Trust Center: Security, Privacy and Compliance Information for Office 365 and Microsoft Dynamics 365
How we use your data
It’s your data. You own the data you store and process with Microsoft ® Office 365 and Dynamics 365. We use your data only to provide the services you want.
We use your data for just what you pay us for: to maintain and provide Office 365 and Dynamics 365. We make it our policy to not use your data for other purposes. While some data may be stored or processed on systems used for both consumer and business services, our business services are designed and operated separately from Microsoft consumer services. Microsoft does not scan emails or documents for advertising purposes.
Customer Data is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the services. Customer Data does not include Administrator Data, Payment Data or operational information about the services. See the Microsoft Online Services Privacy Statement .
Content is a subset of Customer Data. Content is generally considered confidential information, and in normal service operation, is not sent over the Internet without encryption. Content includes, for example, Exchange Online e-mail body and attachments, SharePoint Online site content (not URL) and file body, instant messaging conversation body and voice conversation, and CRM files containing data about your end customer interactions.
Database metadata is information about database configuration and schema, including the names of database tables and columns. It does not include the contents of database rows of user tables. We use database metadata to provide services and for compatible purposes and may store and process it in the United States or elsewhere. You should not include personal data in database metadata. Currently only July 2017 Dynamics 365 utilizes Microsoft SQL Server 2016 in order to operate and deliver its services to you. Please see the SQL Server Privacy Statement to learn more about how Microsoft SQL Server 2016 collects and uses your database metadata.
How does Office 365 or Dynamics 365 use my data?
The following table explains how Microsoft uses your Office 365 and Dynamics 365 Data:
Use of Office 365 & Dynamics 365 Customer Data
Customer Data (excluding Content)
Operating and Troubleshooting the Services
Security, Spam and Malware Prevention
Voluntary Disclosure to Law Enforcement
*Applicable only to July 2017 Dynamics 365
Question: How does Office 365 or Dynamics 365 use my data to maintain the service?
Answer: Customer Data will be used only to provide the service including purposes compatible with providing the service, except as you direct.
In addition to day-to-day operations, such purposes can include using Customer Data for the following:
§ Troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of services.
§ Ongoing improvement of features such as those that involve the detection of, and protection against, emerging and evolving threats to the services or Customer Data (such as malware or spam).
§ Providing personalized or inference-based service features.
Question: Does Office 365 or Dynamics 365 share data with any advertiser-supported services? Does Office 365 or Dynamics 365 data-mine Customer Data for its advertisers?
Answer: No. Both Office 365 and Dynamics 365 are operated with no data flow between the two systems and no use of your data to build profiles for advertising or to advertise to your end users.
Question: Can Office 365 or Dynamics 365 use or disclose my data without my permission?
Answer: In a limited number of circumstances, Microsoft may need to disclose Customer Data without your prior consent, including as needed to satisfy legal requirements.
Question: What is the Office 365 and Dynamics 365 process if law enforcement requests my data? What does Microsoft do when subpoenaed or legally mandated to produce customers' information?
Answer: Office 365 and Dynamics 365 believe that their customers should control their own information to the extent possible.
Accordingly, if a governmental entity approaches Microsoft directly for information hosted on behalf of our Office 365 or Dynamics 365 customers, Microsoft will try in the first instance to redirect the entity to the customer to afford the customer the opportunity to determine how to respond. If we are nonetheless required to respond to the demand, Microsoft will only provide information belonging to its Office 365 or Dynamics 365 customers when it is legally required to do so, will limit the production to only that information which it is required to disclose and will use reasonable efforts to notify the enterprise customer in advance of any production unless legally prohibited. Our notice will typically be delivered by email to one or more of the administrator(s) the customer has listed in the online services portal. It is the customer’s responsibility to ensure contact information remains up to date.
Question: What is usage data, and how does Microsoft use usage data?
Answer: Usage data are used to provide the service.
Usage data could refer to any number of data points related to Office 365 and Dynamics 365. “Usage data” could refer to the average number of emails an end user receives each day, the number of licenses in a customer’s subscription, or the amount of electricity Microsoft needs to power Office 365 and Dynamics 365.
We understand our customers are most concerned about how we treat personally identifiable information about end users’ interactions with the services . Such data may be used for day-to-day operations and maintenance of the services (as described above) and for services communications to administrators, including emails about end users’ use or access to the services. For example, an administrator may receive a notification from Microsoft that an end user is near usage or storage limits.
Question: What are the services communications an administrator will receive?
Answer: Administrators may receive various types of communications from Microsoft related to use of the services. The administrator may also receive the following types of communications: communications about services operations, including scheduled maintenance and new features or functionalities of the services.