Continuing data transfers that apply to all EU Data Boundary Services
There are scenarios where Microsoft will continue to transfer data out of the EU Data Boundary to meet cloud service operational requirements, where data stored in the EU Data Boundary will be accessed remotely by personnel located outside the EU Data Boundary, and where a customer's use of EU Data Boundary Services will result in data transfer out of the EU Data Boundary to achieve the customer's desired outcomes. Microsoft ensures that any Customer Data and pseudonymized personal data transfers outside of the EU Data Boundary are protected by security safeguards detailed in our services agreements and product documentation.
Remote access to data stored and processed in the EU Data Boundary
Microsoft cloud services are built, operated, kept secure, and maintained by expert teams from around the world to provide customers with the highest level of service quality, support, security, and reliability. This model (known as the Microsoft DevOps model) puts developers and operations staff together working in tandem to continuously build, maintain, and provide the services. This section describes how Microsoft both minimizes this remote access to Customer Data and pseudonymized personal data and restricts such access when it needs to occur.
Microsoft uses a multilayered approach to protect Customer Data and pseudonymized personal data from unauthorized access by Microsoft personnel, which consists of both employees of Microsoft and its subsidiaries and contract staff from third-party organizations who assist Microsoft employees. To access Customer Data or pseudonymized personal data, Microsoft personnel must have a background check on file in good standing, in addition to using multifactor authentication as part of Microsoft standard security requirements.
When Microsoft personnel need to access Customer Data or pseudonymized personal data stored on Microsoft systems inside the EU Data Boundary from outside the boundary (considered a transfer of data under European privacy law, although the data remains within Microsoft datacenter infrastructure in the EU Data Boundary), we rely on technology that ensures this type of transfer is secure, with controlled access and no persistent storage at the remote access point. When such a data transfer is required, Microsoft uses state-of-the-art encryption to protect Customer Data and pseudonymized personal data at rest and in transit. For more information, see Encryption and key management overview.
How Microsoft protects Customer Data
We design our services and processes to maximize the ability of DevOps personnel to operate the services without requiring access to Customer Data, employing automated tooling to identify and repair issues. In rare cases when a service is down or in need of a repair that can't be carried out with automated tooling, authorized Microsoft personnel may require remote access to data stored within the EU Data Boundary, including Customer Data. There's no default access to Customer Data; access is provided to Microsoft personnel only when a task requires it. Access to Customer Data must be for an appropriate purpose, must be limited to the amount and type of Customer Data required to achieve that purpose, and is granted only where the purpose can't be achieved without this level of access. Microsoft uses just-in-time (JIT) access approvals, which are granted only for as long as is necessary to achieve that purpose. Microsoft also relies on role-based access control (RBAC), where individual access is subject to strict requirements, such as the need-to-know principle, mandatory continual training, and oversight by one or more managers.
Microsoft personnel that have access to Customer Data operate from secure admin workstations (SAWs). SAWs are limited-function computers that reduce the risk of compromise from malware, phishing attacks, bogus websites, and pass-the-hash (PtH) attacks, among other security risks, and are enabled with countermeasures intended to make data exfiltration difficult. For example, Microsoft personnel working on SAWs have restricted access to the internet on such devices and are unable to access external or removable media because those capabilities are blocked in the SAW implementation. The Microsoft SAW and high-risk environment program received CSO50 awards from csoonline.com in 2022, 2020, and 2019.
In addition to the controls described previously, customers may establish additional access controls for many Microsoft cloud services by enabling Customer Lockbox. Implementation of the Customer Lockbox feature varies slightly by service, but Customer Lockbox generally ensures that Microsoft personnel can't access Customer Data to perform service operations without the customer's explicit approval. See Customer Lockbox in Office 365, Customer Lockbox for Microsoft Azure, and Customer Lockbox in Power Platform and Dynamics 365 for examples of Customer Lockbox in action.
Access to Customer Data is also logged and monitored by Microsoft. Microsoft performs regular audits to review and confirm that access management measures are working in accordance with policy requirements, including Microsoft's contractual commitments.
How Microsoft protects pseudonymized personal data in system-generated logs
Currently, to access pseudonymized personal data stored in the EU Data Boundary, Microsoft personnel may use either a SAW or a virtual desktop infrastructure (VDI). The SAW-specific security measures described in the preceding section also apply when using a SAW to access pseudonymized personal data. When using a VDI to access pseudonymized personal data in the EU Data Boundary, Microsoft enforces access limitations to provide a secure environment for data access. As with SAWs, the list of utilities allowed on the VDIs is limited, and each utility is subject to rigorous security tests before being certified to run on the VDIs. When a VDI is used, pseudonymized personal data in the EU Data Boundary is accessed through virtual machines that are hosted on a physical machine located in the EU Data Boundary, and no data persists outside of the EU Data Boundary.
Per our standard policies, bulk transfers of data outside the EU Data Boundary are prohibited, and VDI users can only access preapproved URL destinations. In addition, Microsoft personnel who use the VDI environment don't have administrative access to the physical machines located in the EU Data Boundary.
See the following resources for more information about the technologies used to protect Customer Data and pseudonymized personal data:
- Protecting high-risk environments with secure admin workstations
- Using shielded virtual machines to help protect high-value-assets
- Four operational practices Microsoft uses to secure the Azure platform
- Microsoft 365 service engineer access control
- What is virtual desktop infrastructure (VDI)?
Customer-initiated data transfers
Transfers customers initiate as part of service capabilities
The EU Data Boundary isn't intended to interfere with or restrict the service outcomes customers intend when they use our services. Thus, if a customer administrator or user takes an action in the services that initiates a data transfer out of the EU Data Boundary, Microsoft won't restrict such customer-initiated transfers from happening; doing so would disrupt normal business operations for customers. User-initiated data transfers outside of the EU Data Boundary can happen for a variety of reasons, for example:
- A user accesses data stored within the EU Data Boundary or interacts with a service while outside of the EU Data Boundary area.
- A user chooses to communicate with other users physically located outside the EU Data Boundary. Examples include sending an email or SMS message, initiating a Teams chat or voice communication such as a Public Switched Telephone Network (PSTN) call, voice mail, cross-geo meetings, and so on.
- A user configures a service to move data out of the EU Data Boundary.
- A user elects to combine EU Data Boundary Services with other Microsoft or third-party offerings or connected experiences subject to separate terms from those that apply to the EU Data Boundary Services (for example by utilizing an optional Bing-backed experience available through the Microsoft 365 Applications, or by using an available connector to sync data from within an EU Data Boundary Service to an account the user may have with a provider other than Microsoft).
- A customer administrator elects to connect EU Data Boundary Services to other services offered by Microsoft or a third party, where those other services are subject to separate terms from those that apply to the EU Data Boundary Services (for example by configuring an EU Data Boundary Service to send queries to Bing, or by establishing a connection between an EU Data Boundary Service and a service hosted at a provider other than Microsoft with which the customer also has an account).
- A user acquires and uses an app from an app store presented within an EU Data Boundary Service (the Teams store, for example), where the app is subject to terms separate from those applicable to the EU Data Boundary Service, such as the end user license agreement from the app provider.
- An organization requests or subscribes to professional security services, where Microsoft acts in a remote security operation center capacity or performs forensic analysis on behalf of (and as part of) the organization's security group.
Fulfilling GDPR data subject rights requests worldwide
Microsoft has implemented systems to enable our customers to respond to data subject rights requests (DSRs) under the General Data Protection Regulation (GDPR) (for example, to delete personal data in response to a request under Article 17 of the GDPR) as customers determine is appropriate, and these systems are available to customers worldwide. To enable our customers to maintain GDPR compliance, DSR signals that include user identifiers must be processed globally to ensure that all data related to a data subject is deleted or exported as requested. When our customer determines data deletion is appropriate in response to a data subject requesting that their personal data be deleted, all personal data related to that data subject must be located and deleted from all of Microsoft's data stores, both within and outside of the EU Data Boundary. Similarly, when an export request is submitted by a customer administrator, Microsoft must export to the storage location specified by the customer admin, even if outside the EU Data Boundary, all the personal data about that data subject. For more information, see GDPR: Data Subject Requests (DSRs).
Professional Services data
When customers provide Microsoft with data in the course of engaging with Microsoft for support or paid consulting services, that data is Professional Services Data, as defined in the Microsoft Products and Services Data Protection Addendum (DPA). Professional Services Data is currently stored in United States-based Microsoft datacenters.
Access to Professional Services Data by Microsoft personnel during a support engagement is limited to approved support management systems utilizing security and authentication controls, including two-factor authentication and virtualized environments, as necessary. Other Microsoft personnel may only access Professional Services Data associated with a specific engagement by providing necessary business justification and manager approval. The data is encrypted both in transit and at rest.
Professional Services Data provided, obtained, and processed during a paid consulting engagement is accessed by the team the customer engages to provide the purchased services. Work is in progress to allow EU customers to specify that their Professional Services Data should be stored and processed in the EU Data Boundary.
Protecting customers
To protect against global cybersecurity threats, Microsoft must run security operations globally. To do this, Microsoft transfers (as detailed in Security Operations) limited pseudonymized personal data outside of the EU Data Boundary and, in rare situations, limited Customer Data. Malicious actors operate globally, launching geo-distributed attacks, using coordinated stealth, and evading detection. Analyzing contextual threat data across geo boundaries allows Microsoft security services to protect customers by providing high-quality, automated security detections, protections, and response.
The results of this cross-boundary analysis feed multiple protection scenarios, including alerting customers of malicious activity, attacks, or attempted breaches.
Having strong security protections in place benefits our customers and the computing ecosystem and supports regulatory obligations in the security of Customer Data, pseudonymized personal data, and critical infrastructure. Consistent with both GDPR and the EU Charter of Fundamental Rights, Microsoft’s approach provides value by promoting privacy, data protection, and security.
Access to the limited Customer Data and pseudonymized personal data transferred out of the EU for security operations is restricted to Microsoft security personnel, and the usage is restricted to security purposes, including detecting, investigating, mitigating, and responding to security incidents. Transferred Customer Data and pseudonymized personal data are protected through encryption and access restrictions. More information about access to data stored and processed in the EU Data Boundary is covered earlier in this article.
Examples of customer-facing capabilities provided by Microsoft through usage of the cross-boundary signals include:
- To provide protection against sophisticated modern security threats, Microsoft relies on its advanced analytics capabilities, including artificial intelligence, to analyze aggregate security-related data, including activity logs, to protect against, detect, investigate, respond to, and remediate these attacks. Limited Customer Data and globally consolidated pseudonymized personal data are used to create statistical summaries to reduce false positive results, improve effectiveness, and create unique machine learning models for advanced detections of both known and unknown threats in near real-time. Global models allow us to fine-tune and enable custom models for specific operations. Without this centralized analytics capability across global data, the efficiency of these services would degrade significantly, and we wouldn't be able to protect our customers or provide a consistent user experience.
- The hyperscale cloud enables diverse, ongoing analysis of security-related system-generated logs without prior knowledge of a specific attack. In many cases, global system-generated logs enable Microsoft or its customers to stop previously unknown attacks, while in other cases Microsoft and customers can use system-generated logs to identify threats that weren't detected initially but can be found later based on new threat intelligence.
- Detecting a compromised enterprise user, by identifying logins into a single account from multiple geographic regions, within a brief period (known as "impossible travel" attacks). To enable protection from these types of scenarios, Microsoft security products (and as applicable, security operations and threat intelligence teams) process and store data such as Microsoft Entra authentication system-generated logs centrally across geos.
- Detecting data exfiltration from the enterprise, by aggregating several signals of malicious access to data storage from various locations, a technique used by malicious actors to fly under the detection radar (known as "low and slow" attacks).
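The two cross-geo detections named above, as an added illustration that is not from the original page or from Microsoft's own tooling: "impossible travel" flags an account whose consecutive sign-ins imply a speed no traveller could reach, and "low and slow" flags an account whose individually unremarkable storage accesses come from several sites over a long window. The log lines, sites, coordinates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; tune per tenant
LOW_SLOW_WINDOW_H = 72     # assumption: look-back window for storage access
LOW_SLOW_MIN_SITES = 3     # assumption: distinct sites that trip the rule

# Constructed sign-in events: (user, UTC time, lat, lon). alice's two
# sign-ins are 2 hours apart but ~6,400 km apart, which is not possible.
SIGNINS = [
    ("alice", "2024-05-01T08:00:00", 52.52, 13.40),   # Berlin
    ("alice", "2024-05-01T10:00:00", 40.71, -74.01),  # New York
    ("bob",   "2024-05-01T09:00:00", 48.86, 2.35),    # Paris
    ("bob",   "2024-05-01T20:00:00", 51.51, -0.13),   # London
]

# Constructed storage-access events: (user, UTC time, source site). carol
# touches the store from three sites inside the window; dave from one.
STORAGE_ACCESS = [
    ("carol", "2024-05-01T01:00:00", "site-A"),
    ("carol", "2024-05-02T03:00:00", "site-B"),
    ("carol", "2024-05-03T05:00:00", "site-C"),
    ("dave",  "2024-05-01T02:00:00", "site-A"),
    ("dave",  "2024-05-02T02:00:00", "site-A"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return users whose consecutive sign-ins imply a speed above max_kmh."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    flagged = set()
    for user, rows in by_user.items():
        rows.sort()  # chronological order per account
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            # A nonzero distance in zero elapsed time is also impossible.
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                flagged.add(user)
    return flagged


def low_and_slow(events, window_h=LOW_SLOW_WINDOW_H, min_sites=LOW_SLOW_MIN_SITES):
    """Return users that reach storage from >= min_sites sites within window_h."""
    by_user = defaultdict(list)
    for user, ts, site in events:
        by_user[user].append((datetime.fromisoformat(ts), site))
    flagged = set()
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            # Count distinct sites seen in the window that starts at this event.
            sites = {s for t, s in rows[i:]
                     if (t - t0).total_seconds() <= window_h * 3600}
            if len(sites) >= min_sites:
                flagged.add(user)
    return flagged


if __name__ == "__main__":
    print("impossible travel:", sorted(impossible_travel(SIGNINS)))
    print("low and slow:", sorted(low_and_slow(STORAGE_ACCESS)))
```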
To minimize the privacy impact of this work, Microsoft's security threat hunter teams limit ongoing transfers to system-generated logs and service configuration information necessary to detect and investigate early indicators of malicious activity or breach. This pseudonymized data is consolidated and stored primarily in the United States but may include other data center regions worldwide for threat detection work as described previously. Pseudonymized personal data is transferred and protected in accordance with the terms of the DPA and applicable contractual commitments. In the rare instances where Customer Data is accessed or transferred as a result of security investigation, it's done so through elevated approvals and controls as set forth in the How Microsoft protects Customer Data section earlier in this article.
Security Operations
Microsoft security operations use a collection of internal services to monitor, investigate, and respond to threats facing the platforms customers rely on for their daily operations. The cross-geo boundary pseudonymized personal data or limited Customer Data processed for these operations helps block malicious attempts against the cloud infrastructure and Microsoft online services.
Pseudonymized personal data processed for security purposes is transferred to any Azure region worldwide. This enables Microsoft’s security operations, like the Microsoft Security Response Center (MSRC), to provide security services 24 hours a day, 365 days a year in an efficient and effective manner in response to worldwide threats. The data is used in monitoring, investigations, and response to security incidents within Microsoft’s platform, products, and services, protecting customers and Microsoft from threats to their security and privacy. For example, when an IP address or phone number is determined to be used in fraudulent activities, it's published globally to block access from any workloads using it.
Security analysts access aggregated data from locations around the globe, as MSRC has a follow-the-sun operation model with distributed expertise and skills to provide continuous monitoring and response for security investigations, including, but not limited to, the following scenarios:
- A customer identified malicious activity in their tenant or subscriptions and contacted Microsoft support for help resolving the incident.
- MSRC has one or more clear indications of compromise in a customer tenant, subscription, or resource and notifies the customer, then helps investigate and respond to the incident following approval from the customer.
- If, in the course of an investigation, a customer-impacting privacy incident is identified, MSRC follows a strict protocol to investigate further in support of notification and response to that privacy-impacting incident.
- Sharing of threat intelligence and investigation details among Microsoft internal security teams for agile response and remediation.
More information about access to data stored and processed in the EU Data Boundary is covered earlier in this article.
Security Threat Intelligence
Microsoft threat intelligence services monitor, investigate, and respond to threats facing customer environments. Data collected for security investigations may include pseudonymized personal data in system-generated logs and limited Customer Data. This data is used to help block malicious attempts against our customers’ cloud infrastructures and provide timely threat intelligence and indications of compromise to organizations, helping them to increase their level of protection.
For threat investigations where evidence of a Nation State Threat or other malicious actions by sophisticated actors is detected, the Microsoft teams gathering threat intelligence, like the Microsoft Threat Intelligence Center (MSTIC), alert customers of the noted activity. MSTIC can identify malicious activity through globally consolidated system-generated logs and diagnostic data collected from various Microsoft products and services, in conjunction with expert analysis by MSTIC personnel.
Access by geographically dispersed analyst teams to globally consolidated system-generated logs for security purposes is critically important to timely identification of an attack or breach, providing a non-interrupted investigation. MSTIC analysts possess specific attacker knowledge and skills that can't simply be replicated in other regions as they may have specific regional adversary expertise. As a result, MSTIC analysis operations necessarily cross geopolitical boundaries to provide customers with the highest level of expertise. For additional information on access controls, see Remote access to data stored and processed in the EU Data Boundary earlier in this article.
Providing customers with the best threat intelligence requires MSTIC to leverage global signals for scenarios like:
- Malicious Nation State activities that are used to achieve national intelligence objectives.
- Malicious Nation State activities that use commodity malware and tactics in destructive, unrecoverable attacks, or are used to mask the identity of the attacker (false flag) and provide plausible deniability.
- Malicious criminal activities that are used in illicit financial extortion schemes (for example, ransomware attacks against civilian critical resources or infrastructure).
Services in preview/trials
Only paid Microsoft services that are generally available are included in the EU Data Boundary. Services that are in preview or made available as free trials aren't included.
Deprecated services
Services that, as of December 31, 2022, Microsoft has announced as being deprecated aren't included in the EU Data Boundary. Microsoft cloud services follow the Modern Lifecycle Policy, and in most cases when we've announced a service as being deprecated we've also recommended an alternative or successor product offering that is in scope for the EU Data Boundary. For example, Microsoft Stream (Classic) is an enterprise video service for Microsoft 365 being replaced by Stream (on SharePoint). While specific deprecation dates for Stream (Classic) haven't yet been announced, customers have been advised that Stream (Classic) will be deprecated in 2024. Migration guidance and public preview tools are available to assist customers in migrating to Stream (on SharePoint), which is within the EU Data Boundary.
On-premises software and client applications
Data stored in on-premises software and client applications isn't included in the EU Data Boundary, as Microsoft doesn't control what happens in customers' on-premises environments. Diagnostic data generated from the use of on-premises software and client applications is also not included in the EU Data Boundary.
Directory data
Microsoft may replicate limited Microsoft Entra directory data (including username and email address) outside the EU Data Boundary to provide the service.
Network Transit
To reduce routing latency and to maintain routing resiliency, Microsoft uses variable network paths that may occasionally result in routing of customer traffic outside of the EU Data Boundary. This may include load balancing by proxy servers.
Service and Platform Quality and Management
Microsoft personnel may require some pseudonymized personal data from system-generated logs to be consolidated globally to ensure the services are running efficiently and to compute and monitor real-time, global quality metrics for the services. A limited amount of pseudonymized personal data, such as object IDs or primary unique IDs (PUIDs), can be included in these transfers and is used to address various service operability and management issues. Examples include calculating the number of users affected by a service-impacting event to determine its pervasiveness and severity, or calculating monthly active users (MAU) and daily active users (DAU) of the services to ensure billing calculations based on this data are complete and accurate. Pseudonymized personal data transferred for MAU and DAU calculation purposes is retained outside the EU Data Boundary for only as long as needed to compile aggregate analytics.