All organizations, no matter the size, are concerned about security. We’ve compiled a list of the top questions that we receive about security, as well as resources for finding more information.
Who has access to my data? Access to customer data is strictly controlled and logged. Sample audits are performed by both Microsoft and third parties to attest that access is only for appropriate business purposes. Learn more here.
Does Microsoft use my data for advertising? Microsoft does not use your data for anything other than providing the service you have subscribed for. Microsoft will never scan your email or documents for advertising purposes. More information can be found here.
Where is my data stored? Microsoft has a regionalized data center strategy. The customer’s country or region, which the customer’s administrator inputs during the initial setup of the services, determines the primary storage location for that customer’s data. As a standard, Microsoft does not publicly disclose the locations of its data centers. For specific details about where data is geographically located, see the information in the Data Maps table located here.
If I want to leave Office 365, can I get my data out? You own your data, not Microsoft. You are able to download your data at any time, for any reason, without permission from Microsoft. Upon expiration or termination of your Office 365 subscription or contract, Microsoft will provide you, by default, additional limited access for 90 days to export your data. To learn more, go here.
What is Microsoft’s position on government “snooping”? Microsoft takes your privacy concerns very seriously. Microsoft has taken steps to ensure governments use legal process rather than technological brute force to access customer data. Read the official Microsoft position here. Microsoft recently released related to an FBI National Security Letter that Microsoft successfully challenged in court late last year. You can learn more here.
We have specific compliance standards that must be met. What standards do you meet, and how can we verify them? On behalf of Office 365 Microsoft is willing to sign with each customer a data processing agreement, security amendment, HIPAA business associate agreement, and the EU model clauses. Microsoft complies with the standards listed below. For more information, please visit the Independently verified section of the Office 365 Trust Center.
Health Insurance Portability and Accountability Act (HIPAA)
Data processing agreements (DPAs)
Federal Information Security Management Act (FISMA)
European Union (EU) Model Clauses
U.S.–EU Safe Harbor framework
Family Educational Rights and Privacy Act (FERPA)
Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
Gramm–Leach–Bliley Act (GLBA)
What happens if the data center where my data is located is compromised or destroyed? Microsoft applies best practices in design and operations, such as redundancy, resiliency, distributed services, and monitoring.
Microsoft has built physical redundancy at the disk/card level within servers, the server level within a datacenter and the service level across geographically separate data centers to protect against failures.
Each data center has facilities and power redundancy.
Microsoft has multiple datacenters serving every region.
To build redundancy at the data level, Microsoft constantly replicates data across geographically separate datacenters.
The design goal is to maintain multiple copies of data whether in transit or at rest and failover capabilities to enable rapid recovery.
Is the service really available 99.9% of the time? I hear stories that it is not that reliable. Microsoft recently began publishing quarterly uptime availability reports. They can be accessed here.
Will you let us know if our data is compromised? Microsoft will inform you if there are any important changes to the service with respect to security, privacy, and compliance. Microsoft will also promptly notify you if your data has been accessed improperly.
Where can I learn more? The Office 365 Trust Center contains a wealth of information about security controls in Office 365. As always, if you have a specific security concern and can’t find information, feel free to contact us.