mopdf.com

Document Classification: PublicDocument Location: http://aka.ms/Office365-PrivacyDocument Feedback: [email protected] a g e 3Privacy in Office 365Microsoft understands that strong privacy protections are essential for building trust in cloudcomputing, and implements them in Office 365 as follows: Data use Microsoft details how it manages and uses customer data, and provides explicitstatements that Microsoft uses customer data only for maintaining and securing Office 365services. Office 365 does not use customer data to create advertisements.Shared data storage To enable cost savings and efficiencies for data storage, Microsoft storescustomer data from multiple customers on the same equipment (known as a multi-tenantarchitecture). However, the company goes to great lengths to help ensure that multi-tenantdeployments of Office 365 1 logically separate the data (and processing) of different accountsand support the privacy and security of the data stored.Data portability Microsoft enables Office 365 customers to export any or all of their data atany time and for any reason, without any assistance from Microsoft. Even after an Office 365account expires or is closed, customers by default have limited access for an additional 90 daysto export data.Transparency The Office 365 Trust Center and the Microsoft Trust Center detail the policiesand practices that Microsoft uses to protect customer data. The Microsoft Transparency Hubprovides customers with direct access to several reports regarding law enforcement andgovernment access to customer data.Access Microsoft identifies who can access customer data and the circumstances under whichthey can access it. Microsoft also logs and reports all access to customer data and other criticaldata. Additionally, Microsoft and its third-party auditors conduct sample audits to help ensurethat the customer’s data is accessed only for appropriate business purposes.Geographic location of data For customers interested in knowing where their data is stored,including the assignment of private storage locations, Microsoft tells customers where its majordatacenters are located, and how it determines where data is stored at rest. Office 365administrators can also choose to receive updates to changes in datacenter locations. Microsoftdoes not control or limit the regions from which a customer it’s users may access or movecustomer data.Microsoft recognizes that cloud services often raise unique security and privacy questions for business,education, and government customers, so we have adapted our Office 365 policies and governanceprograms to address customer concerns, facilitate regulatory compliance, and to build greater trust inOffice 365 and cloud computing. For example, we contractually commit to specific data handlingprocesses as part of our agreements for Exchange Online, SharePoint Online, Skype for Business, andother cloud services. We also provide customers with flexible management tools that help protectsensitive data and support compliance with government privacy and security guidelines. Suchtransparent policies and strong tools are essential for our customers as they deal with the privacy andsecurity questions that arise from their use of cloud services.1This link points to a document available on the Microsoft Cloud Service Trust Portal (STP). For information on how to access the STP, see Getstarted with the Service Trust Portal for Office 365 for business, Azure, and Dynamics CRM Online subscriptions.

Document Classification: PublicDocument Location: http://aka.ms/Office365-PrivacyDocument Feedback: [email protected] a g e 4Office 365 is built with an emphasis on strong data protection. Reflecting Microsoft’s approach toprivacy by design, a team of privacy professionals has been dedicated to Office 365 since the beginningof the development cycle and has worked and continues to work in close partnership with engineers,business planners, and marketers. Consequently, privacy has been an integral part of Office 365 fromthe beginning, not an afterthought. In addition, employees throughout the organization are accountablefor managing the service’s privacy and security risks. The result is an enterprise cloud service with robustdata protections that reflect Microsoft’s core privacy tenets of responsibility, transparency, and choice.Microsoft understands that managing customer information is a responsibility that includes importantsecurity and privacy obligations. This is particularly true for cloud-based services such as Office 365. Wehave a broad network of people and processes that implement our privacy standards and provideprivacy guidance and training. If a privacy incident occurs, we have rigorous procedures to address theproblem, diagnose the cause, and update customers in a timely manner.Criteria for determining appropriate levels of privacy and security in the cloud are changing rapidly.What matters most today may be a low priority tomorrow. As a result, when evaluating a cloudprovider, organizations would be wise to consider the depth and breadth of the provider’s governancemodel and its ability to quickly adapt to changing privacy priorities.With Office 365, we have employed a variety of risk management mechanisms to appropriately manageregulatory change, organizational change, personnel change, and technological change. Before any ofthe services that are part of Office 365 launch to the public, subject-matter experts conduct privacy,security, and business continuity risk assessments on each service and work closely with the serviceowners to remediate any identified risks. After launch, we use a process of continuous monitoring toensure that our data protection systems are functioning properly. We test required functionalityannually, semi-annually, quarterly, monthly, or at the time of each new release, depending on the levelof risk associated with the particular privacy or security control. We also conduct regular riskassessments to refresh the control framework and, if necessary, to reset priorities if new aspects of theservice emerge as high-risk. This multi-layered and continuous approach to monitoring the Office 365data protection environment helps us quickly diagnose and remedy problems that occur and helps ourcustomers respond quickly to shifting regulatory or industry requirements.Microsoft’s Approach to Regulatory ComplianceJust as Microsoft has a responsibility to process our enterprise customers’ information in a trustworthymanner, many of our customers have a responsibility to comply with national, regional, and industryspecific requirements governing the collection and use of individuals’ data. As a provider of global cloudservices, we must run our services with common operational practices and features that span multiplecustomers and jurisdictions. To fulfill our privacy responsibility to our customers as well as help ourdiverse customer base fulfill its regulatory obligations, we set the bar high and then build our services tomeet that bar using common privacy and security controls. While it is ultimately up to our customers todetermine whether our services satisfy their specific regulatory needs, we are committed to providingdetailed information about our cloud services to help them in their assessments.One tool we have developed to facilitate customers’ assessments of Office 365 is the Microsoft TrustCenter, an online repository of detailed information about Office 365 privacy and security practices. Forexample, on the Regulatory Compliance page of the Trust Center, we explain how we believe Office 365

