Top 10 trust tenets
Customers need a ready-to-go productivity solution that is inherently secure and trustworthy. To help you assess
the security and trustworthiness of cloud productivity services and choose a cloud service provider that meets your security expectations,
we have identified the key privacy and security considerations that should inform your decision. They are organized as three top-ten lists: the questions to ask a provider (with the Office 365 answers), the commitments Office 365 makes about your data, and the compliance standards and contractual assurances Office 365 supports. Using these three lists can help you save time and make a more informed decision.

Top 10 questions to ask a cloud service provider:
- Data ownership: Who owns the data I put in your service?
Office 365 answer: As described on the Privacy page, you own your data.
- Data location: Where is my data located?
Office 365 answer: The Data maps page describes how your location determines the primary storage location of your data.
- Security: How is my data protected from external attacks?
Office 365 answer: The Security page and the Security white paper describe the Office 365 approach to security.
- Data portability: Can I get my data out of your service whenever I want?
Office 365 answer: Yes. The Data portability page describes how you can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.
- Data privacy: Will you use my data to build advertising products?
Office 365 answer: No. The How we use your data page shows you that Office 365 does not scan your email or documents for advertising purposes.
- Communication: Will you tell me if things change, and will you tell me if my data is compromised?
Office 365 answer: Yes. The Communications section of the Trust Center describes how we communicate to you. We promptly notify you if your data has been accessed improperly.
- Trust: Are you transparent with the way you store, use, and access my data?
Office 365 answer: Yes. The Transparency page explains that you know where your data resides, who at Microsoft can access it, and what we do with that information internally.
- Contractual obligation: Do you put these commitments in writing?
Office 365 answer: Yes. The Independently verified page describes how Microsoft will sign, with each customer, a data processing agreement, a security amendment, a HIPAA Business Associate Agreement, and the EU Model Clauses.
- Availability SLA: What are your commitments regarding keeping my service up?
Office 365 answer: Office 365 offers 99.9% uptime via a financially backed service level agreement. The Office 365 Service continuity page and the Service Continuity white paper describe the Microsoft commitment to maintaining service availability.
- Reliability: Are you backing up my data?
Office 365 answer: Yes, we do replicate customer data. The Office 365 Service continuity page describes how we always have multiple copies of your data.
Top 10 privacy and security commitments Office 365 makes:
- We restrict physical data center access to authorized personnel and have implemented multiple layers of physical security, such as biometric readers, motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.
- We enable encryption of data both at rest and in transit over the network between our data centers and your users.
- We don’t mine or access your data for advertising purposes.
- We use customer data only to provide the service; we don’t otherwise look in your mailbox without your permission.
- We regularly back up your data to ensure reliability.
- We won’t delete all the data in your account at the end of your service term until you have had time to take advantage of the data portability that we offer.
- We host your customer data in-region.
- We enforce "hard" (strong) passwords to increase the security of your data.
- We allow you to turn off and on privacy impacting features to meet your needs.
- We contractually commit to the promises made here with the data processing agreement (DPA). For more information about the DPA, visit the Data Processing Agreement section of the Independently verified page.
Top 10 compliance standards and contractual assurances Office 365 supports:
- Health Insurance Portability and Accountability Act (HIPAA):
HIPAA imposes security requirements on our customers regarding the processing of electronic protected health information. Microsoft developed Office 365 to provide physical, administrative, and technical safeguards that help our customers meet HIPAA requirements. We will sign a HIPAA Business Associate Agreement (BAA) with any customer. For more information about the HIPAA BAA, visit the HIPAA/HITECH FAQ.
- Data processing agreements (DPAs):
We provide customers with additional contractual assurances through DPAs regarding Microsoft's handling and safeguarding of customer data. By signing a DPA, we commit to more than 40 specific security commitments drawn from regulations worldwide. (Enterprise Agreement customers should contact their account representative to obtain a DPA.)
- Federal Information Security Management Act (FISMA):
FISMA requires U.S. federal agencies to develop, document, and implement controls to secure their information and information systems. The FISMA FAQ describes how the Office 365 service follows security and privacy processes relating to FISMA.
- ISO 27001:
ISO 27001 is one of the most widely recognized information security management standards in the world. Office 365 is the first major business productivity public cloud service to have implemented the rigorous set of physical, logical, process, and management controls defined by ISO 27001.
- European Union (EU) Model Clauses:
EU Model Clauses enable customers to legally transfer personal data outside of the EU under the EU Data Protection Directive, a key instrument of EU privacy and human rights law. Office 365 meets the standard that the EU sets for privacy and security and offers the Model Clauses to customers. The EU Model Clauses FAQ describes the Microsoft regulator-endorsed processes for any customer doing business in Europe or with European customers.
- U.S.–EU Safe Harbor framework:
The U.S.-EU Safe Harbor framework also enables customers to legally transfer personal data outside of the EU under the EU Data Protection Directive. Office 365 follows the principles and processes stipulated by the U.S.-EU Safe Harbor framework.
- Family Educational Rights and Privacy Act (FERPA):
FERPA imposes requirements on educational organizations regarding the use or disclosure of student education records, including email and attachments. Microsoft agrees to use and disclosure restrictions imposed by FERPA that limit our use of student education records, including agreeing to not scan emails or documents for advertising purposes.
- Statement on Standards for Attestation Engagements No. 16 (SSAE 16):
Office 365 has been audited by independent third parties and can provide SSAE16 SOC 1 Type I and Type II reports on how the service implements controls.
- Canadian Personal Information Protection and Electronic Documents Act (PIPEDA):
Microsoft's administration of Office 365 complies with PIPEDA, which governs how private sector organizations collect, use, and disclose personal information in the course of commercial activity.
- Gramm–Leach–Bliley Act (GLBA):
The Gramm–Leach–Bliley Act requires financial institutions to put processes in place to protect their clients' nonpublic personal information against foreseeable threats to its security and integrity. Office 365 can support compliance with GLBA requirements through processes that govern the collection, disclosure, and protection of consumers' nonpublic personal information and personally identifiable information.