Last updated: September 2014
To report suspected security issues or abuse of Azure, please contact the cert.microsoft.com team, which is available 24x7.
Please note that it is ultimately your obligation to comply with your regulatory requirements. We provide you with information to help you do so. We commit to compliance with data protection and privacy laws generally applicable to IT service providers. If you are subject to industry or jurisdictional requirements, you will need to make your own assessment of your ability to comply. Customers in many industries and geographies have found they can use Azure in a manner that complies with applicable regulations, provided they utilize the services in a manner appropriate to their particular circumstances.
For instance, organizations covered by the E.U. Data Protection Directive should have their own policies, security, and training program in place to ensure their personnel do not use Azure in a way that violates the Directive. We will do our part by abiding by the promises we have made, thereby helping you remain compliant.
It's your data, and you retain the rights to it. Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. Microsoft will only use Customer Data for purposes compatible with providing the services. In addition to day-to-day operations, such purposes can include using Customer Data for the following:
Microsoft believes that its customers should control their own information whether stored on their premises or in a cloud service. Accordingly, we will not disclose Customer Data to a third party (including law enforcement, other government entity or civil litigant) except as you direct or as required by law. Should a third party contact us with a demand for Customer Data, we will attempt to redirect the third party to request it directly from you. As part of that, we may provide your basic contact information to the third party. If compelled to disclose Customer Data to a third party, we will promptly notify you and provide a copy of the demand, unless legally prohibited from doing so.
Except as you direct, Microsoft will not provide any third party: (1) direct, indirect, blanket or unfettered access to Customer Data; (2) the platform encryption keys used to secure Customer Data or the ability to break such encryption; or (3) any kind of access to Customer Data if Microsoft is aware that such data is used for purposes other than those stated in the request.
Microsoft may hire other companies to provide limited services on its behalf, such as providing customer support. Microsoft will only disclose Customer Data to subcontractors so they can deliver the services we have retained them to provide. Subcontractors are prohibited from using Customer Data for any other purpose, and they are required to maintain the confidentiality of your information. Subcontractors that work in facilities or on equipment controlled by Microsoft must follow our privacy standards. All other subcontractors must follow privacy standards equivalent to our own. You can download the list of subcontractors authorized to process Customer Data in Azure.
We require subcontractors to join Microsoft's Vendor Privacy Assurance Program, to meet our privacy requirements by contract, and to undergo regular privacy training. We contractually obligate subcontractors that work in facilities or on equipment controlled by Microsoft to follow our privacy standards. All other subcontractors are contractually obligated to follow privacy standards equivalent to our own.
No. Our independent audits and certifications are shared with customers in lieu of individual customer audits. These certifications and attestations accurately represent how we obtain and meet our security and compliance objectives, and serve as a practical mechanism to validate our promises for all customers. Allowing potentially thousands of customers to audit our services would not be a scalable practice and might compromise security and privacy. Our independent third-party validation program includes audits that are conducted on an annual basis to provide verification of Azure security controls.
No. Microsoft is not able to agree to custom audit obligations for individual customers. The costs and potential conflicts between varying obligations make it impractical to customize audits.