Privacy & Security Terms
General
The Privacy & Security Terms were formerly contained in Attachment 1 to the Online Services Terms.
The Data Protection Addendum, or DPA (defined in the Glossary) sets forth the parties obligations with respect to the processing and security of Customer Data, Professional Services Data, and Personal Data by the Products. The Data Protection Addendum can be downloaded here https://aka.ms/DPA. In the event of any conflict or inconsistency between the DPA and any other terms in Customer’s licensing agreement (including these terms), the DPA shall prevail.
Exceptions to the DPA
The Privacy and Security Terms in the table below modify or supplement the DPA for each of the identified Online Services.
Product Family | Online Service | Privacy & Security Terms |
---|---|---|
Microsoft Azure | Azure AI Services | Services in Containers Because the operating environment of containers installed on Customer's dedicated hardware is not under Microsoft's control, the terms of the DPA do not apply to those containers, except to the extent a) any Personal Data is collected in connection with a billing endpoint, or b) Customer Data is provided to Microsoft for custom model training prior to download of the Service operating in the container. |
Inactive Services Configurations and Custom Models For the purposes of data retention and deletion, a Services configuration or custom model that has been inactive may at Microsoft's discretion be treated as an Online Service for which the Customer's subscription has expired. A configuration or custom model is inactive if for 90 days (1) no calls are made to it; (2) it has not been modified and does not have a current key assigned to it and; (3) Customer has not signed in to it. | ||
Multi-Cloud Scanning Connectors for Microsoft Purview | To enable interoperability with Customer's deployments with other cloud providers, Microsoft may operate within such other clouds certain optional, discrete data scanner functionality for Customer's data hosted in such other clouds (the "Multi-Cloud Scanning Connectors for Microsoft Purview"). Microsoft will disclose in its documentation how Customer may enable and use the Multi-Cloud Scanning Connectors for Microsoft Purview. For clarity, the Multi-Cloud Scanning Connectors for Microsoft Purview is a separate add-on to Microsoft Purview. The Multi-Cloud Scanning Connectors for Microsoft Purview is not a Microsoft Azure Core Service and the following sections of the DPA do not apply to the Multi-Cloud Scanning Connectors for Microsoft Purview: "Educational Institutions", "CJIS Customer Agreement", "HIPAA Business", and "Appendix A - Security Measures". With respect solely to the Multi-Cloud Scanning Connectors for Microsoft Purview, the following modifications to the DPA apply:
Standard data protection terms offered by those other cloud providers govern your use of the Multi-Cloud Scanning Connectors for Microsoft Purview while the add-on is hosted in such other clouds. | |
Visual Studio App Center | The privacy statement located at https://aka.ms/actestprivacypolicy applies to Customer’s use of Visual Studio App Center Test. Customer may not use Visual Studio App Center Test to store or process Personal Data. | |
SQL Managed Instance enabled by Azure Arc | The terms of the DPA do not apply to processing of data in SQL Managed Instance enabled by Azure Arc running in an environment outside of Microsoft's control, except to the extent any Personal Data is collected to enable Azure management services and to meter usage for billing purposes. | |
Microsoft Genomics | The Microsoft Privacy Statement located at https://aka.ms/privacy applies to Customer's use of Microsoft Genomics and not the DPA, except that this Microsoft Genomics section controls to the extent it conflicts with the Microsoft Privacy Statement. Broad License Terms Microsoft Genomics includes access to the Genetic Analysis Toolkit (GATK) from the Broad Institute, Inc. ("Broad"). Use of the GATK and any related documentation as part of Microsoft Genomics is also subject to Broad's GATK End User License Agreement ("Broad EULA" located here https://software.broadinstitute.org/gatk/eula/index?p=Azure). Microsoft may collect and share with Broad certain statistical and technical information regarding Customer's usage of the GATK. Customer authorizes Microsoft to report to Broad Customer's status as a user of the GATK in Microsoft Genomics. | |
Azure SQL Edge | The terms of the DPA do not apply to Azure SQL Edge installed on Customer’s IoT Device, except to the extent any Personal Data is collected to enable Azure management services and to meter usage for billing purposes, because the operating environment of such IoT Devices is not under Microsoft’s control. | |
