Understand how privacy works in Microsoft Viva
Microsoft is transparent about the specific policies, operational practices, and technologies that help you ensure the privacy of your data across Microsoft Viva.
- You control your data.
- We're transparent about where data is located and how it's used.
- We secure data at rest and in transit.
- We defend your data.
Privacy is built into all Microsoft Viva experiences. Microsoft Viva and the Viva apps adhere to the Microsoft Privacy Statement and follow Microsoft's compliance with General Data Protection Regulation and the Microsoft EU Data Boundary.
Microsoft Viva inherits privacy features and settings from Microsoft 365, Teams, SharePoint, and Viva Engage, where applicable.
In addition to the inherited controls, each Viva app has its own set of privacy controls that lets you customize the information you share. The following information describes how the Viva apps handle and store data, who can access it, and, if applicable, how you can manage it.
GDPR compliance
Microsoft Viva and the Viva apps support compliance with General Data Protection Regulation (GDPR) requirements.
Additionally, see the following GDPR information for specific apps:
- Viva Connections and Viva Learning (SharePoint): Safeguarding your SharePoint data
- Viva Engage: Manage GDPR data subject requests in Viva Engage
- Viva Glint: Set up a successful Works Council program
- Viva Goals: Viva Goals security, privacy, and compliance
- Viva Insights: Personal Insights privacy guide
Data residency
Data residency refers to the geographic location where data is stored at rest. The way that data is transferred and stored in Microsoft Viva is defined in the Microsoft Products and Services Data Protection Addendum (DPA).
If you are using Viva Connections, you can purchase the Advanced Data Residency add-on in Microsoft 365, which provides more tools to address data residency requirements.
All data within Viva is stored within the customer tenant for any given Viva application and follows the standard Microsoft 365 data storage guidelines by available geography. The following table provides information about where the data for each app resides, along with links to more information.
Viva app | Where the data resides | More information |
---|---|---|
Viva Amplify | Data is stored in the data center where the associated Microsoft 365 tenant resides. If your organization is using SharePoint, Amplify follows the SharePoint data residency policy. | Privacy and security in Microsoft Viva Amplify |
Viva Connections | Data is stored in the data center where the associated Microsoft 365 tenant resides. For tenants located in Germany or the EU, none of the data is transferred to a third country. Note: Data from third-party apps is governed by the data and privacy agreements for those apps. This information applies to data from Microsoft apps. |
Data Residency for Viva Connections |
Viva Engage | Committed to storing message bodies and files attached to messages at rest within a specific geographical area (Geo). Data is stored in either Engage cloud storage or SharePoint. Files saved in SharePoint are stored in SharePoint Online per your SharePoint Online data residency policy. Mobile push notifications require sending data to a third party notification service (Apple or Google), which might be outside your Geo. |
Data residency for Viva Engage |
Viva Glint | The data region for Viva Glint is determined by the default geography of the tenant, not individual users, and is stored in US or EU data centers based on central tenant location. | |
Viva Goals | Data for customers located in the European Union Data Boundary (EUDB) or the United Kingdom is stored in data centers located in the EU. The data for all other tenants is stored in data centers located in the United States. | Viva Goals data residency |
Viva Insights | Personal insights - Processed and stored in the employee’s Exchange Online mailbox. Data residency is based on the employee's mailbox location. Manager/Leader/Advanced Insights - The data region for Manager/Leader and Advanced is determined by the Default Geography of the tenant, not individual users. Data at Rest (header info and metadata sourced from Exchange Online and Teams, but not message content or attachments) is stored in US, EU, EMEA, APAC based on central tenant location. |
Viva Insights - Advanced/Manager/Leader Viva Insights - Personal |
Viva Learning | Viva Learning doesn’t store any personal data since usage and consumption data is aggregated. Integration with SharePoint is currently only supported for sites hosted from the home geography of the tenant. For example, a French tenant can only link SharePoint sites hosted in France to Viva Learning. |
Viva Learning data residency |
Viva Pulse | Data for customers located in the European Union Data Boundary (EUDB) is stored in data centers located in the EU. The data for all other tenants is stored in data centers located in the United States | Data residency for Viva Pulse |
For more information, see:
- Microsoft 365 data locations
- Microsoft Privacy - Where is Your Data Located
- Licensing Documents (microsoft.com)
How Microsoft Viva uses AI
Important
We’re extending Copilot to Microsoft Viva to help leaders boost employee engagement and improve business performance. The Copilot System combines the power of large language models (LLMs), including GPT-4, with the Microsoft 365 and Microsoft Viva apps, as well as your business data in the Microsoft Graph—and makes it accessible through natural language.
