Microsoft Office 365


Microsoft Office 365 for business provides virtually anywhere access to Office applications, enterprise-grade email, file sharing, conferencing, a public website, and more cloud services. Microsoft is based in Redmond, Washington, USA and has been providing Office 365 since 2011. Microsoft provides a wide variety of contact points: you can access the web portal for support or technical help, email customer service, live chat with a virtual agent, connect with customer support on Twitter, or call Microsoft directly.

Microsoft encrypts all data in transit between your computer and their servers, but they may not encrypt your data while it is on their servers. Microsoft maintains data centres that are widely distributed all over the world in places like the USA, Ireland, the Netherlands, Singapore, and Hong Kong (to name a few). Their data centres are state-of-the-art and have been independently audited to stringent certifications that ensure your data is stored securely while still being easily available to you. These measures help Microsoft maintain its guaranteed availability of over 99.9% (Microsoft services are guaranteed to be inaccessible less than 0.1% of the time).

Microsoft allows you to import data into its various services or export from them should you wish to back up your data or migrate to another service. Microsoft also states: “you own your data, and retain all rights, title and interest in the data you store with Office 365.” Upon account termination, Microsoft will provide you access to export your data for 90 days. After that period of time, Microsoft may delete your data.

Microsoft has created its own privacy and security disclosure in response to the New Zealand Privacy Commissioner. It's available here: http://aka.ms/NZprivacyOffice365

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name: Microsoft
Company Website: https://www.microsoft.com
Company Phone Number: 1-800-642-7676
Company Email Address: TBD
Physical Address: 1 Microsoft Way, Redmond, WA, USA

What services does this disclosure apply to?
Microsoft Office 365
http://office.microsoft.com

What country holds legal jurisdiction over the service(s)?
USA

How long has your company been operating?
Since April 1974.

How long has your company been providing the service(s) covered in this disclosure?
Since June 2011.

Is your company currently profitable?
Yes.


Customer Support and Service Level Agreement

What are your standard customer support hours?
24/7

What channels are available for communication with clients?
Clients can access the web portal for support or technical help. They can also call us directly, email customer service, live chat with a virtual agent, or connect with Microsoft Customer Service Support on Twitter.
http://smallbusiness.support.microsoft.com/en-us/contact

Which is your preferred channel for client communications?
Not available

Do you collect any information from client communications?
At some Microsoft sites, we ask you to provide personal information, such as your e-mail address, name, home or work address, or telephone number. We may also collect demographic information, such as your ZIP code, age, gender, preferences, interests and favorites. If you choose to make a purchase or sign up for a paid subscription service, we will ask for additional information, such as your credit card number and billing address.
http://privacy.microsoft.com/en-us/fullnotice.mspx

What is your standard response time for customer support inquiries?
Not available

Do you proactively communicate information about future planned outages and maintenance to clients?
Planned downtime results from regular Microsoft-initiated service updates to the infrastructure and software applications deployed. Planned maintenance notifications inform customers about service infrastructure work that might affect some Office 365 services. Customers are notified no later than five business days in advance of all planned maintenance via the Service Health Dashboard.
Office 365 Security and Service Continuity Service Description
http://www.microsoft.com/en-us/download/details.aspx?id=13602

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Microsoft Customer Service and Support recognizes that timely and accurate communications are critical for customer organizations and partners. Microsoft notifies Microsoft Office 365 subscribers by updating the Service Health Dashboard that is available on the Microsoft Office 365 Portal.
Office 365 Security and Service Continuity Service Description
http://www.microsoft.com/en-us/download/details.aspx?id=13602

Do you make incident reports available to clients after major incidents?
A Post Incident Review (PIR) will be provided for any Service Incident (SI) that is published on the Service Health Dashboard (SHD). A customer can also request the PIR for any issue that is published on the SHD. This detailed report includes:
• An incident summary and event timeline
• Broad customer impact and root cause analysis
• Actions being taken for continuous improvement
Because of the time and resources required to conduct an in-depth subsequent analysis, the time to dispatch the detailed PIR document is a minimum of five working days following the resolution of the SI. Administrators can request a PIR using a standard online service request submission through the Microsoft Office 365 Portal or a phone call to Microsoft Customer Service and Support.
Office 365 Security and Service Continuity Service Description
http://www.microsoft.com/en-us/download/details.aspx?id=13602

