Privacy: It’s all about you

We understand that when you use our cloud services, you are entrusting us with one of your most valuable assets—your data.

A woman standing at a desk in a conference room, touching a large Surface device monitor.

You trust that the privacy and confidentiality of the data you provide to us will be protected and that it will be used only in a way that is consistent with your expectations. To fulfill those expectations, we make these commitments to you and ground them in strong contractual guarantees.

Learn about Trusted data protection

You control your data

Our time-tested approach to privacy is grounded in our commitment to give you control over the data you put in the cloud. In other words: you control your data. Microsoft guarantees this with the contractual commitments we make to you.

Your data belongs to you

Your data is your business, and you can access, modify, or delete it at any time. Microsoft will not use your data without your agreement, and when we have your agreement, we use your data to provide only the services you have chosen.

Learn more

Your control of your data

Your control over your data is reinforced by Microsoft compliance with broadly applicable privacy laws such as the GDPR and privacy standards such as the world’s first international code of practice for cloud privacy, ISO/IEC 27018.

Learn more about GDPR Learn more about ISO/IEC 27018

Independent audit reports

You have access to independent audit reports of our compliance with privacy standards, which in turn offers support for meeting your own privacy obligations.

Learn more about independent audit reports

Data processing only with consent

We only process your data based on your agreement and in accordance with the strict policies and procedures that we have contractually agreed to. We do not share your data with advertiser-supported services, nor do we mine it for any purposes like marketing research or advertising.

Learn about our Online Service Terms

Subcontractors data restrictions

When we deploy subcontractors (also known as subprocessors) to perform work that may require access to your data, they can perform only the functions that Microsoft has hired them to provide, and they are bound by the same contractual privacy commitments that Microsoft makes to you. The Microsoft Online Services Subprocessor List identifies authorized, subprocessors, who have been audited against a stringent set of security and privacy requirements in advance.

Learn about our Subprocessors list notifications

You choose where your data is located

When you use Microsoft commercial cloud services, you choose the service and data location that is right for your business.

Learn more

Choices for datacenters

Based on your choice of Microsoft online services, we offer options and tools for determining where your data is stored when you use Microsoft Azure, Microsoft Dynamics 365 and Power Platform, and Microsoft 365 services. For example, Azure allows you to choose from more than 60 regions linked by one of the largest interconnected networks on the planet including more than 150 datacenters and growing. Microsoft 365 places new customers in the datacenter nearest your business address, with the flexibility to deploy in additional datacenters of your choice.

Learn more about Microsoft Azure Learn more about Microsoft Dynamics 365 and Power Platform

Choices for data residency

Because of our large and ever-expanding network of datacenters, Microsoft can offer data residency in more places in the world than any other cloud provider. This helps ensure that resiliency and compliance requirements are honored within geographic boundaries and enables customers with specific data-residency and compliance obligations to keep their data and applications close. We back these capabilities with contractual commitments to store your data within specific geographic boundaries.

Learn more about Microsoft 365 services

We secure your data at rest and in transit

With state-of-the-art encryption, Microsoft protects your data both at rest and in transit. Our encryption protocols erect barriers against unauthorized access to the data, including two or more independent encryption layers to protect against compromises of any one layer.

Data at rest

The Microsoft cloud employs a wide range of encryption capabilities up to AES-256, giving you the flexibility to choose the solution that’s best for your business.

Data in transit

Data moving between user devices and Microsoft datacenters or within and between the datacenters themselves—Microsoft uses and enables the use of industry-standard encrypted transport protocols, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec).

Encryption keys

All Microsoft-managed encryption keys are properly secured and offer the use of technologies such as Azure Key Vault to help you control access to passwords, encryption keys, and other secrets.

We defend your data

Through clearly defined and well-established response policies and processes, strong contractual commitments, and if need be, the courts, Microsoft defends your data. We believe that all government requests for your data should be directed to you. We do not give any government direct or unfettered access to customer data. Microsoft is principled and transparent about how we respond to requests for data.

Responding to data requests

Because we believe that you should have control over your own data, we will not disclose data to a government or law enforcement agency, except as you direct or where required by law. Microsoft scrutinizes all government demands to ensure they are legally valid and appropriate.

Law enforcement requests

If Microsoft receives a demand for a customer’s data, we will direct the requesting party to seek the data directly from the customer. If compelled to disclose or give access to any customer’s data, Microsoft will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so.

Learn more

Our contractual commitments

Our contractual commitments to our enterprise and public sector customers include Defend Your Data, which builds on our existing protections. We will challenge every government request for commercial and public sector customer data—from any government—where we have a lawful basis for doing so. We have a proven track record of successfully using the courts to challenge government demands that are inconsistent with the rule of law. We have more experience than any other company taking the US government to court to challenge orders seeking access to an individual’s data and to protect our ability to tell customers about those orders, even taking one case to the US Supreme Court. Our challenges have led to greater protections and transparency for our customers worldwide, including enabling us to disclose reports about the number of US national security orders we receive.

Learn more about how far we’ll go Learn more about US national security orders received

GDPR compliance

We stand behind the strength of our GDPR compliance and other data protection safeguards. To provide added reassurance against liability for our commercial and public sector customers, we will provide monetary compensation if we disclose their data in response to a government request in violation of the EU’s GDPR.

Learn more

Our promise to you

In our enduring commitment to the principles above, we are transparent about the specific policies, operational practices, and technologies that help ensure the privacy of your data in every Microsoft commercial cloud service.

And we don’t just state these promises—we contractually guarantee them in our standard contracts for commercial and public sector customers.

Microsoft Online Services Terms

Online Services Data Protection Addendum