
Compliance

Office 365
 

Topic Last Modified: 2013-02-25

Microsoft Office 365 complies with industry-standard regulations and is designed to help you meet the regulatory requirements that apply to your business. For more information, see Regulatory Compliance.

For details on the following industry certifications, see Independently verified and Security, Audits, and Certifications.

  • SAS 70 / SSAE16 Assessments
  • ISO 27001 certified
  • EU Model Clauses
  • EU Safe Harbor
  • HIPAA-Business Associate Agreement
  • FISMA Authority to Operate
  • Microsoft Data Processing Agreement
  • PCI DSS Level One

In addition, note the following:

  • Gramm-Leach-Bliley Act (GLB)   The GLB sets minimum security and privacy requirements for financial institutions in the United States. Software or services cannot claim to be “GLB compliant” because GLB compliance also requires procedures and policies. Two of the principal regulations under GLB that affect Office 365 services are:
    • Financial Privacy Rule   This rule governs the collection and disclosure of customers’ personal financial information by financial institutions.
    • Safeguards Rule   This rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions.
  • Payment Card Industry Data Security Standard (PCI-DSS) Level One   The Office 365 ordering, billing, and payment systems that handle credit card data are Level One Payment Card Industry (PCI) compliant, so customers can use credit cards to pay for the services with confidence. An independent third party audits the Microsoft Online Commerce Platform (OCP), which supports Office 365, and determines whether it has satisfactorily met PCI-DSS version 1.2.
  • PCI-governed data   Office 365 services are not suitable for processing, transmitting, or storing PCI-governed data. PCI-DSS is an industry standard designed to protect and maintain sensitive data during transmission and storage throughout the data life cycle. At a minimum, organizations that support transactions through credit and debit cards are required to have a degree of compliance to the PCI standard.
    There is much confusion in the marketplace about the impact of PCI-DSS. Many customers state that all data within their organizations requires PCI certification and compliance, and that Microsoft Online Services must therefore also demonstrate compliance. While it is true that Microsoft Online Services needs to be compliant for the Primary Account Number (PAN) data it processes, and it is, customers should not use the Office 365 service to transmit or store PAN data for their own purposes.
    Note:
    PCI compliance only applies if Primary Account Number (PAN) data is transmitted or stored within the online environment. To be compliant, the PAN data must be encrypted during transmission and storage, and reporting must demonstrate that this encryption has successfully protected the PAN data. As a result, the service is not a suitable storage medium for PAN data, and companies should apply customer-side policies to prevent the transmission of PAN data to the online environment.

The following table shows which certifications apply to each Office 365 plan. Plan columns: (1) Office 365 Small Business; (2) Office 365 Small Business Premium; (3) Office 365 Midsize Business; (4) Office 365 Enterprise E1, Education A2, Government G1; (5) Office 365 Enterprise E3, Education A3, Government G3; (6) Office 365 Enterprise E4, Education A4, Government G4; (7) Office 365 Enterprise K1, Government K1.

Certification                         (1)  (2)  (3)  (4)  (5)  (6)  (7)
SAS 70 / SSAE16 Assessments           Yes  Yes  Yes  Yes  Yes  Yes  Yes
ISO 27001                             Yes  Yes  Yes  Yes  Yes  Yes  Yes
EU Model Clauses                      Yes  Yes  Yes  Yes  Yes  Yes  Yes
EU Safe Harbor                        Yes  Yes  Yes  Yes  Yes  Yes  Yes
HIPAA-Business Associate Agreement    Yes  Yes  Yes  Yes  Yes  Yes  Yes
FISMA Authority to Operate            Yes  Yes  Yes  Yes  Yes  Yes  Yes
Microsoft Data Processing Agreement   Yes  Yes  Yes  Yes  Yes  Yes  Yes
PCI DSS Level One                     Yes  Yes  Yes  Yes  Yes  Yes  Yes
PCI-governed PAN data                 No   No   No   No   No   No   No

If you have comments or questions about this topic, we'd love to hear from you. Just send your feedback to Office 365 Service Description Feedback. Your comments will help us provide the most accurate and concise content.

© 2014 Microsoft. All rights reserved.