What is the expected uptime of the service?
Office 365 has a 99.9% uptime guarantee.
http://office.microsoft.com/en-us/business/what-is-office-365-FX102997580.aspx

Has the service experienced any outages in the last 12 months?
Not available

Does the SLA guarantee service uptime?
Office 365 has a 99.9% uptime guarantee.
http://office.microsoft.com/en-us/business/what-is-office-365-FX102997580.aspx


Security

Are logs kept of client logins and locations?
Not available

Does your service support password/account recovery?
Yes. Contact your account administrator to reset your password. If you are an account administrator, you can reset your password using an alternate email account and mobile phone number.
https://prs-ncu.passwordreset.microsoftonline.com

Does the service monitor for any suspicious account activity?
Intrusion detection systems provide continuous monitoring of all access to the Office 365 services. Sophisticated correlation engines analyze this data to immediately alert staff of any connection attempts that are classified as suspicious.
Office 365 Security and Service Continuity Service Description
http://www.microsoft.com/en-us/download/details.aspx?id=13602

Does your service offer two-step or multi-factor authentication?
Strong authentication (two-step authentication) is available, but only when using a single sign-on (SSO) solution such as Active Directory.
http://community.office365.com/en-us/wikis/sso/294.aspx

Does your service offer login via other services?
Yes, we support single sign-on (SSO) using Active Directory so users can utilize their existing login credentials from their business network.

Does your service secure all client data in transit?
All connections established over the Internet to the Office 365 service are encrypted using industry-standard, 128-bit Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption. Office 365 supports additional security measures to protect sensitive information such as Secure/Multipurpose Internet Mail Extensions (S/MIME) for public key encryption and digital signatures as well as Information Rights Management protection for restricting who can access and perform specific actions on documents, email, and even voicemail messages.
Security in Office 365 White Paper
http://www.microsoft.com/en-us/download/details.aspx?id=26552

Does your service secure client data at rest?
Not available

Does your service allow clients to collaborate with 3rd parties?
Not available

Does your primary system reside in a data center with a security certification?
Yes. All primary systems have the following certifications:
• ISO 27001
• HIPAA-BAA
• FISMA
http://www.microsoft.com/en-us/office365/independently-verified.aspx

All Microsoft Online Services data centers have biometric access controls, with the majority of the data centers used to provide Microsoft Online Services requiring palm prints to gain physical access to the data centers. Physical access to the Microsoft Online Services data centers is controlled by two tier authentication including proxy card access readers (card access badge required) and hand geometry biometric readers.
http://www.microsoft.com/online/legal/v2/?docid=24

Does your backup/disaster recovery system reside in a data center with a security certification?
Yes. All backup systems have the following certifications:
• ISO 27001
• HIPAA-BAA
• FISMA
http://www.microsoft.com/en-us/office365/independently-verified.aspx

All Microsoft Online Services data centers have biometric access controls, with the majority of the data centers used to provide Microsoft Online Services requiring palm prints to gain physical access to the data centers. Physical access to the Microsoft Online Services data centers is controlled by two tier authentication including proxy card access readers (card access badge required) and hand geometry biometric readers.
http://www.microsoft.com/online/legal/v2/?docid=24


Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
You own your data, and retain all rights, title and interest in the data you store with Office 365
http://www.microsoft.com/en-us/office365/data-portability.aspx

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
Yes.

