Frequently Asked Questions (FAQ)
How do I report a security incident or abuse?
To report suspected security issues or abuse of Azure, please contact the cert.microsoft.com team, which is available 24x7.
Is Azure compliant with my regulatory requirements?
Please note that it is ultimately your obligation to comply with your regulatory requirements. We provide you with information to help you do so. We commit to compliance with data protection and privacy laws generally applicable to IT service providers. If you are subject to industry or jurisdictional requirements, you will need to make your own assessment of your ability to comply. Customers in many industries and geographies have found they can use Azure in a manner that complies with applicable regulations, provided they utilize the services in a manner appropriate to their particular circumstances.
For instance, organizations covered by the E.U. Data Protection Directive should have their own policies, security, and training program in place to ensure their personnel do not use Azure in a way that violates the Directive. We will do our part by abiding by the promises we have made, thereby helping you remain compliant.
How will Microsoft use the information I store in Azure?
Microsoft will use the Customer Data you store in Azure only to provide you with the Azure service. This may include troubleshooting aimed at preventing, detecting or repairing problems affecting the operation of Azure and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam).
We may use statistical data, trends and usage information derived from your use of Azure for the purpose of providing, operating, maintaining or improving Azure as well as any Microsoft products and services used to deliver Azure.
Does Microsoft share data between its advertiser-supported services and Azure? Does Azure data-mine my data for advertising?
No. Azure does not share data with its advertiser-supported services. Azure does not mine Customer Data for advertising.
What happens if law enforcement or another third party asks Microsoft for my Customer Data? What does Microsoft do when subpoenaed for Customer Data?
Microsoft believes that its customers should control their own information whether stored on their premises or in a cloud service. Accordingly, we will not disclose Customer Data to a third party (including law enforcement, other government entity or civil litigant) except as you direct or required by law. Should a third party contact us with a demand for Customer Data, we will attempt to redirect the third party to request it directly from you. As part of that, we may provide your basic contact information to the third party. If compelled to disclose Customer Data to a third party, we will promptly notify you and provide a copy of the demand, unless legally prohibited from doing so. Microsoft also publishes a Law Enforcement Requests Report that provides insight into the scope of requests, as well as information from Microsoft's General Counsel about how the company responds to national security requests.
In what circumstances is Customer Data disclosed to subcontractors, and how do they use it?
Microsoft may hire other companies to provide limited services on its behalf, such as providing customer support. Microsoft will only disclose Customer Data to subcontractors so they can deliver the services we have retained them to provide. Subcontractors are prohibited from using Customer Data for any other purpose, and they are required to maintain the confidentiality of your information. Subcontractors that work in facilities or on equipment controlled by Microsoft must follow our privacy standards. All other subcontractors must follow privacy standards equivalent to our own. You can download the list of subcontractors authorized to process Customer Data in Azure.
How does Azure ensure subcontractors comply with Microsoft's privacy requirements?
We require subcontractors to join Microsoft's Vendor Privacy Assurance Program, to meet our privacy requirements by contract, and to undergo regular privacy training. We contractually obligate subcontractors that work in facilities or on equipment controlled by Microsoft to follow our privacy standards. All other subcontractors are contractually obligated to follow privacy standards equivalent to our own.
Does Microsoft allow customers to audit Azure operations or its data centers?
No. Our independent audits and certifications are shared with customers in lieu of individual customer audits. These certifications and attestations accurately represent how we obtain and meet our security and compliance objectives, and serve as a practical mechanism to validate our promises for all customers. Allowing potentially thousands of customers to audit our services would not be a scalable practice and might compromise security and privacy. Our independent third-party validation program includes audits that are conducted on an annual basis to provide verification of Azure security controls.
Can Microsoft customize its audit for me?
No. Microsoft is not able to agree to custom audit obligations for individual customers. The costs and potential conflicts between varying obligations make it impractical to customize audits.