Compliance[ServiceDesc]

Note

The information in this article applies to worldwide versions of Office 365. If you are using a national cloud instance of Office 365, including Office 365 U.S. Government, Office 365 Germany, and Office 365 operated by 21Vianet, see Microsoft National Clouds.

Note

Availability of Partner features varies by region.

Microsoft Office 365 complies with industry standards and regulations, and is designed to help you meet regulatory requirements for your business. For more information, see Compliance Offerings.

Industry certifications

To help organizations comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data, Office 365 complies with or can help your organization comply with the most comprehensive set of government or third-party requirements, certifications, and attestations of any cloud service provider:

  • Argentina PDPA

  • CSA-CCM

  • CS Mark (Gold)

  • DISA

  • ENISA IAF

  • EU Model Clauses

  • FDA 21 CFR Part 11

  • FedRAMP

  • FERPA

  • FIPS 140-2

  • FISC

  • FISMA

  • GxP

  • HIPAA/HITECH

  • CCSL (IRAP)

  • ISO/IEC 27001

  • ISO/IEC 27018

  • Japan My Number Act

  • MTCS

  • NZ CC Framework

  • Section 508 / VPATs

  • SHARED ASSESSMENTS

  • SOC 1

  • SOC 2

  • ENS Spain

  • UK G-Cloud

  • PCI DSS Level One

You can find more information on Office 365 compliance and audit reports in the Service Trust Portal.

In addition, note the following questions for PCI-DSS:

  • Can my organization use Office 365 and still be PCI-DSS compliant?

    • The Payment Card Industry Data Security Standard (PCI-DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. PCI-DSS was written by the PCI Security Standards Council to create a set of security standards for any organization handling credit and debit cards.

    • Customers can use credit cards to order and pay for Office 365 services with confidence because the commerce system through which customers can purchase subscriptions to Office 365 has achieved PCI-DSS Level 1 compliance. An independent third-party auditor determines that Microsoft Online Commerce Platform (OCP) has satisfactorily met the PCI-DSS version 1.2. As explained below, organizations can use the Office 365 services to help them comply with PCI-DSS requirements.

  • How can Office 365 help my organization with PCI-DSS?

    • Office 365 provides a secure platform for customers to communicate and collaborate. Microsoft operates the service securely and provides you with a rich set of compliance and security features that you can use to protect your data throughout its life cycle. With features like Data Loss Prevention (DLP), Advanced Data Governance, Azure Information Protection (AIP), you can turn on policies to automatically detect and label sensitive content when data like Credit Card Numbers, SWIFT codes, ABA routing numbers, etc. are present. You can find a list of our built-in sensitive information types here, and you can also follow the instruction here to create your own sensitive information types. With the appropriate policies applied by the customer, organizations can automatically retain data for a certain period of time and protect their content by preventing their users from sharing sensitive data. If customers need to share sensitive data over email with anyone inside or outside the organization, customers can apply encryption and rights protection with Office 365 Message Encryption so that only authorized parties can read the protected message.
  • Gramm-Leach-Bliley Act (GLB) The GLB sets minimum security and privacy requirements for financial institutions in the United States. Software or services cannot claim to be "GLB compliant" because GLB compliance also requires procedures and policies. Two of the principal regulations under GLB that affect Office 365 services are:

    • Financial Privacy Rule This rule governs the collection and disclosure of customers' personal financial information by financial institutions.

    • Safeguards Rule This rule requires all financial institutions to design, implement, and maintain safeguards to protect customer information, whether they collect such information themselves or receive it from other financial institutions

Feature availability

To view feature availability across Office 365 plans, see Office 365 Platform Service Description.