Azure Stack HCI | Microsoft will be a controller of Personal Data when customers turn on collection of Windows diagnostic data as described in product documentation. When Microsoft is a controller, Microsoft will handle this Personal Data in accordance with the Microsoft Privacy Statement at aka.ms/privacy, and the DPA terms do not apply. | |
Azure Stack Hub | Microsoft will be a controller of Personal Data when customers turn on collection of Windows diagnostic data as described in the Product documentation. When Microsoft is a controller, Microsoft will handle this Personal Data in accordance with the Microsoft Privacy Statement at aka.ms/privacy, and the DPA terms do not apply. If a Microsoft Cloud Agreement or Microsoft Customer Agreement Customer uses Azure Stack Hub software or services that are hosted by a Reseller, such use will be subject to Reseller’s privacy practices, which may differ from Microsoft’s. | |
Azure VMware Solution | Professional Services Data Transfer to VMware If customer contacts Microsoft for technical support relating to Azure VMware Solution and Microsoft must engage VMware for assistance with the issue, Microsoft will transfer the Professional Services Data and the Personal Data contained in the support case to VMware. The transfer is made subject to the terms of the Support Transfer Agreement between VMware and Microsoft, which establishes Microsoft and VMware as independent processors of the Professional Services Data. Before any transfer of Professional Services Data to VMware will occur, Microsoft will obtain and record consent from customer for the transfer. VMware Data Processing Agreement Once Professional Services Data is transferred to VMware (pursuant to the above section), the processing of Professional Services Data, including the Personal Data contained the support case, by VMware as an independent processor will be governed by the VMware Data Processing Agreement for Microsoft AVS Customers Transferred for L3 Support (https://rc.portal.azure.com/verifyLink?href=https%3A%2F%2Fwww.vmware.com%2Fvmware-dpa-for-avs-customers.html&id=Microsoft_Azure_Marketplace). Customer also gives authorization to allow its representative(s) who request technical support for Azure VMware Solution to provide consent on its behalf to Microsoft for the transfer of the Professional Services Data to VMware. | |
Bing | Bing | The Data Protection Addendum does not apply to Bing Search Services or to any use of Bing within a Product. For any component of a Product that is powered by Bing, as disclosed in the product documentation, the Microsoft Privacy Statement (https://privacy.microsoft.com/privacystatement) applies. |
GitHub | GitHub Offerings | Notwithstanding anything to the contrary in Customer's volume licensing agreement (including these Product Terms and the DPA), the GitHub Privacy Statement available at https://aka.ms/github_privacy and the GitHub Data Protection Agreement at https://aka.ms/github_dpa will apply to Customer's use of GitHub Offerings, including GitHub Enterprise licensed standalone or as Visual Studio Enterprise or Professional with GitHub Enterprise. |
Office 365 Services | Office 365 Education | If Customer is provisioned outside of the EU or EFTA, and Customer has an Office 365 Education subscription but has not purchased an Advanced Data Residency for Education add-on, then notwithstanding the "Location of Customer Data at Rest for Core Online Services" section of the Product Terms, Microsoft may provision Customer's Office 365 Education tenant in, transfer Customer Data to, and store Customer Data at rest anywhere within the European Union or North America. If Customer is provisioned in the EU or EFTA, and Customer has an Office 365 Education subscription but has not purchased an Advanced Data Residency for Education add-on, then notwithstanding the "Location of Customer Data at Rest for Core Online Services" section of the Product Terms, Microsoft may provision Customer's Office 365 Education tenant in, transfer Customer Data to, and store Customer Data at rest anywhere within the European Union. |
