.” do not apply to the following geographies: United Arab Emirates and South Africa.

Core Online Services

The term “Core Online Services” applies only to the services in the table below, excluding any Previews. 

Online Services
Microsoft Dynamics 365 Core Services: The following services, each as a standalone service or as included in a Dynamics 365 branded plan or application: Dynamics 365 Customer Service, Dynamics 365 Customer Insights, Dynamics 365 Field Service, Dynamics 365 Business Central, Dynamics 365 Supply Chain Management, Dynamics 365 Intelligent Order Management, Dynamics 365 Finance, Dynamics 365 Commerce, Dynamics 365 Human Resources, Dynamics 365 Project Operations, and Dynamics 365 Sales. Dynamics 365 Core Services do not include (1) Dynamics 365 Services for supported devices or software, which includes but is not limited to Dynamics 365 for apps, tablets, phones, or any of these; (2) LinkedIn Sales Navigator; or (3) except as expressly defined in the licensing terms for the corresponding service, any other separately-branded service made available with or connected to Dynamics 365 Core Services.
Office 365 Services: The following services, each as a standalone service or as included in an Office 365 or Microsoft 365-branded plan or suite: Cortana, Customer Lockbox, Exchange Online Archiving, Exchange Online Protection, Exchange Online, Microsoft Bookings, Microsoft Forms, Microsoft Planner, Microsoft Stream (Classic), Microsoft Teams, Microsoft To-Do, Microsoft Defender for Office 365, Office for the web, OneDrive for Business, Project, SharePoint, Sway, Viva Insights, Whiteboard, Yammer Enterprise, and Microsoft Copilot for Microsoft 365. Office 365 Services do not include Microsoft 365 Apps for enterprise, any portion of a PSTN service that operates outside of Microsoft's control, any client software, or any separately branded service made available with an Office 365 or Microsoft 365-branded plan or suite, such as a Bing or a service branded "for Office 365."
Microsoft 365 Compliance Services: The following services, each as a standalone service or as included in a Microsoft 365-branded plan or suite: Microsoft Purview Customer Lockbox, Microsoft Purview Data Loss Prevention, Microsoft Purview Customer Key, Microsoft Purview Data Lifecycle Management, Microsoft Purview Information Barriers, Microsoft Purview Privileged Access Management, Microsoft Purview Compliance Manager, Microsoft Purview Information Protection, Microsoft Information Governance, Microsoft Purview-Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Records Management, Microsoft Purview eDiscovery, and Microsoft Purview Audit, Microsoft Priva Privacy Risk Management, and Microsoft Priva Subject Rights Request.
Microsoft Azure Core Services: Azure AI, Azure Active Directory B2C, Anomaly Detector, API Management, App Service (API Apps, Logic Apps, Mobile Apps, WebJobs, Functions), Lab Services, Application Gateway, Azure Monitor, Automation, Azure API for FHIR, Azure App Configuration, Azure AI Bot Service, Azure Cache for Redis, Azure AI Search, Azure Container Apps, Azure Container Instances, Azure Container Registry (ACR), Azure Cosmos DB, Azure Data Explorer, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Databricks, Azure DevOps, Azure DNS, Microsoft Entra ID, Azure Event Grid, Microsoft Fabric, Azure Firewall, Azure AI Document Intelligence, Azure Health Data Services, Azure AI Immersive Reader, Azure Kubernetes Service, Azure Managed Grafana, Azure Machine Learning, Azure AI Metrics Advisor, Azure NetApp Files, Azure OpenAI Service, Azure Red Hat OpenShift, Azure VMware Solution, Microsoft Purview Data Map, Microsoft Purview Data Catalog, Microsoft Purview Data Estate Insights, Microsoft Purview Data Policies, Microsoft Purview Data Sharing, Azure Resource Manager, Azure Spring Apps, Azure Time Series Insights, Azure AI Video Indexers, Azure Web PubSub, Backup, Batch, Cloud Services, Computer Vision, Content Moderator, Azure AI Custom Vision, Data Factory, Data Lake Analytics, Data Lake Store, Event Hubs, Express Route, Face, HDInsight, Import/Export, IoT Hub, Key Vault, Language Understanding, Load Balancer, Azure Machine Learning Studio (classic), Media Services, Microsoft Azure Portal, Notification Hubs, Azure AI Personalizer, Power BI Embedded, QnA Maker, Microsoft Defender for Cloud, Service Bus, Service Connector, Service Fabric, Azure SignalR Service, Site Recovery, Speech Services, SQL Database, SQL Managed Instance, SQL Server Stretch Database, Storage, StorSimple, Stream Analytics, Synapse Analytics, Text Analytics, Traffic Manager, Azure AI Translator, Virtual Machines, Virtual Machine Scale Sets, Virtual Network, and VPN Gateway.
Microsoft Defender for Cloud Apps: The cloud service portion of Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security).
Microsoft Intune Online Services: The cloud service portion of Microsoft Intune.
Microsoft Power Platform Core Services: The following services, each as a standalone service or as included in an Office 365 or Microsoft Dynamics 365 branded plan or suite: Microsoft Power BI, Microsoft Power Apps, Microsoft Power Automate, Microsoft Power Pages, and Microsoft Copilot Studio. Microsoft Power Platform Core Services do not include any client software, including but not limited to Power BI Report Server, the Power BI, PowerApps or Microsoft Power Automate mobile applications, Power BI Desktop, or Power Apps Studio.
Microsoft Defender for Endpoint Services: The cloud services portion of Microsoft Defender for Endpoint.
Microsoft Defender XDR: The cloud service portion of Microsoft Defender XDR.
Windows 365: The cloud service portion of Windows 365, excluding the Windows operating system running on Windows 365 Cloud PCs.

