Microsoft Viva Compliance
Microsoft offers a comprehensive set of compliance offerings to help your organization comply with national, regional, and industry-specific requirements governing the collection and use of data. Microsoft Viva is also covered under the Microsoft Product Terms and Data Protection Agreement (DPA).
For more information, see the Microsoft Trust Center.
This article covers the following information:
Shared responsibility model
Microsoft works to ensure that we are compliant with industry and international standards, and customers are responsible for ensuring their data within the Microsoft Cloud is protected in a manner that is compliant with the standards and regulations imposed on the customer.
Inheritance of compliance features and settings
Microsoft Viva apps are built on your existing infrastructure and, depending on the app, inherit compliance features and settings from Microsoft Teams, Exchange Online, SharePoint Online, Azure, and Viva Engage. In addition, all Viva modules are built on the Microsoft Graph API.
For detailed information on each service, see:
Service | Article |
---|---|
Microsoft 365 | Plan for security and compliance |
Microsoft Teams | Overview of security and compliance in Microsoft Teams |
Microsoft SharePoint | Plan compliance requirements for SharePoint and OneDrive |
Microsoft Graph | Use the Microsoft Graph compliance and privacy APIs |
Viva Engage | Overview of security and compliance in Viva Engage |
Microsoft Entra ID | Microsoft Entra security baseline for Microsoft Entra ID |
Azure | Azure, Dynamics 365, Microsoft 365, and Power Platform compliance offerings |
System and Organization Controls (SOC) 2
A SOC 2 report is an independent assessment of a service organization's systems and processes that are relevant to the trust services criteria. The report is conducted by a third-party auditor and evaluates the effectiveness of the controls in place to meet these criteria. Following is the SOC 2 audit report status for each Viva app:
Viva app | SOC 2 report |
---|---|
Viva Connections | Covered within scope of SharePoint Online SOC 2 report, although not individually called out in the report. Excludes third-party content. |
Viva Learning | Covered by Microsoft 365 Microservices T1 - SSAE 18 SOC 2 Type 1 Report (2022) |
Viva Engage | Covered by Office 365 – Viva Engage – SOC 2 Type 2 (2022) |
Viva Goals | Covered by Microsoft 365 Microservices T1 - SSAE 18 SOC 2 Type 1 Report (2022) |
Viva Insights | Covered by Microsoft 365 - Microservices Type 2 - SOC 2 Report (9-30-2023) |
General Data Protection Regulation (GDPR)
All Viva apps built on your Microsoft 365 infrastructure support compliance with EU General Data Protection Regulation (GDPR) requirements. For detailed information, see Microsoft Viva Privacy.
Data residency
Data residency refers to the geographic location where data is stored at rest. Many customers, particularly in the public sector and regulated industries, have distinct requirements around protecting personal or sensitive information. In addition, in certain countries, customers are expected to comply with laws and regulations that explicitly govern data storage location.
For information about data residency for Viva apps, see Microsoft Viva Privacy.
Microsoft Purview
Microsoft Purview is a family of data governance, risk, and compliance solutions that can help your organization govern, protect, and manage your entire data estate.
Currently, certain features in Viva Engage and Viva Connections (through SharePoint) are supported by Microsoft Purview.
The Viva Engage features eDiscovery and Data Retention are supported by Microsoft Purview; sensitivity labels and data loss prevention aren't supported. Native Mode is required to take advantage of eDiscovery and the Microsoft Purview compliance portal. This functionality is unavailable for networks in non-Native Mode. For more information, see Overview of Native Mode.
Viva Connections inherits eDiscovery and Data Retention support from SharePoint Online for files involved in each service.