Microsoft Dynamics 365 Services | Dynamics 365 Business Central and Dynamics 365 Finance in Denmark | Bookkeeping Laws and Regulations These terms apply only to Customers with an enterprise in Denmark as required under the Bookkeeping Act. The DPA governs how Microsoft handles Customer Data in Dynamics 365 Business Central and Dynamics 365 Finance, except for the retention, deletion, and disclosure of Accounting Materials. In the event of any conflict or inconsistency between the DPA and any other terms in Customer's licensing agreement, these terms shall prevail. Definitions "Accounting Materials" means all documents that comprise bookkeeping, including any recorded transactions and receipts and other data (including Personal Data) for an enterprise that Customer provides or is provided on behalf of Customer in a Digital Standard Bookkeeping System, as required by the Bookkeeping Act. Data Retention and Deletion of Accounting Materials By using Dynamics 365 Business Central or Dynamics 365 Finance, Customer agrees that Microsoft or its affiliates, in accordance with their legal obligation, can copy, store, and retain Customer's Accounting Materials for 5 years from the end of the financial year of the related recorded transactions and receipts ("Retention Period"), even if Customer changes its bookkeeping system, goes bankrupt, or is liquidated, as required by the Bookkeeping Act. Microsoft will store Customer's Accounting Materials at rest in a Microsoft-managed storage in the same location as the primary computer equipment processing the Customer Data for these services or the European Union. During the Retention Period, Customer cannot access, extract, correct, or delete any of its Accounting Materials from this storage. Microsoft will use the same security measures to protect Customer's Accounting Materials as it uses to protect other Customer Data. After the Retention Period ends, Microsoft will delete Customer's Accounting Materials. Microsoft has no liability for the deletion of Customer's Accounting Materials. Disclosure of Accounting Materials Microsoft will disclose or provide access to Customer's Accounting Materials to Danish Authorities as necessary to satisfy a request compelling such disclosure as required by the Bookkeeping Act. Other data a Customer stores in these Digital Standard Bookkeeping Systems is not subject to disclosure. The Danish Authorities are only authorized to request Accounting Materials from providers of Digital Standard Bookkeeping Systems if obtaining the information directly from the enterprise is not possible. Microsoft has no liability for the disclosure of Customer's Accounting Materials to any Danish Authority. |
Microsoft Relationship Sales | LinkedIn Sales Navigator LinkedIn Sales Navigator is provided by LinkedIn Corporation. Customer may use the LinkedIn Sales Navigator Service only to generate sales leads. Each user of LinkedIn Sales Navigator must be a member of LinkedIn and agree to be bound by the LinkedIn User Agreement available at https://www.linkedin.com/legal/preview/user-agreement. Despite anything to the contrary in Customer's volume licensing agreement (including these Product Terms), the LinkedIn Privacy Policy available at https://www.linkedin.com/legal/privacy-policy will apply to Customer's use of the LinkedIn Sales Navigator service. LinkedIn Corporation (as data processor) and Customer (as data controller) will comply with the terms of the LinkedIn Data Processing Agreement located at https://legal.linkedin.com/dpa. | |
Microsoft 365 | Legacy Glint Services | Customer's access to and use of Legacy Glint Services are governed by the terms set forth in Customer's most recently active LinkedIn Order Form(s) for Legacy Glint Services. No Microsoft terms, including without limitation the Microsoft Product Terms, DPA, or any agreements between Customer and Microsoft shall apply to Legacy Glint Services. |
Other Online Services | Microsoft Intune | If Intune Company Portal App is used to manage devices, the terms that apply to Microsoft Intune Online Services (as defined in the Core Online Services table in these Privacy & Security Terms) apply to the use of Intune Company Portal App. Microsoft’s commitments related to Intune Company Portal App do not extend to data processing, policies, or practices of third-party providers of mobile platforms on which Intune Company Portal App operates (e.g., Apple, Google). |
Managed Devices and Applications | Microsoft Managed Desktop (MMD) integrates data (including Customer Data) between other Microsoft Products including Windows, Microsoft Entra ID, Microsoft Intune, Microsoft Defender for Endpoint, Office, and Online Services as configured by Customer, if any (collectively for purposes of this provision the "MMD Integrated Services"). Once data is transferred between the MMD Integrated Services, that data is governed by the Product Terms applicable to the service in which it resides. |
Software Products excluded from the DPA
Except as provided in the Product-Specific Terms, the terms of the DPA do not apply to: Internet based features in Software Products, Windows Desktop Operating System, Windows Server, and these Software Products as part of other Products. Each of these Products are governed by the privacy and security terms in the applicable Product-Specific Terms.