Security Practices and Policies for Core Online Services

In addition to the security practices and policies for Online Services in the DPA, each Core Online Service also complies with the control standards and frameworks shown in the table below and implements and maintains the security measures set forth in Appendix A of the DPA for the protection of Customer Data.

Online Service | SSAE 18 SOC 1 Type II | SSAE 18 SOC 2 Type II
Office 365 Services | Yes | Yes
Microsoft 365 Compliance Services | Yes | Yes
Microsoft Dynamics 365 Core Services | Yes | Yes
Microsoft Azure Core Services | Varies* | Varies*
Microsoft Defender for Cloud Apps | Yes | Yes
Microsoft Intune Online Services | Yes | Yes
Microsoft Power Platform Core Services | Yes | Yes
Microsoft Defender for Endpoint Services | Yes | Yes
Microsoft Defender XDR | Yes | Yes
Windows 365 | Yes | Yes

*Current scope is detailed in the audit report and summarized in the Microsoft Trust Center. 

Location of Customer Data at Rest for Core Online Services

For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas (each, a Geo) as follows except as otherwise provided in the Online Service-specific terms:

  • Office 365 Services. If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, (4) Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and for customers using Microsoft Stream (Classic) (on SharePoint) meeting recordings, and (5) any stored content of interactions with Microsoft Copilot for Microsoft 365 to the extent not included in the preceding commitments. If Customer purchases an Advanced Data Residency subscription, then Microsoft will store certain Customer Data at rest in the applicable Geo in accordance with this section and the “Advanced Data Residency Commitments” section of the product documentation at https://aka.ms/adroverview
  • Microsoft Intune Online Services. When Customer provisions a Microsoft Intune tenant account to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Intune Trust Center.
  • Microsoft Power Platform Core Services. When Customer provisions a Power Platform Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Power Platform Trust Center.
  • Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations. Refer to the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release) for more details.
  • Microsoft Defender for Cloud Apps. If Customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo, except as described in the Microsoft Defender for Cloud Apps Trust Center.
  • Microsoft Dynamics 365 Core Services. When Customer provisions a Dynamics 365 Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Dynamics 365 Trust Center.
  • Microsoft Defender for Endpoint Services. When Customer provisions a Microsoft Defender for Endpoint tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Defender for Endpoint Trust Center.
  • Microsoft Defender XDR. When Customer provisions a Microsoft Defender XDR tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Defender XDR Trust Center.
  • Windows 365. When a Windows 365 tenant is deployed within an available Geo, then, for that tenant, Microsoft will store Customer Data at rest within that specified Geo. If Customer provisions Windows 365 Cloud PCs within the same tenant to different available Geos, then, for each Cloud PC, Microsoft will store Cloud PC Customer Data at rest within that specified Geo.

EU Data Boundary Services

The term “EU Data Boundary” means the Microsoft computers, computing environment, and physical data centers located solely in the European Union (EU) and the European Free Trade Association (EFTA). The term "EU Data Boundary Services" applies only to the Online Services in the table below, excluding any Previews. 

