Updated: July 16, 2020 (July 25, 2017)
Analyst Report
Office 365 Compliance Framework
Microsoft certifies that Office 365 services meet regulatory and industry standards for data protection, including security and data privacy. However, each service is certified separately, and some do not meet all standards. Organizations should review their data protection requirements and ensure that they are using only the services that can meet those standards.
Certification Process for Services
The Office 365 Compliance Framework describes the regulatory and industry standards for data protection that each Office 365 service meets. The framework applies to Office 365 commercial and education offerings but not to consumer-level plans. Other hosted offerings, like Azure, are not rated within this framework. Each service’s compliance is audited by a third-party independent agency, and Microsoft publishes the results in a Compliance Reports portal.
Services are categorized according to their level of data protection. The framework defines four categories of compliance, including contractual commitments to meet U.S. and E.U. data residency requirements, with Category A being the weakest and Category D being the most robust. (See the illustration “Office 365 Compliance Framework Categories”.)