Privacy in Azure
When you use Azure services, you are entrusting us with one of your most valuable assets—your data. You trust that the privacy and confidentiality of the data you store and process in Azure services will be protected and that it will be used only in a way that is consistent with your expectations.
You control your data
With Azure, you are the owner of the data that you provide for storing and hosting in Azure services. We do not share your data with advertiser-supported services, nor do we mine it for any purposes like marketing research or advertising.
We process your data only with your agreement, and when we have your agreement, we use your data to provide only the services you have chosen. These agreements apply equally to subcontractors (or, subprocessors) that Microsoft authorizes and hires to perform work that may require access to your data: they can perform only the functions that Microsoft has hired them to provide, and they are bound by the same contractual privacy commitments that Microsoft makes to you.
If you leave the Azure service or your subscription expires, Microsoft follows strict standards for removing data from its systems.
You choose where your data is located
When you use Azure, you choose where your data is located. Through our large and ever-expanding network of datacenters around the globe, Microsoft offers data residency Azure allows you to choose from more than 60 regions linked by one of the largest interconnected networks on the planet, including more than 150 datacenters and growing.
However, no matter where your data is stored, Microsoft does not control or limit the locations from which you or your end users may access, copy, or move customer data. Most Azure services enable you to specify the region where your customer data will be stored and processed.
Azure offers tools to help you control the location of your data—for example, you can use Azure Policy or Azure Blueprint to restrict access to selected regions for your subscription.
Azure secures your data at rest and in transit
With state-of-the-art encryption, Azure protects your data both at rest and in transit. Azure secures your data using various encryption methods, protocols, and algorithms, including double encryption.
- For data at rest, all data written to the Azure storage platform is encrypted through 256-bit AES encryption and is FIPS 140-2 compliant. Proper key management is essential. By default, Microsoft-managed keys protect your data, and Azure Key Vault helps ensure that encryption keys are properly secured. Azure key management also includes server-side encryption that uses service-managed keys, customer-managed keys in Azure Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, you can manage and store keys on-premises or in another secure location.
- For data in transit—data moving between user devices and Microsoft datacenters or within and between the datacenters themselves—Microsoft adheres to IEEE 802.1AE MAC Security Standards, and uses and enables your use of industry-standard encrypted transport protocols, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec).
Microsoft defends your data
Through clearly defined and well-established response policies and processes, strong contractual commitments, and if need be, the courts, Microsoft defends your data. We believe that all government requests for your data should be directed to you. We do not give any government direct or unfettered access to customer data. Microsoft is principled and transparent about how we respond to requests for data.
Because we believe that you have control over your own data, we will not disclose data to a government except as you direct or where required by law. Microsoft scrutinizes all government demands to ensure they are legally valid and appropriate.
If Microsoft receives a demand for a customer's data, we will direct the requesting party to seek the data directly from the customer. If compelled to disclose or give access to any customer's data, Microsoft will promptly notify the customer and provide a copy of the demand unless legally prohibited from doing so.
Azure adheres to privacy standards
Get details on how Azure also complies with many external privacy standards, laws, and regulations, including: the GDPR, ISO/IEC 27701, ISO/IEC 27018, EU Standard Contractual Clauses, HIPAA, HITRUST, FERPA, Japan My Number Act, Canada PIPEDA, Spain LOPD, and Argentina PDPA.
Microsoft Online Services Terms and Data Protection Addendum
Read our standard contractual language for data processing in the Microsoft Online Services Terms (OST).
Read the Online Services Data Protection Addendum (DPA), and addendum to the OST.
Get help fulfilling your General Data Protection Regulation (GDPR) obligations with documentation specific to Azure, including: