• Conversations from inside the cloud:

    This new digital series captures authentic conversations about trust in Office 365 with the people that design, build, and run the Office 365 service. The first topic is ‘Why trust Office 365?’

  • Conversations from inside the cloud:

    What is Continuous Compliance?

    Shawn Veney tells how Office 365 meets the majority of industry requirements today and how our control framework keeps us ahead of any industry requirement changes.

  • Conversations from inside the cloud:

    Who has access to your data?

    Customer data is not more accessible to the people administering and running the Office 365 service. Learn specifics from Perry Clarke and Vivek Sharma about how Office 365 maintains the service and does not expose customer data to engineers during troubleshooting activities.

  • Conversations from inside the cloud:

    Is your data safe at rest?

    Vivek Sharma addresses your questions about the security of your data at rest in the Office 365 service.

  • Cloud services you can trust: Security, compliance, and privacy in Office 365

    See how our construct for security, compliance, and privacy in Office 365 has two equally important dimensions: Built-in capabilities and Customer controls.

The Office 365 Trust Center

Your people and your data are your most important assets and so, as you consider Office 365 for your productivity needs, we want to do our best to answer your top questions upfront. The Office 365 Trust Center is the place where we share our commitments and information on trust-related topics.

With the Office 365 service it’s our responsibility to keep your data safe and secure. It’s your data. You own it. You control it. And it is yours to take with you if you decide to leave the service. The core tenets of our approach to earning and maintaining your trust are:
Built-in security
  • Service-level security through defense-in-depth
  • Customer controls within the service
  • Security hardening and operational best practices
Continuous compliance
  • Proactive processes to meet your compliance needs
  • Customer controls for organizational compliance
  • Independently verified to meet evolving standards
Privacy by design
  • Your data is not used for advertising
  • You have extensive privacy controls
  • You can take your data with you when you want
Transparent operations
  • You know where your data resides and who has access
  • Visibility into availability and changes to the service
  • Financially backed guarantee of 99.9% uptime
FAQs & lists
Top questions you should ask a cloud service provider when considering the cloud for your IT services, and how Microsoft Office 365 answers these questions.
Top privacy and security considerations to help you determine the security and trustworthiness of cloud service providers and their services.
See some of the key world-class industry standards and certifications that Office 365 meets.
Detailed content
Review detailed descriptions of the services and features that are available with Office 365.
See which Microsoft Office 365 and Microsoft Dynamics CRM Online enterprise and small business offerings the Trust Center applies to. Plans must be purchased directly from or provided by Microsoft.
Review the Office 365 privacy white paper for a more detailed look at Office 365 privacy standards.
Take a look at the compliance framework for online services white paper to see how Office 365 reduces your risk of operational disruptions while increasing confidence in service stability.
This white paper describes how Office 365 fulfills the security, compliance, and risk management requirements as defined by the Cloud Security Alliance, Cloud Control Matrix.
Read the Office 365 security white paper for a detailed description of Office 365 security.
Blogs
This new From Inside the Cloud blog post shows how we continuously meet the compliance needs of your organization. Shawn Veney provides a view into our approach to regulatory compliance: how we go beyond the checkbox approach and use compliance with standards and regulations to fulfil customers’ key requirements, like location of data in certain regions, data security, and privacy.
This new From Inside the Cloud blog highlights how we manage who has access to your data in the service and gives specifics from Perry Clarke and Vivek Sharma about how Office 365 maintains the service and does not expose customer data to engineers during troubleshooting activities.
Don’t miss reading how Microsoft’s successful challenge of a National Security Letter protects our longstanding policy of notifying enterprise customers if a government requests their data.
This new digital series captures authentic conversations about trust in Office 365 with the people that design, build, and run the Office 365 service. The first topic is ‘Why trust Office 365?’
Read insights into how our contractual commitments for Office 365 and other cloud services for business, Microsoft Azure, Microsoft Dynamics CRM, and Windows Intune, are now recognized as meeting the rigorous standards of European Union (EU) privacy law.
In light of recent allegations, see how we’ve decided to take immediate and coordinated action in the areas of expanding encryption and reinforcing legal protections while increasing transparency.
Find out more about our commitment to running highly available services and our service level agreement. See how we measure availability and see our worldwide uptime numbers for Office 365 over the last six quarters.

Office 365 is a security-hardened service, designed following the Microsoft Security Development Lifecycle. We bring together the best practices from two decades of building enterprise software and managing online services to give you an integrated software-as-a-service solution.