Non-Microsoft Products
Separate terms, including different privacy and security terms, govern Customer’s use of Non-Microsoft Products (as defined in the Universal License Terms for Online Services).
DPA Terms Geography Exclusions
For Dynamics 365 and Power Platform online services, the specific terms of the DPA as noted in Appendix A stating “Microsoft stores copies of Customer Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data is located.” do not apply to the following geographies: United Arab Emirates and South Africa.
Core Online Services
The term “Core Online Services” applies only to the services in the table below, excluding any Previews.
Online Services | |
---|---|
Microsoft Dynamics 365 Core Services | The following services, each as a standalone service or as included in a Dynamics 365 branded plan or application: Dynamics 365 Customer Service, Dynamics 365 Customer Insights, Dynamics 365 Field Service, Dynamics 365 Business Central, Dynamics 365 Supply Chain Management, Dynamics 365 Intelligent Order Management, Dynamics 365 Finance, Dynamics 365 Commerce, Dynamics 365 Human Resources, Dynamics 365 Project Operations, and Dynamics 365 Sales. Dynamics 365 Core Services do not include (1) Dynamics 365 Services for supported devices or software, which includes but is not limited to Dynamics 365 for apps, tablets, phones, or any of these; (2) LinkedIn Sales Navigator; or (3) except as expressly defined in the licensing terms for the corresponding service, any other separately-branded service made available with or connected to Dynamics 365 Core Services. |
Office 365 Services | The following services, each as a standalone service or as included in an Office 365 or Microsoft 365-branded plan or suite: Customer Lockbox, Exchange Online Archiving, Exchange Online Protection, Exchange Online, Microsoft Bookings, Microsoft Forms, Microsoft Planner, Microsoft Stream (Classic), Microsoft Teams, Microsoft To-Do, Microsoft Defender for Office 365, Office for the web, OneDrive for Business, Project, SharePoint, Sway, Viva Insights, Whiteboard, Viva Engage, and Microsoft 365 Copilot. Office 365 Services do not include Microsoft 365 Apps for enterprise, any portion of a PSTN service that operates outside of Microsoft's control, any client software, or any separately branded service made available with an Office 365 or Microsoft 365-branded plan or suite, such as a Bing or a service branded "for Office 365." |
Microsoft 365 Compliance Services | The following services, each as a standalone service or as included in a Microsoft 365-branded plan or suite: Microsoft Purview Customer Lockbox, Microsoft Purview Data Loss Prevention, Microsoft Purview Customer Key, Microsoft Purview Data Lifecycle Management, Microsoft Purview Information Barriers, Microsoft Purview Privileged Access Management, Microsoft Purview Compliance Manager, Microsoft Purview Information Protection, Microsoft Information Governance, Microsoft Purview-Insider Risk Management, Microsoft Purview Communication Compliance, Microsoft Purview Records Management, Microsoft Purview eDiscovery, and Microsoft Purview Audit, Microsoft Priva Privacy Risk Management, and Microsoft Priva Subject Rights Request. |
Microsoft Azure Core Services | Azure AI, Azure AI Content Safety, Azure Active Directory B2C, Anomaly Detector, API Management, App Service (API Apps, Logic Apps, Mobile Apps, WebJobs, Functions), Lab Services, Application Gateway, Azure Monitor, Automation, Azure API for FHIR, Azure App Configuration, Azure Bastion, Azure AI Bot Service, Azure Cache for Redis, Azure AI Search, Azure Communication Services, Azure Container Apps, Azure Container Instances, Azure Container Registry (ACR), Azure Cosmos DB, Azure Data Explorer, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Databricks, Azure DDOS Protection, Azure DevOps, Azure DNS, Microsoft Entra ID, Azure Event Grid, Microsoft Fabric, Azure