Explore subprocessor access controls requirements

Completed

If a subprocessor has "potential to access" Personal Data or Microsoft Confidential Data, does that mean they can process that data whenever and however they want? Microsoft permits subprocessors to process data, only to deliver the services Microsoft has retained them to provide and they are prohibited from using the data for any other purpose. Personal Data processed by subprocessors is often pseudonymized, or de-identified allowing subprocessors to fulfill their job responsibilities without accessing identifiable attributes. Microsoft requires each type of subprocessor to use appropriate access controls to protect the data they process.

Types of subprocessors

Microsoft has designated three categories of subprocessors:

  • Technology: Third-party subprocessors that power technologies that are seamlessly integrated with Microsoft Online Services and in part power the Microsoft cloud functions. If you deploy one of these services, the subprocessors identified for that service may process, store, or otherwise access Customer Data or Personal Data while helping to provide that service.
  • Ancillary: Third-party subprocessors that provide accompanying services that help support, operate, and maintain the Online Services. In such cases, the subprocessors identified may process, store, or otherwise access limited customer data or personal data while providing their ancillary services.
  • Contract Staff: Organizations that provide contract staff who work side by side with Microsoft full-time employees to support, operate, and maintain Microsoft Online Services. In all such cases, Customer Data or Personal Data resides only in Microsoft facilities, on Microsoft systems, and is subject to Microsoft policies and supervision.

Additionally, Microsoft data center entities provide the datacenter infrastructure on which Microsoft Online Services run. The data within datacenters is encrypted, and no personnel within the datacenters can access it.

Subprocessor access controls

Each type of subprocessor at Microsoft enforces appropriate access controls to protect customer and personal data. All subprocessors are required to maintain the security and confidentiality of customer and personal data and are contractually obligated to meet strict privacy and security requirements. These requirements are equivalent to or stronger than the contractual commitments Microsoft makes to its customers in the Microsoft Products and Services Data Protection Addendum.

Contract staff are subject to the same access controls in place for Microsoft full-time employees, including multifactor authentication (MFA), Zero Standing Access (ZSA), and Just-In-Time (JIT) with Just-Enough-Access (JEA). Additionally, subcontractors who work in facilities or use equipment controlled by Microsoft are contractually obligated to follow our privacy standards and undergo regular privacy training.

Technology and Ancillary subprocessors are responsible for implementing access controls in compliance with Microsoft Data Protection Requirements (DPR). These requirements meet or exceed the contractual commitments Microsoft makes to its customers in our Product Terms. These subprocessors may have the potential to access certain restricted data, such as Customer or Personal Data, to deliver functions in support of Microsoft Online Services. Subprocessor contracts specifically prohibit the use of Personal Data for any other purpose. In addition, applicable controls from the DPR help to protect Customer and Personal Data from unauthorized access or use. In many cases, the tasks subprocessors perform can be accomplished with pseudonymized or anonymized data.

Subprocessors are also required to meet privacy and security requirements, including those related to implementing appropriate technical and organizational measures to protect personal data.

Learn more