EU Data Boundary Services
Azure: Azure services that enable deployment in a region within the EU Data Boundary and the following non-regional services: Azure Active Directory B2C, Azure Advisor, Azure Bot Service, Cloud Shell, Azure Communication Services, Azure Data Box, Azure DNS, Microsoft Entra ID, Microsoft Fabric, Azure Kubernetes Service on Azure Stack HCI, Azure Lighthouse, Azure Migrate, Azure Monitor, Azure Resource Mover, Azure Service Health, Azure Sphere, Azure Stack Edge, Azure Stack HCI, Azure Stack Hub, Azure Virtual Desktop, Azure VM Image Builder, Power BI Embedded, Traffic Manager, Translator
Dynamics 365: Dynamics 365 Business Central, Dynamics 365 Commerce, Dynamics 365 Customer Insights, Dynamics 365 Customer Service, Dynamics 365 Customer Voice, Dynamics 365 Field Service, Dynamics 365 Finance, Dynamics 365 Guides, Dynamics 365 Intelligent Order Management, Dynamics 365 Project Operations, Dynamics 365 Remote Assist, Dynamics 365 Sales, Dynamics 365 Supply Chain Management
Microsoft 365: Cortana, Customer Lockbox, Exchange Online, Exchange Online Archiving for Exchange Online, Microsoft Bookings, Microsoft Forms, Microsoft MyAnalytics, Microsoft Planner, Microsoft StaffHub, Microsoft Stream (Classic) (on SharePoint), Microsoft Teams, Microsoft To-Do, Office for the web, Online Services provided as part of Microsoft 365 Apps, OneDrive for Business, SharePoint Online, Sway, Whiteboard, Yammer Enterprise, Microsoft Copilot for Microsoft 365, Communications Compliance, eDiscovery and Audit, Insider Risk Management, Information Barriers, Microsoft Purview Data Loss Prevention, Microsoft Intune, Priva Privacy Risk Management, Priva Subject Rights Management, Microsoft Viva Answers, Microsoft Viva Connections, Microsoft Viva Engage, Microsoft Viva Glint, Microsoft Viva Goals, Microsoft Viva Insights, Microsoft Viva Learning, Microsoft Copilot for Sales, and Microsoft Viva Topics
Power Platform: Microsoft Power Apps, Microsoft Power Automate, Microsoft Power BI, Microsoft Power Pages, Microsoft Copilot Studio

Location of Customer Data for EU Data Boundary Services

For EU Data Boundary Services, Microsoft will store and process Customer Data and Personal Data within the EU Data Boundary as detailed below.

Customer must configure EU Data Boundary Services as follows:

Use of EU Data Boundary Services may result in limited transfers of Customer Data or Personal Data outside the EU Data Boundary, as set forth below and further detailed in transparency documentation for the EU Data Boundary located at https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn or successor location. Any such transfers will be conducted in accordance with the Data Protection Addendum and the Product Terms.

  • Remote Access. Microsoft personnel located outside the EU Data Boundary may remotely access data processing systems in the EU Data Boundary as necessary to operate, troubleshoot, and secure the EU Data Boundary Services.
  • Customer-Initiated Transfers. Customers may initiate transfers outside the EU Data Boundary, such as by accessing EU Data Boundary Services from locations outside the EU Data Boundary, sending an email to a recipient located outside the EU Data Boundary, or use of EU Data Boundary Services in combination with other services not in the EU Data Boundary.
  • Protecting Customers. Microsoft transfers limited data outside of the EU Data Boundary as necessary to detect and protect Customers against security threats.
  • Directory Data. Microsoft may replicate limited Microsoft Entra directory data from Microsoft Entra ID (including username and email address) outside the EU Data Boundary to provide the service.
  • Network Transit. To reduce routing latency and to maintain routing resiliency, Microsoft uses variable network paths that may occasionally result in transit of data outside the EU Data Boundary. 
  • Service and Platform Quality and Management. When required to monitor and maintain service quality or to ensure accuracy of statistical measures of service use or performance, pseudonymized Personal Data may be transferred outside of the EU Data Boundary.
  • Service-Specific Transfers. See transparency documentation referenced above for information about transfers applicable to specific EU Data Boundary Services.