For customers to effectively exercise their right to control their data, they must have access and visibility to that data. They must know where it is stored. They must also know, through clearly stated and readily available policies and procedures, how the cloud provider helps secure customer data, who can access it, and under what circumstances.
Where and how data is stored and used. Microsoft gives Azure customers visibility to where their customer data is stored in an ever-expanding network of data centers around the globe. Customers can balance the need to store backups at multiple locations in case of a disaster with the need to keep their data out of certain geographies. Microsoft provides clear data maps and geographic boundary information for all data centers.
How data is secured. Customers have access to up-to-date information regarding security policies and procedures. Microsoft promotes transparency by publishing and adhering to the Security Development Lifecycle.
Who requests access to customer data. Microsoft will never disclose Azure customer data to a government or law enforcement agency except as directed by the customer or where required by law. In response to lawful demands for Azure customer data, Microsoft strives to be principled, limited in disclosure, and committed to transparency. Microsoft regularly publishes a Law Enforcement Requests Report that discloses the scope and number of government requests received.
Breach notification. In the event that customer data is compromised, Microsoft will notify its customers. Azure has comprehensive, transparent policies that govern incident response from identification all the way through to lessons learned.
Audit standards certifications. Rigorous third-party audits, such as those conducted by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate. As part of Microsoft’s commitment to transparency, customers can verify Azure’s implementation of many security controls by requesting audit results from the certifying third parties.
Customer guidance. Microsoft publishes a Security Response Center Progress Report and a Security Intelligence Report to provide customers with insights into the threat landscape, and provide prescriptive guidance for managing risk to protect their assets.
Transparency Centers. Microsoft operates Transparency Centers that provide government customers with the ability to review source code, reassure themselves of its integrity, and confirm there are no back doors.