Last updated: April 2015
Multi-tenant public cloud services such as Microsoft Azure raise complex privacy questions, with trust high on the list. Customers will only use services they trust. If you invest in a cloud service, you must be able to trust that the privacy of your information will be protected, and that your data will only be used in a way that is consistent with your expectations.
For over 20 years, Microsoft has been a leader in creating robust online solutions designed to protect the privacy of our customers. Today, Microsoft cloud infrastructure supports over a billion customers around the globe. Azure itself has more than 240 million user accounts, in companies and organizations in 127 countries, that entrust their mission-critical data to Microsoft.
This experience has given us the foundation for developing industry-leading privacy policies, compliance programs, and security measures that we apply across our cloud computing ecosystem. Our time-tested approach to privacy and data protection is grounded in our commitment to give organizations control over the collection, use, and distribution of their information. We strive to be transparent in our privacy practices, offer you meaningful privacy choices, and responsibly manage the data we store and process.
In the following pages, we describe the specific policies, operational practices, and technologies that help ensure the privacy of your data in Azure.
With Microsoft Azure, you are the owner of your customer data.
We define customer data as all data, including text, sound, video, or image files and software, that are provided to Microsoft by you, or on your behalf, through use of Azure. For example, it includes data that you upload for storage or processing and applications that you or your end users upload for hosting on Azure.
You can access your customer data at any time and for any reason without assistance from Microsoft. Microsoft will use your customer data only to provide the services agreed upon, including purposes that are compatible with providing those services. We will not use customer data or derive information from it for advertising.
We give you authenticated and logged access to your customer data, and restrict access to it by Microsoft personnel and subcontractors. We also take strong steps to protect your customer data from inappropriate use or loss, and to segregate your customer data on shared hardware from that of other customers.
Because the customer data you host on Azure belongs to you, you have control over where it is stored and how it is securely transferred and deleted.
Our commitment to the privacy of your customer data is backed by Microsoft’s adoption of the world’s first international code of practice for cloud privacy, ISO/IEC 27018. The British Standards Institute has independently verified that Azure is aligned with the ISO 27018 code of practice for the protection of personally identifiable information in the public cloud. Adherence also provides transparency about our policies regarding the return, transfer, and deletion of personal information you store in our datacenters.
Microsoft believes that customers should control their own data, whether stored on their premises or in a cloud service. We will never disclose Azure customer data to a government except as you direct or where required by law.
When governments make a lawful demand for Azure customer data from Microsoft, we are principled, limited in what we disclose, and committed to transparency. Put together, this adds up to the following:
We build privacy protections into Microsoft Azure through Privacy by Design, a program that guides how we build and operate products and services to protect privacy. Standards and processes that support Privacy by Design principles include the Microsoft Privacy Standard (which details Microsoft’s core privacy requirements and practices) and the Microsoft Secure Development Lifecycle (which includes addressing privacy requirements).
We then back those protections with strong contractual commitments to safeguard customer data by abiding by the EU Model Clauses, Safe Harbor programs, and ISO/IEC 27018 (which governs the processing of personal information).