At the service level, Office 365 uses the defense-in-depth approach to provide physical, logical, and data layers of security features and operational best practices. In addition, Office 365 gives you enterprise-grade, user and admin controls to further secure your environment.
  • 24-hour monitoring of data centers
  • Multi-factor authentication, including biometric scanning for data center access
  • Internal data center network is segregated from the external network
  • Role separation renders location of specific customer data unintelligible to the personnel that have physical access
  • Faulty drives and hardware are demagnetized and destroyed
  • Lock box processes for a strictly supervised escalation process greatly limit human access to your data
  • Servers run only processes on whitelist, minimizing risk from malicious code
  • Dedicated threat management teams proactively anticipate, prevent and mitigate malicious access
  • Port scanning, perimeter vulnerability scanning, and intrusion detection prevent or detect any malicious access
  • Encryption at rest protects your data on our servers
  • Encryption in transit with SSL/TLS protects your data transmitted between you and Microsoft
  • Threat management, security monitoring, and file/data integrity prevent or detect any tampering of data
  • Rights Management Services prevents file-level access without the right user credentials
  • Multi-factor authentication protects access to the service with a second factor such as phone
  • S/MIME provides secure certificate-based email access
  • Office 365 Message Encryption allows you to send encrypted email to anyone
  • Data loss prevention prevents sensitive data from leaking either inside or outside the organization
  • Data loss prevention can be combined with Rights Management and Office 365 Message Encryption to give greater controls to your admins to apply appropriate policies to protect sensitive data
FAQs & lists
Top privacy and security considerations to help you determine the security and trustworthiness of cloud service providers and their services.
Detailed content
Review detailed descriptions of the services and features that are available with Office 365.
This white paper outlines how Office 365 provides you the security and compliance controls you need, explaining how Office 365 has met and exceeded these needs, and how innovation continues.
This page provides information on the privacy and security features of specific services covered by the Microsoft Online Services Trust Center.
This white paper provides an understanding of what cloud computing at Microsoft means and how Office 365 delivers a trustworthy cloud computing infrastructure.
This white paper gives a look at how the Global Foundation Services organization operates, with an emphasis on the Information Security Management Forum, the Risk Management program, and the Information Security Policy program from the OSSC ISMS.
This white paper describes how Office 365 fulfills the security, compliance and risk management requirements as defined by the Cloud Security Alliance, Cloud Control Matrix.
Read how across thousands of developers and millions of lines of code, one company learns to build secure software in an increasingly insecure world.
Blogs
Learn how our construct for security, compliance, and privacy consists of two equally important dimensions to safeguard your data: built-in capabilities and customer control.
Hear how zero elevated access within the service is enabled by our underlying Roles-based Access Control (RBAC) and PowerShell infrastructures. These infrastructures make sure that anyone who needs to administer the underlying service goes through a process to get privileges before they start.
Following the why-we-built-Exchange-the-way-we-did theme, hear as we take time to explain some architectural changes that have been made to Exchange over successive releases.

When you entrust your data to Office 365 you remain the sole owner of the data: you retain the rights, title, and interest in the data you store in Office 365. It’s our policy to not mine your data for advertising purposes or use your data for anything other than providing you cloud productivity services.
  • You are the owner of the data; Microsoft is the custodian or the processor of your data
  • It’s your data, so if you ever choose to leave the service, you can take your data with you
  • We do not mine your data for advertising or other purposes
  • We do not use your data for purposes other than providing you services you pay us for
  • We regularly disclose the number of law enforcement requests we receive through our transparency reports
  • If a government approaches us for access to customer data, we encourage the inquiry to be made directly with you, the customer, and will challenge attempts to prohibit disclosure in court
  • Privacy controls allow you to configure who in your organization has access and what they can access
  • Design elements prevent mingling of your data with that of other organizations using Office 365
  • Extensive auditing and supervision prevent admins from getting unauthorized access to your data
FAQs & lists
Top privacy and security considerations to help you determine the security and trustworthiness of cloud service providers and their services.
Detailed content
Read how the Microsoft approach ensures that our customers’ data in our enterprise services remains private. Details range from the ways in which we ensure our services protect privacy to ensuring our customers make informed choices to protect their data privacy in the cloud.
Review the Office 365 Privacy white paper for a more detailed look at Office 365 privacy standards.
This page provides information on the privacy and security features of specific services covered by the Microsoft Online Services Trust Center.
Read our Office 365 privacy statement. This applies to data collected by Microsoft through your use and the administration of Office 365 services.
This document provides a straightforward guide to configuring various privacy settings found in the Office 365 Admin Service Settings page.
This white paper describes how Office 365 fulfills the security, compliance and risk management requirements as defined by the Cloud Security Alliance, Cloud Control Matrix.
The following instructions for changing privacy settings are for Office 2013. Helpful instructions are also available for Office 2010, Office 2007, and Office 2003.
Blogs
This new From Inside the Cloud blog highlights how we manage who has access to your data in the service and gives specifics from Perry Clarke and Vivek Sharma about how Office 365 maintains the service and does not expose customer data to engineers during troubleshooting activities.
Don’t miss reading how Microsoft’s successful challenge of a National Security Letter protects our longstanding policy of notifying enterprise customers if a government requests their data.
Read insights into how our contractual commitments for Office 365 and other cloud services for business, Microsoft Azure, Microsoft Dynamics CRM, and Windows Intune, are now recognized as meeting the rigorous standards of European Union (EU) privacy law.
In light of recent allegations, see how we’ve decided to take immediate and coordinated action in the areas of expanding encryption, and reinforcing legal protections while increasing transparency.

Office 365 is a global service and continuous compliance refers to our commitment to evolve the Office 365 controls and stay up to date with standards and regulations that apply to your industry and geography. Because regulations often share the same or similar controls, this makes it easier for Microsoft to meet the requirements of new regulations or those specific to your organization and industry.