Firewall, Azure AI Document Intelligence, Azure Health Data Services, Azure AI Immersive Reader, Azure Kubernetes Service, Azure Managed Grafana, Azure Machine Learning, Azure AI Metrics Advisor, Azure NetApp Files, Azure OpenAI Service, Azure Red Hat OpenShift, Azure VMware Solution, Microsoft Purview Data Map (Classic), Microsoft Purview Data Catalog (Classic), Microsoft Purview Data Estate Insights (Classic), Microsoft Purview Data Policies (Classic), Azure Resource Manager, Azure Spring Apps, Azure Time Series Insights, Azure AI Video Indexers, Azure Web PubSub, Backup, Batch, Cloud Services, Computer Vision, Content Moderator, Azure AI Custom Vision, Data Factory, Data Lake Analytics, Data Lake Store, Event Hubs, Express Route, Face, HDInsight, Import/Export, IoT Hub, Key Vault, Language Understanding, Load Balancer, Azure Machine Learning Studio (classic), Media Services, Microsoft Azure Portal, Notification Hubs, Azure AI Personalizer, Power BI Embedded, QnA Maker, Microsoft Defender for Cloud, Service Bus, Service Connector, Service Fabric, Azure SignalR Service, Site Recovery, Speech Services, SQL Database, SQL Managed Instance, SQL Server Stretch Database, Storage, StorSimple, Stream Analytics, Synapse Analytics, Text Analytics, Traffic Manager, Azure AI Translator, Virtual Machines, Virtual Machine Scale Sets, Virtual Network, and VPN Gateway. |
Microsoft Intune Online Services | The cloud service portion of Microsoft Intune. |
Microsoft Power Platform Core Services | The following services, each as a standalone service or as included in an Office 365 or Microsoft Dynamics 365 branded plan or suite: Microsoft Power BI, Microsoft Power Apps, Microsoft Power Automate, Microsoft Power Pages, and Microsoft Copilot Studio. Microsoft Power Platform Core Services do not include any client software, including but not limited to Power BI Report Server, the Power BI, PowerApps or Microsoft Power Automate mobile applications, Power BI Desktop, or Power Apps Studio. |
Microsoft Copilot | Microsoft Copilot, used with a work or school account. |
Microsoft Defender Experts | The cloud service portion of Microsoft Defender Experts. |
Microsoft Defender for Cloud Apps | The cloud service portion of Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security). |
Microsoft Defender for Endpoint Services | The cloud services portion of Microsoft Defender for Endpoint. |
Microsoft Defender for Identity | The cloud services portion of Microsoft Defender for Identity. |
Microsoft Defender XDR | The cloud service portion of Microsoft Defender XDR. |
Microsoft Sentinel | The cloud service portion of Microsoft Sentinel. |
Windows 365 | The cloud service portion of Windows 365, excluding the Windows operating system running on Windows 365 Cloud PCs. |
Security Practices and Policies for Core Online Services
In addition to the security practices and policies for Online Services in the DPA, each Core Online Service also complies with the control standards and frameworks shown in the table below and implements and maintains the security measures set forth in Appendix A of the DPA for the protection of Customer Data.
Online Service | SSAE 18 SOC 1 Type II | SSAE 18 SOC 2 Type II |
---|---|---|
Office 365 Services | Yes | Yes |
Microsoft 365 Compliance Services | Yes | Yes |
Microsoft Dynamics 365 Core Services | Yes | Yes |
Microsoft Azure Core Services | Varies* | Varies* |
Microsoft Intune Online Services | Yes | Yes |
Microsoft Power Platform Core Services | Yes | Yes |
Microsoft Copilot | Yes | Yes |
Microsoft Defender Experts | Varies* | Varies* |
Microsoft Defender for Cloud Apps | Yes | Yes |
Microsoft Defender for Endpoint Services | Yes | Yes |
Microsoft Defender for Identity | Yes | Yes |
Microsoft Defender XDR | Yes | Yes |
Microsoft Sentinel | Yes | Yes |
Windows 365 | Yes | Yes |
*Current scope is detailed in the audit report and summarized in the Microsoft Trust Center.