Document Classification: PublicDocument Location: http://aka.ms/Office365-PrivacyDocument Feedback: [email protected] a g e 5helps facilitate compliance with a range of major statutes, from European Union data protection laws tothe U.S. Gramm-Leach-Bliley Act, which includes provisions on the protection of consumers’ financialinformation.Another resource we offer to help customers evaluate Office 365 is detailed information about the wellrecognized certifications that the service has attained. On the Security, Audits, and Certifications page ofthe Trust Center, customers can locate information about the certifications held by both Of fice 365 andthe Microsoft datacenters that host the service. On the Microsoft Cloud Service Trust Portal and withinthe Service Assurance dashboard, we also enable customers to download third-party audit reports forOffice 365, Azure, and more. By making this information readily available, we empower customers tovalidate that what we say about our security and privacy practices has been affirmed by an accreditedthird party.Support for EU-U.S. Privacy ShieldMicrosoft supports the recently announced EU-U.S. Privacy Shield, which sets a new high standard forthe protection of Europeans’ personal data. The Privacy Shield secures Europeans’ right to legal redress,strengthens the role of data protection authorities, introduces an independent oversight body, and itclarifies data collection practices by U.S. security agencies. In addition, it introduces new rules for dataretention and onward transfer of data. Key Privacy Shield provisions will also be extended to alternativedata transfer mechanisms, such as EU Model Clauses. Microsoft has begun the process of implementingthe Privacy Shield requirements, which it previously announced it would sign up for in April 2016.On August 1, 2016, Microsoft signed up for the EU-U.S. Privacy Shield and submitted its Privacy Shieldcertification to the U.S. Department of Commerce. Going forward, any data which we will transfer fromEurope to the United States will be protected by the Privacy Shield’s safeguards. 2Using Customer Data Only for Providing ServicesResponsible cloud providers must have strong internal policies in place that clearly delineate what theprovider and its partners can and cannot do with customer information. In Office 365, we use ourcustomers’ data only for what they pay us for—to maintain and provide Office 365 services. As part ofproviding a quality service, we will troubleshoot in order to prevent, identify, or repair problems and toimprove features that protect our customers. Microsoft does not build advertising products out of ourcustomers’ data. We also don’t scan our customers’ email or documents for the purpose of buildinganalytics, data mining, advertising, or improving the service without our customers’ permission.Government Access to Customer DataMicrosoft does not provide any government with direct and unfettered access to its customers’ data,and Microsoft does not provide any government with its encryption keys or the ability to break itsencryption. If a government entity approaches Microsoft directly with a request related to a MicrosoftOnline Services customer, Microsoft will first try to redirect the entity to the customer to respond. IfMicrosoft is required to respond to the demand, Microsoft will promptly notify the customer andprovide a copy of the demand (unless legally prohibited).Microsoft publishes its law enforcement requests report to identify the number and types of requests itreceives and its compliance with those requests. Microsoft recently received permission from the U.S.2See 1/microsoft-signs-privacy-shield/ for the official announcement.