More information about additional AI capabilities in Microsoft Viva and the Viva apps will be available soon.
Viva Connections uses AI to rank content in the feed. Microsoft's use of artificial intelligence is governed by the Responsible AI Standard.
For more information on how Viva uses AI, see the following:
App-specific data information
Each of the Viva apps collects and stores data in different ways, based on the intent of the app. You control your data, but how you control it differs depending on the app.
Viva Amplify
Viva Amplify campaigns are set as private by default because campaigns are designed to be a private collaborative space for campaign team members to work and build their communications. Changing this setting is not recommended.
For more information about Viva Amplify, see Overview of Microsoft Viva Amplify.
Viva Connections
Privacy and security controls:
- You control what content is available through the app.
- Privacy settings inherited from SharePoint, Teams, Viva Engage/Viva
What info is available? | Who can access it? | How is it managed? |
---|---|---|
Conversations, resources, and apps from Microsoft services (like Teams and SharePoint) and third-party apps (by using the SharePoint Framework) For users with elevated permissions, aggregated analytics data about traffic, usage by experience, and usage by platform. |
Users with access to the SharePoint resources For analytics, users with site member or higher access to the SharePoint home site that supports the Connections instance. |
Information is visible to users based on the setting and their role in the organization Different permission levels are required based on the content creator role (for example Home site or Dashboard). Dashboard authors can target the cards to specific audiences by using Microsoft Entra groups. |
For more information about Viva Connections, see Overview of Viva Connections.
Viva Engage
Privacy and security controls:
- Security and privacy settings are managed as a part of Viva Engage.
- Role-based access
What info is available? | Who can access it? | How is it managed? |
---|---|---|
Public announcements, private messages, posts, polls, and videos shared in communities, the inbox, and the Storyline. User profiles (through Viva Engage) Questions and answers Rewards and recognition Sentiment/usage analysis (personal analytics, audience analytics, campaign analytics, Answers analytics) |
All users with a paid Microsoft or Office 365 subscription (as part of the Viva Engage license) and accessible through Microsoft Teams. By default, private content is restricted to the participants in the content (for example, the sender and recipient of a private message); however, admins can be temporarily granted access to private content. (You'll need to manually remove this access as well.) |
The Engage admin can set up and configure Viva Engage through the Engage admin center (present in the Teams app). |
For more information about privacy in Viva Engage, see Overview of security and compliance in Viva Engage.
Viva Goals
For information about privacy in Viva Goals, see Viva Goals security, privacy, and compliance.
Viva Insights
Privacy and security controls:
- Role-based access
- Everyone's data is kept private
- Mailbox security through Exchange
What info is available? | Who can access it? | How is it managed? |
---|---|---|
Personal insights (visible only to the individual) Manager and leader insights (always aggregated and deidentified) Organization insights (aggregated and deidentified, with data access restricted to assigned analysts) Note: A manager or leader needs to have nine direct reports for the data to be aggregated. The admin can increase this threshold. |
Insights only available to licensed users (Personal Insights) and assigned analysts or managers (Manager / Leader / Organization insights) | Admins can configure what information to include in insights, set access levels, and opt individual users in or out by using the Microsoft 365 admin center. Individual users can opt in or out by going to the Settings > Privacy menu in the Viva Insights app in Teams or on the web. |
For more information on how to manage access to data in Viva Insights, see Managing who has access to data.
For more information about privacy and data protection in Viva Insights, see the following articles:
- Privacy guide for the Insights app
- Privacy guide for admins
- Technical privacy guide for organization insights and advanced insights
Viva Learning
Privacy and security controls:
- SharePoint integration supports local content
- Role-based access
What info is available? | Who can access it? | How is it managed? |
---|---|---|
Training content from Microsoft, third party providers, and customer-owned content. Learning object content metadata, such as title, description, author, and language User data, such as bookmarks, recently viewed, recommended courses, assigned courses, and completion records Required service data, such as error logs Diagnostic data |
The Viva Learning app is discoverable to all users with a paid Microsoft or Office 365 subscription and access to Microsoft Teams. Individual completion data and recommendations are available to those individuals and anyone that they share recommendations with. |
Admins can control whether individual users can use Viva Learning and what they can do by changing user and group settings in the Teams admin center. Admins can also turn on or off the storage of diagnostic data. |
For more information about Viva Learning, see Microsoft Viva Learning.