Does client use of your service generate any metadata or other statistical information?
We use the information we collect to provide the services you request. Our services may include the display of personalized content and advertising.
We use your information to inform you of other products or services offered by Microsoft and its affiliates, and to send you relevant survey invitations related to Microsoft services.
We do not sell, rent, or lease our customer lists to third parties. In order to help provide our services, we occasionally provide information to other companies that work on our behalf.

http://privacy.microsoft.com/en-us/default.mspx


Data Location

Where are the primary systems that host client data located?
For customers with a Ship-To Address in the Americas:
• Quincy, Washington
• San Antonio, Texas
• Chicago, Illinois
• and other United States-based Data Centers
For customers with a European Union Ship-To Address:
• Dublin, Ireland
• Amsterdam, Netherlands
• United States
For customers with an Asia-Pacific Ship-To Address:
• Singapore
• Hong Kong
• United States
http://www.microsoft.com/online/legal/v2/?docid=25

Where are the backup/disaster recovery systems that host client data located?
For customers with a Ship-To Address in the Americas:
• Quincy, Washington
• San Antonio, Texas
• Chicago, Illinois
• and other United States-based Data Centers
For customers with a European Union Ship-To Address:
• Dublin, Ireland
• Amsterdam, Netherlands
• United States
For customers with an Asia-Pacific Ship-To Address:
• Singapore
• Hong Kong
• United States
http://www.microsoft.com/online/legal/v2/?docid=25

Are there any other systems that host client data on behalf of your service?
No.


Data Access and Use

Does the client have full access to their data during the service contract period?
You can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.
http://www.microsoft.com/en-us/office365/data-portability.aspx

Can the client freely download their data from the service during the contract period?
You can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.
http://www.microsoft.com/en-us/office365/data-portability.aspx

Can the client easily import/upload their data from a competing service provider into your service?
Not available

Does your service include an API to access client data?
Not available

Following termination of the service, will the client be able to access their data?
Upon expiration or termination, Microsoft will provide you, by default, additional limited access for 90 days to export your data.
http://www.microsoft.com/en-us/office365/data-portability.aspx

Following termination of the service, is all client data deleted?
Upon expiration or termination of Customer’s use of the Microsoft Online Services, Customer may extract Customer Data and Microsoft will delete Customer Data, each in accordance with the Product Use Rights.
Office 365 and CRM Online Data Processing Agreement
http://g.microsoftonline.com/0BX10en/630

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
Database administrators, by definition, have access to all the resources on a database — including customer data. However, Microsoft strictly prohibits accessing customer data for purposes other than business needs such as performance tuning of databases, or migrating customers from one database to another.
Access to customer data is strictly controlled and logged and sample audits are performed both by Microsoft and third parties to attest that access is only for appropriate business purposes.
http://www.microsoft.com/online/legal/v2/?docid=24

Microsoft logs access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Office 365 and CRM Online Data Processing Agreement
http://g.microsoftonline.com/0BX10en/630

Does your company use client data or information for any business function (other than the provision of the service)?
We use your data for just what you pay us for – to maintain and provide Microsoft Online Services. We make it our policy to not use it for other purposes. Our business services are designed and operated completely separate from Microsoft’s consumer services. While some data may be stored or processed on systems used both for consumer and business services, business services data is not shared with systems used for advertising.
http://www.microsoft.com/online/legal/v2/?docid=23

Does your company use client data or information to generate revenue (other than the provision of the service)?
No.

Do you access client data in any additional circumstance not yet specified in this disclosure?
No.


Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
Not available

Do you notify clients if their data has been lost or compromised?
Not available


Backup and Maintenance

Does your service support data versioning?
Not available

How often are service/client data backups performed?
As for backups, content is replicated from a primary data center to a secondary data center. As such, there is not a specific backup schedule as the replication is constant. Customers can choose to perform their own extractions/backups if necessary.
Standard Response to Request For Information-O365-Security-Privacy_v2.docx
http://www.microsoft.com/en-us/download/details.aspx?id=26647&langid=en-us

What method is used to perform service/client data backups?
Customer data is stored in a redundant environment with robust backup, restore, and failover capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically dispersed data center.
Standard Response to Request For Information-O365-Security-Privacy_v2.docx
http://www.microsoft.com/en-us/download/details.aspx?id=26647&langid=en-us

How long is backup data retained for?
N/A


Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.