Location of Customer Data at Rest for Core Online Services
For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas (each, a Geo) as follows except as otherwise provided in the Online Service-specific terms:
- Office 365 Services. If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, (4) Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and for customers using Microsoft Stream (Classic) (on SharePoint) meeting recordings, and (5) any stored content of interactions with Microsoft 365 Copilot to the extent not included in the preceding commitments. If Customer purchases an Advanced Data Residency subscription, then Microsoft will store certain Customer Data at rest in the applicable Geo in accordance with this section and the “Advanced Data Residency Commitments” section of the product documentation at https://aka.ms/adroverview.
- Microsoft Intune Online Services. When Customer provisions a Microsoft Intune tenant account to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Intune Trust Center.
- Microsoft Power Platform Core Services. When Customer provisions a Power Platform Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Power Platform Trust Center.
- Microsoft Azure Core Services. If Customer configures a particular service to be deployed within a Geo then, for that service, Microsoft will store Customer Data at rest within the specified Geo. Certain services may not enable Customer to configure deployment in a particular Geo or outside the United States and may store backups in other locations. Refer to the Microsoft Trust Center (which Microsoft may update from time to time, but Microsoft will not add exceptions for existing Services in general release) for more details.
- Microsoft Defender for Cloud Apps. If Customer provisions its tenant in the European Union or the United States, Microsoft will store Customer Data at rest only within that Geo, except as described in the Microsoft Defender for Cloud Apps Trust Center.
- Microsoft Dynamics 365 Core Services. When Customer provisions a Dynamics 365 Core Service to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo, except as described in the Microsoft Dynamics 365 Trust Center.
- Microsoft Defender for Endpoint Services. When Customer provisions a Microsoft Defender for Endpoint tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Defender for Endpoint Trust Center.
- Microsoft Defender for Identity. When Customer provisions a Microsoft Defender for Identity tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Defender for Identity Trust Center.
- Microsoft Defender XDR. When Customer provisions a Microsoft Defender XDR tenant to be deployed within an available Geo, then, for that service, Microsoft will store Customer Data at rest within that specified Geo except as noted in the Microsoft Defender XDR Trust Center.
- Windows 365. When a Windows 365 tenant is deployed within an available Geo, then, for that tenant, Microsoft will store Customer Data at rest within that specified Geo. If Customer provisions Windows 365 Cloud PCs within the same tenant to different available Geos, then, for each Cloud PC, Microsoft will store Cloud PC Customer Data at rest within that specified Geo.
EU Data Boundary Services
The term “EU Data Boundary” means the Microsoft computers, computing environment, and physical data centers located solely in the European Union (EU) and the European Free Trade Association (EFTA). The term "EU Data Boundary Services" applies only to the Online Services in the table below, excluding any Previews.
EU Data Boundary Services | |
---|---|
Azure | Azure services that enable deployment in a region within the EU Data Boundary and the following non-regional services: Azure Active Directory B2C, Azure Advisor, Azure Bot Service, Cloud Shell, Azure Communication Services, Azure Data Box, Azure DNS, Microsoft Entra ID, Microsoft Fabric, Azure Kubernetes Service on Azure Stack HCI, Azure Lighthouse, Azure Migrate, Azure Monitor, Azure Resource Mover, Azure Service Health, Azure Sphere, Azure Stack Edge, Azure Stack HCI, Azure Stack Hub, Azure Virtual Desktop, Azure VM Image Builder, Power BI Embedded, Traffic Manager, Translator |
Dynamics 365 | Dynamics 365 Business Central, Dynamics 365 Commerce, Dynamics 365 Customer Insights, Dynamics 365 Customer Service, Dynamics 365 Customer Voice, Dynamics 365 Field Service, Dynamics 365 Finance, Dynamics 365 Guides, Dynamics 365 Intelligent Order Management, Dynamics 365 Project Operations, Dynamics 365 Remote Assist, Dynamics 365 Sales, Dynamics 365 Supply Chain Management |
