Frequently Asked Compliance Questions

Microsoft commits to using student data only to provide schools and districts with its cloud services or for compatible purposes, and does not mine student data for advertising or user profiling. In addition, Microsoft contractually commits not to disclose student data except as the educational institution directs, or as described in a school or district contract. The education records that a school provides to Microsoft through the use of a Microsoft cloud service are subject to stringent contractual restrictions regarding their use and disclosure.

| Question | Answer | Compliant Microsoft Provision(s) |
| --- | --- | --- |
| Does Microsoft publicly disclose its student data use policies? | Yes, Microsoft’s policies are publicly available. | Microsoft Online Services Terms; Microsoft Online Services Data Protection Addendum |
| How does Microsoft use student data? | Microsoft does not use student data for advertising, commercial purposes, or market research unless the use is in accordance with Customer’s documented instructions. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Does Microsoft use student data to amass profiles about students? | No. Microsoft does not use or process student data for user profiling. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Will student data be rented or sold? | Microsoft does not rent or sell student data and does not use it for advertising, commercial purposes, or market research unless the use is in accordance with Customer’s documented instructions. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services |
| Will Microsoft disclose student data to third parties? | Microsoft will only disclose student data as the Customer directs, as described in Microsoft’s Online Services Data Protection Addendum, or as required by law. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data. See also Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations |
| Does Microsoft maintain security procedures and practices that meet industry standards? | Microsoft implements and maintains appropriate technical and organizational measures to protect Customer Data and Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Those measures are set forth in a Microsoft Security Policy that is available to Customer. In addition, Microsoft’s security measures comply with the requirements set forth in ISO 27001, ISO 27002, and ISO 27018. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies. See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures |
| Will Microsoft delete student data upon request? | During the term of Customer’s subscription, Customer has the ability to access, extract, and delete the student data stored in each Online Service. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion |
| How will Microsoft respond in the event of a data breach? | If Microsoft becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Microsoft (each a “Security Incident”), Microsoft will promptly and without undue delay (1) notify Customer of the Security Incident (within 72 hours); (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Further information on Microsoft’s information security incident management procedures can be found in the Microsoft Online Services Data Protection Addendum. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Incident Notification; Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures -> Information Security Incident Management |
| Where does Microsoft store Customer data at rest? | For the Core Online Services, Microsoft will store Customer Data at rest within certain major geographic areas as set forth in Attachment 1 to the OST (or successor location in the Use Rights). Microsoft does not control or limit the regions from which Customer or Customer’s end users may access or move Customer Data. | Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Transfers and Location -> Location of Customer Data at Rest |