Compliance certifications for Office 365
Welcome to the place where we share our commitments and information about security, privacy, and compliance.
Learn how our commitment to transparency can help your organization comply with your regulatory needs.
Learn how our commitment to transparency can help your organization comply with FedRAMP/FISMA regulatory needs.
EU Model Clauses
Learn how our commitment to transparency can help you comply with EU regulatory needs.
Learn how our commitment to transparency can help you comply with HIPAA/HITECH regulatory needs.
Microsoft Trust Center: Compliance offerings
Read about our comprehensive set of compliance certifications, audits, and accreditations for collecting and using personal data.
Office 365 certifications
Some certifications may not be available in your country/region.
Argentina Personal Data Protection Act 25,326
Microsoft Azure, Microsoft Dynamics CRM Online, and Office 365 have implemented the security measures in the Argentina Personal Data Protection Act (APDPA).
The Microsoft Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) response details how Microsoft cloud services fulfill the security, privacy, compliance, and risk management requirements defined in CSA CCM version 3.0.1.
The Cloud Security (CS) Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Microsoft Azure for IaaS and PaaS, and Office 365 for SaaS.
The Defense Information Systems Agency (DISA) Cloud Service Support has granted a DISA Impact Level 2 Provisional Authorization to Microsoft Azure, Azure Government, Office 365 MT, and Office 365 U.S. Government, based on Federal Risk and Authorization Management Program (FedRAMP) authorizations.
The European Network and Information Security Agency (ENISA) Information Assurance Framework (IAF) requirements have been mapped to Microsoft cloud services through the CSA CCM. You can refer to the CSA CCM response version 3.0.1.
Regulations Title 21 Part 11, which details security requirements for the electronic records of companies that sell food and drugs in the United States.
Microsoft Azure, Azure Government, Dynamics CRM Online Government, and Office 365 Government have a Provisional Authority to Operate for the Federal Risk and Authorization Management Program (FedRAMP), mandatory for cloud services used by federal agencies.
Microsoft Azure, Microsoft Dynamics CRM Online, and Office 365 comply with the Family Educational Rights and Privacy Act (FERPA), a US federal law that protects the privacy of students’ education records.
Microsoft certifies that the underlying cryptographic modules used in Microsoft products, including Microsoft enterprise cloud services, comply with the Federal Information Processing Standard Publication (FIPS) 140-2, a US government standard.
Microsoft Azure and Office 365 have been independently assessed as meeting the requirements for the Center for Financial Industry Information Systems (FISC) Version 8 standard security for banking computer systems in Japan.
The Microsoft cloud meets Good Clinical, Laboratory, and Manufacturing Practices (GxP), as part of compliance with the US Food and Drug Administration Code of Federal Regulations Title 21 CFR Part 11.
Microsoft enterprise cloud services offer a Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement that stipulates adherence to HIPAA, which regulates patient Protected Health Information in the US.
Microsoft Azure and Office 365 are accredited for the Certified Cloud Services List (CCSL), which identifies cloud services that have successfully completed an Information Security Registered Assessors Program (IRAP) assessment by the Australian Signals Directorate.
The ISO/IEC 27001 certificate validates that Microsoft enterprise cloud services have implemented the internationally recognized information security controls defined in the ISO/IEC 27001 standard.
Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice, which covers privacy protections for the processing of personal information by cloud service providers.
Microsoft was the first global cloud service provider to receive the Singapore Multi-Tier Cloud Security (MTCS) certification across all three classifications—IaaS, PaaS, and SaaS—for in-scope services.
The New Zealand Government Chief Information Officer published a cloud computing (CC) framework of 100+ questions on the security, privacy, and sovereignty aspects of cloud services. Microsoft NZ demonstrates how Microsoft addresses these questions.
Microsoft cloud services offer Voluntary Product Accessibility Templates (VPATs), a standardized form documenting whether a product meets the accessibility requirements of Section 508, an amendment to the Rehabilitation Act of 1973.
Microsoft demonstrates the alignment of Microsoft Azure, Microsoft Dynamics CRM Online, and Office 365 with the Shared Assessments Program—a vendor-risk management toolset—through the CSA CCM version 3.0.1.
Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) 1 standards for design and operational security.
Spain's Esquema Nacional de Seguridad (National Security Framework, or ENS) provides information and communications technologies security guidance to public administrations and cloud service providers (CSPs). Microsoft was the first hyperscale CSP to receive this ENS certification—for Microsoft Azure and Office 365.