In addition, Office 365 provides admin and user controls, including eDiscovery, legal hold, and data loss prevention, to help you meet internal compliance requirements. These require no additional on-premises infrastructure to use.
  • Our service is verified to meet requirements specified in ISO 27001, EU model clauses, HIPAA BAA, and FISMA
  • Our data processing agreement details privacy, security, and handling of customer data, which helps you comply with local regulations
  • We have built over 900 controls in the Office 365 compliance framework that enable us to stay up to date with ever-evolving industry standards
  • A specialist compliance team is continuously tracking standards and regulations, developing common control sets for our product team to build into the service
  • Legal hold and eDiscovery built into the service help you find, preserve, analyze, and package electronic content (often referred to as electronically stored information or ESI) for a legal request or investigation
  • Data loss prevention in Office 365 helps you identify, monitor, and protect sensitive information in your organization through deep content analysis
FAQs & lists
See some of the key world-class industry standards and certifications that Office 365 meets.
Review this FAQ to see how our commitment to transparency helps customers comply with their regulatory needs.
Review this FAQ to see how our commitment to transparency helps customers comply with their FISMA regulatory needs.
Review this FAQ to see how our commitment to transparency helps customers comply with their EU regulatory needs.
Review this FAQ to see how our commitment to transparency helps customers comply with their HIPAA/HITECH regulatory needs.
Read how we obtain third-party audits and certifications so you can trust that our services are designed and operated with the most stringent safeguards.
Detailed content
Take a look at the compliance framework for online services white paper to see how Office 365 reduces your risk of operational disruptions while increasing confidence in service stability.
This white paper describes how Office 365 fulfills the security, compliance, and risk management requirements as defined by the Cloud Security Alliance, Cloud Control Matrix.
This document provides a brief overview of regulation requirements, and a detailed analysis of how Microsoft’s cloud services were built with methodologies that map to those requirements.
Blogs
This new From Inside the Cloud blog post shows how we continuously meet the compliance needs of your organization. Shawn Veney provides a view into our approach to regulatory compliance: how we go beyond the checkbox approach and use compliance with standards and regulations to fulfil customers’ key requirements, like location of data in certain regions, data security, and privacy.
This Trustworthy Computing blog shares Microsoft perspectives about cloud computing. In this episode we discuss the concept of cloud service interdependency.
In this episode we discuss the need to classify and segregate data to enable cloud migration while still maintaining regulatory and standards requirements applicable to sensitive data.

Moving to a cloud service shouldn’t mean losing access to knowing what’s going on. With Office 365, it doesn’t. We aim to be transparent in our operations so you can monitor the state of your service, track issues, and have a historical view of availability.
  • You have on-call 24/7 phone support for critical issues
  • We have DevOps processes, which means 24/7 escalation to the actual development team to resolve issues that cannot be resolved by operations alone
  • We conduct a thorough review of all service incidents, regardless of magnitude of impact, and we share the analysis if your organization is affected
  • We commit to delivering at least 99.9% uptime with a financially backed guarantee.
  • We publish uptime for the Office 365 suite every quarter. Our most recent and historical uptimes are below.

Recent worldwide uptimes:

Quarter    Uptime
2012 Q3    99.98%
2012 Q4    99.97%
2013 Q1    99.94%
2013 Q2    99.97%
2013 Q3    99.96%
2013 Q4    99.98%
2014 Q1    99.99%

FAQs & lists
Read this FAQ about third-party data access.
We hold our subcontractors to security and privacy standards equivalent to our own and in the interest of transparency, we let you know which subcontractors we use and what they do.
We enable you to find out whether someone has accessed your data. We know that in the cloud, data access is one of your main concerns. This means both knowing that you will be able to access your data when you need to and knowing whether someone else has accessed your data. Read who can access your information and under what circumstances it can be accessed.
Detailed content
Read this white paper for a view into a standardized set of data center metrics called Power Usage Effectiveness (PUE), the processes, methods, and new technologies to improve energy efficiency and business computing ecosystems in data centers.
This paper describes how the Microsoft Global Foundation Services team, which manages and operates the company’s vast data center, right-sizes its servers to achieve maximum efficiency. The process focuses on collecting detailed performance data using representative workloads, and then analyzing that data set to select balanced servers that are optimally sized for production scenarios.
Clear documentation of our established practices in responding to government legal demands for customer data.
This document details the number of legal demands for customer data we received from law enforcement agencies around the world and how Microsoft responded to those requests.
Blogs
This new From Inside the Cloud blog highlights how we manage who has access to your data in the service and gives specifics from Perry Clarke and Vivek Sharma about how Office 365 maintains the service and does not expose customer data to engineers during troubleshooting activities.
Stay informed with the Office 365 Message Center. In an effort to improve communications, we’ve added Message Center. The Message Center helps inform Office 365 admins about new features and actions they need to take to keep their Office 365 service running smoothly.
Hear how, as a commitment to running a highly available service, we have a Service Level Agreement of 99.9% uptime that is financially backed. See how we measure availability and see our worldwide uptime number for Office 365 over the last four quarters.