Document Classification: PublicDocument Location: http://aka.ms/Office365-PrivacyDocument Feedback: [email protected] a g e 6government to publish information about Foreign Intelligence Surveillance Act orders and NationalSecurity Letters.Trust with TransparencyAlthough many organizations cite privacy and security concerns as major obstacles to their adoption ofcloud services, information on the privacy and security practices of many cloud providers is eitherdifficult to find or indecipherable to all but the most astute IT professionals. To help our customers findanswers to their privacy and security questions about Office 365, we strive to be as transparent aspossible about our data protection policies and procedures.The centerpiece of our transparency efforts is the Microsoft Trust Center, which includes several serviceTrust Centers: Office 365Microsoft AzureMicrosoft Commercial SupportMicrosoft Dynamics AXMicrosoft Dynamics CRM OnlineMicrosoft IntuneMicrosoft National CloudsPower BIThe Microsoft Trust Center is designed to provide answers to questions that customers have about ourcloud services, such as who can access their data, where their data is stored, and how they can verifythat Microsoft is doing what it says. Our compliance is independently audited, and we’re transparent onmany levels—from how we handle legal demands for your customer data to the security of our code.We offer detailed trust information on each of our cloud services. For example, on the Office 365 TrustCenter, we describe our approach to security, privacy, compliance, and transparency. We state clearlythat customers own their data and that we are the custodian or processor of your data. And thatbecause it is your data, if you ever choose to leave the service, you can take your data with you.Regulatory Compliance in Office 365To help organizations comply with national, regional, and industry-specific requirements governing thecollection and use of individuals’ data, Microsoft offers the most comprehensive set of certifications andattestations of any cloud service provider. To demonstrate that these controls deliver compliance youcan rely on, Microsoft enterprise cloud services are independently validated through certifications andattestations, as well as third-party audits. In-scope services within the Microsoft Cloud meet keyinternational and industry-specific compliance standards, as well as regional and country-specificstandards and contractual commitments. In addition, rigorous third-party audits validate the adherenceof our cloud services to the strict requirements these standards mandate.Customers can view by service, location, and industry, all of the global standards to which Office 365and other Microsoft cloud services conform on the Compliance page of the Microsoft Trust Center.

Document Classification: PublicDocument Location: http://aka.ms/Office365-PrivacyDocument Feedback: [email protected] a g e 7Microsoft Privacy ResourcesListed below is a sampling of the privacy resources from Microsoft that are available to customers andprospective customers. Microsoft Privacy PracticesPrivacy Guidelines for Developing Software Products and ServicesMicrosoft Trustworthy ComputingPrivacy ModelsMicrosoft Online Services Privacy StatementCloud Privacy at MicrosoftMicrosoft Transparency Hub - Law Enforcement RequestsBrad Smith blog post - Responding to government legal demands for customer dataBrad Smith blog post - Our search warrant case: An important decision for people everywhereJohn Frank blog post - EU-U.S. Privacy Shield: Progress for privacy rightsEU Policy blogs from Microsoft on PrivacyMicrosoft has also created a guide called Building Global Trust Online, 4th Edition: MicrosoftPerspectives for Policymakers, which was compiled from extensive work and ongoing research byMicrosoft teams, as well as consultation with external subject-matter experts to provide ongoingeducation about policy topics related to privacy, security, safety, and accessibility.SummarySince Microsoft recognizes that privacy and security are major concerns for cloud customers, wedeveloped Office 365 from the ground up with strong data protection in mind. Microsoft’s privacyprinciples and privacy standards guide the collection and use of customer and partner information atMicrosoft and give our employees a clear framework to help ensure that we manage data responsibly.The Microsoft Corporate Privacy Policy comprises six key privacy principles for the protection andappropriate use of customer information, such as information submitted by customers, data obtainedfrom third parties, and data that is automatically collected.Microsoft recognizes that cloud services often raise unique security and privacy questions for business,education, and government customers, so we have adapted our Office 365 policies and governanceprograms to address customer concerns, facilitate regulatory compliance, and to build greater trust inOffice 365 and cloud computing. Reflecting Microsoft’s approach to privacy by design, a team of privacyprofessionals was dedicated to the product early in the development cycle and worked in closepartnership with engineers, business planners, and marketers. Consequently, privacy has been anintegral part of Office 365 from the beginning, not an afterthought. In addition, employees distributedthroughout the organization are accountable for managing the service’s privacy and security risks. Theresult is an enterprise cloud service with robust data protections that reflect Microsoft’s core privacytenets of responsibility, transparency, and choice.

Aug 15, 2016 · Office 365 is built with an emphasis on strong data protection. Reflecting Microsoft’s approach to privacy by design, a team of privacy professionals has been ded