Microsoft 365 | Customer Lockbox, Exchange Online, Exchange Online Archiving for Exchange Online, Microsoft Bookings, Microsoft Forms, Microsoft MyAnalytics, Microsoft Planner, Microsoft StaffHub, Microsoft Stream (Classic) (on SharePoint), Microsoft Teams, Microsoft To-Do, Office for the web, Online Services provided as part of Microsoft 365 Apps, OneDrive for Business, SharePoint Online, Sway, Whiteboard, Viva Engage, Microsoft 365 Copilot, Communications Compliance, eDiscovery and Audit, Insider Risk Management, Information Barriers, Microsoft Purview Data Loss Prevention, Microsoft Intune, Priva Privacy Risk Management, Priva Subject Rights Management, Microsoft Viva Answers, Microsoft Viva Connections, Microsoft Viva Engage, Microsoft Viva Glint, Microsoft Viva Goals, Microsoft Viva Insights, Microsoft Viva Learning, Microsoft Viva Pulse, Microsoft 365 Copilot for Sales, and Microsoft Viva Topics |
Power Platform | Microsoft Power Apps, Microsoft Power Automate, Microsoft Power BI, Microsoft Power Pages, Microsoft Copilot Studio |
Location of Customer Data for EU Data Boundary Services
For EU Data Boundary Services, Microsoft will store and process Customer Data and Personal Data within the EU Data Boundary as detailed below.
Customer must configure EU Data Boundary Services as follows:
- For Azure, Customer must deploy the service into an Azure region located within the EU Data Boundary. See Data Residency in Azure (https://azure.microsoft.com/explore/global-infrastructure/data-residency) for more information. For services that do not enable deployment into a specified Azure region, Customer must follow the instructions at Configuring Azure non-regional services for the EU Data Boundary (https://learn.microsoft.com/privacy/eudb/eu-data-boundary-configure-azure-nonregional-services).
- For Dynamics 365 and Power Platform, if Customer provisions a tenant with a billing address in the EU or EFTA, that tenant will be in-scope for the EU Data Boundary if Customer also creates all of its environments within a Geo inside the EU Data Boundary.
- For Microsoft 365, if Customer provisions a tenant in the EU or EFTA, that tenant will be in-scope for the EU Data Boundary, except for those tenants where Customer has also purchased the Microsoft 365 Multi-Geo Capabilities add-on that enables customers to expand Microsoft 365 tenant presence to multiple geographic regions or countries (https://learn.microsoft.com/microsoft-365/enterprise/microsoft-365-multi-geo?view=o365-worldwide).
Use of EU Data Boundary Services may result in limited transfers of Customer Data or Personal Data outside the EU Data Boundary, as set forth below and further detailed in transparency documentation for the EU Data Boundary located at https://learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn or successor location. Any such transfers will be conducted in accordance with the Data Protection Addendum and the Product Terms.
- Remote Access. Microsoft personnel located outside the EU Data Boundary may remotely access data processing systems in the EU Data Boundary as necessary to operate, troubleshoot, and secure the EU Data Boundary Services.
- Customer-Initiated Transfers. Customers may initiate transfers outside the EU Data Boundary, such as by accessing EU Data Boundary Services from locations outside the EU Data Boundary, sending an email to a recipient located outside the EU Data Boundary, or use of EU Data Boundary Services in combination with other services not in the EU Data Boundary.
- Protecting Customers. Microsoft transfers limited data outside of the EU Data Boundary as necessary to detect and protect Customers against security threats.
- Directory Data. Microsoft may replicate limited Microsoft Entra directory data from Microsoft Entra ID (including username and email address) outside the EU Data Boundary to provide the service.
- Network Transit. To reduce routing latency and to maintain routing resiliency, Microsoft uses variable network paths that may occasionally result in transit of data outside the EU Data Boundary.
- Service and Platform Quality and Management. When required to monitor and maintain service quality or to ensure accuracy of statistical measures of service use or performance, pseudonymized Personal Data may be transferred outside of the EU Data Boundary.
- Service-Specific Transfers. See transparency documentation referenced above for information about transfers applicable to specific EU Data Boundary Services.