|
-
The operational processes that govern access to customer data in Microsoft business cloud services are protected by strong controls and authentication, which fall into two categories: physical and logical.
Access to physical datacenter facilities is guarded by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, multifactor access control, integrated alarm systems, and around-the-clock video surveillance by the operations center.
Virtual access to customer data is restricted based on business need by role-based access control, multifactor authentication, minimizing standing access to production data, and other controls. Access to customer data is also strictly logged, and both Microsoft and third parties perform regular audits (as well as sample audits) to attest that any access is appropriate.
-
Microsoft products and services use industry-standard secure transport protocols when data moves over a network—between user devices and Microsoft datacenters or within the datacenters themselves. To help protect data at rest, Microsoft offers a range of built-in encryption capabilities.
Most Microsoft business cloud services are multitenant services, meaning that your data, deployments, and virtual machines may be stored on the same physical hardware as that of other customers. Microsoft uses logical isolation to segregate storage and processing for different customers through specialized technology engineered to help ensure that your data is not combined with anyone else’s.
Business cloud services with audited certifications such as ISO 27001 are regularly verified by Microsoft and accredited audit firms, which perform sample audits to attest that access is only for legitimate business purposes.
-
Microsoft operations and support personnel are available 24 hours a day, 365 days a year around the globe. A majority of our service operations are automated so that only a small set requires human interaction.
Microsoft engineers don’t have default access to cloud customer data. Instead, they are granted access, under management oversight, only when necessary.
Microsoft personnel will use customer data only for purposes compatible with providing you the contracted services, such as troubleshooting and improving features like protection from malware.
-
Microsoft business cloud services process various categories of data, including customer and personal data. Subprocessors are subcontractors hired by Microsoft to perform work that may require access to such data.
Subprocessors may access data only to deliver the functions in support of online services that Microsoft has hired them to provide and are prohibited from using data for any other purpose. They are required to maintain the confidentiality of this data and are contractually obligated to meet strict privacy requirements. Subprocessors are also required to meet EU General Data Protection Regulation (GDPR) requirements, including those related to implementing appropriate technical and organizational measures to protect personal data.
Microsoft requires subprocessors to join the Microsoft Supplier Security and Privacy Assurance Program. This program is designed to standardize and strengthen data handling practices, and to ensure supplier business processes and systems are consistent with those of Microsoft.
Subprocessors who have access to customer and personal data are subject to heightened requirements.
Third-party subprocessors can perform work in any of the following capacities:
- Powering cloud technologies integrated with Microsoft Online Services and Microsoft Cloud functions: Subprocessors may process, store, or otherwise access customer and personal data (consisting of pseudonymized personal identifiers) while helping to provide this service.
- Providing ancillary services: Subprocessors help support, operate, and maintain Microsoft Online Services. In such cases, the subprocessor(s) may process, store, or access customer and personal data (consisting of pseudonymized personal identifiers) while providing ancillary services.
- Providing contract staff: Contract staff work in close coordination with Microsoft employees to operate, deliver, and maintain Microsoft Online Services. While doing so, contract staff may process customer or personal data (consisting of pseudonymized personal identifiers) on behalf of Microsoft. In all such cases, the data resides only on Microsoft systems and is subject to Microsoft policies and supervision. The processing activities of these contract staff within Microsoft Online Services are subject to independent audits Microsoft conducts annually.
- Powering cloud technologies integrated with Microsoft Online Services and Microsoft Cloud functions: Subprocessors may process, store, or otherwise access customer and personal data (consisting of pseudonymized personal identifiers) while helping to provide this service.
-
Microsoft defines customer data as all data provided by the customer to Microsoft through their use of our business cloud services (see how Microsoft categorizes data). Some customer data is personal data as defined under GDPR. Microsoft also processes some personal data generated or collected through the operation of online services not contained within customer data.
The Microsoft Online Services Subprocessor List identifies subprocessors authorized to subprocess customer or personal data in Microsoft Online Services. This list is applicable for all Microsoft Online Services governed by the Microsoft Data Protection Addendum.
Microsoft publishes the names of any new subprocessors for its online services at least six months in advance of the subprocessor’s authorization to perform services that may involve access to customer data or personal data.1
To receive notifications of updates to this Subprocessor list, please follow the instructions that describe My library functionality.
