FAQ - Microsoft Office 365 Privacy & Security

Where is the data stored?

Data for organisations in the UK is all hosted within the EU. The primary Microsoft data centre we host the service in is located in Dublin and the fail-over is to Amsterdam.

How often is the data backed up?

The idea of “back up” is very different with Office 365 than with traditional locally hosted services. We use a network of globally redundant data centres and replicate data on multiple servers across the two data centres. Any one time we keep 3 copies of the organisation's data across the two data-centres mentioned (Dublin & Amsterdam).

Does the Microsoft have a clear process for recovering data?

Yes. Users themselves can recover data for 30 days after deleting an item. Administrators then have a further 30 days once the item is deleted from the deleted-items folder. There are also additional paid-for archiving services available with Office365, but with a 50GB inbox per person the pressure on users to archive email is not as great compared to existing email systems.

How does Microsoft protect your privacy?

3 key things: No advertising, no “mingling” of Office 365 data with our consumer services (such as Hotmail) and full data-portability, in case you ever want to leave the service.

Who owns the data that you store on the email platform?

You own the data. Microsoft does not. You own your data, and retain all rights, title and interest in the data you store with Office 365. You can download a copy of all of your data at any time and for any reason, without any assistance from Microsoft.

Who has access to the data?

By default no one has access to customer data within the Office 365 service. Microsoft employees who have completed appropriate background checks and have justified need can raise an escalation for time-limited access to Customer data. Access is regularly audited, logged and verified through the ISO 27001 Certification.

As detailed in a recent accreditation submission to the UK Government, any organisation that specify “UK” as their country during tenant creation will be provisioned and data stored within the EU datacenters (Dublin and Amsterdam).

Microsoft has been granted accreditation up to and including the UK government’s “Impact Level 2” (IL2) assurance for Office 365. As of February 2013 Microsoft are the only major international public cloud service provider to have achieved this level of accreditation and, indeed, it is the highest level of accreditation possible with services hosted outside of the UK (but inside of the EEA).

Organisations may wish to consider the extent to which applicable laws in the US – which apply to services operated by companies registered in the US, e.g. Microsoft and Google – affect the suitability of these services. For example the US Patriot Act provides a legal means through which law enforcement agencies can access data held within these services without necessarily needing the consent or even the knowledge of the customer. 

Is personal information shared with anyone else?

No personal information is shared.

Does Microsoft share email addresses with third party advertisers? Or serve users with ads?

No. There is no advertising in Office365.

What steps does Microsoft take to ensure that your information is secure?

Microsoft uses 5 layers of security - data, application, host, network and physical.

Office365 is certified for ISO 27001, one of the best security benchmarks available across the world. Office 365 was the first major business productivity public cloud service to have implemented the rigorous set of physical, logical, process and management controls defined by ISO 27001.

EU Model Clauses. In addition to EU Safe Harbor, Office 365 is the first major business productivity public cloud service provider to sign the standard contractual clauses created by the European Union (“EU Model Clauses”) with all customers. EU Model Clauses address international transfer of data.

Data Processing Agreement. Microsoft offers a comprehensive standard Data Processing Agreement (DPA) to all customers. DPA addresses privacy, security and handling of customer data. Our standard Data Processing Agreement enables customers to comply with their local regulations.

How reliable is the service?

There is a 99.9% uptime commitment with financially-backed SLA for any paid-for services in Office365 (typically though, most schools will be using ‘free’ services and therefore will not receive the financially backed SLA).

What level of support is offered as part of the service?

Microsoft offer organisations direct telephone support 24/7 for IT administrators and there is also a large range of online help services, which you can read about here. Our recommendation is that organisations use a Microsoft partner like Atlantec  with industry specific expertise in cloud services for schools and small businesses.

Additional Resources

If you'd like to know more, there is a wealth of information about Office365 security in the Office 365 Trust Centre