Updated: July 11, 2020 (May 20, 2013)
Sidebar: Office 365 and Compliance Standards
Customers may need to work with Microsoft to assess their information security and privacy rights, and their security and privacy limitations under multitenant deployments of Office 365. For example, Microsoft has stated that it must comply with U.S. federal law and, as a result, could not guarantee that data hosted in the European Union (EU) would not leave the European Economic Area if requested by the U.S. government under the U.S. Patriot Act. Similarly, organizations should consider whether they use export-controlled information and how export regulations might affect their use of Office 365.
While Microsoft has not provided public documentation describing how the multitenant services are structured and segregated to ensure data security, privacy, compliance, and reliability, the company has worked with auditors to attest to the services’ compliance with certain privacy and security standards, including the following:
- EU Model Clauses, which address international transfers of data