Standards compliance and certification
Power Virtual Agents is a Core Online Service, as defined in the Online Services Terms (OST), and is compliant with a number of International Organization for Standardization (ISO) certifications. Power Virtual Agents is also compliant with System and Organization Controls (SOC), the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR), and is covered under the Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).
You can create chatbots that handle protected health information when your organization is bound by HIPAA, as in the following scenarios where the chatbot can:
- Ask individuals to provide their health information (blood pressure, weight, and so on).
- Capture health information and personally identifying information, such as the customer's IP address or email address.
Although Power Virtual Agents is covered under HIPAA, it still isn't intended for use as a medical device. See the disclaimer on the intended use of Power Virtual Agents and medical devices.
SOC is an auditing framework for independently attesting to the controls a service operates. Power Virtual Agents has been audited to be compliant with SOC.
SOC audit reports are available from the Microsoft Service Trust Portal.
From the CSA STAR website:
The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.
The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.
Power Virtual Agents has been audited to be compliant with CSA STAR.
Power Virtual Agents is compliant with the ISO standards listed in the following table. Audit reports for each are available from the Microsoft Service Trust Portal.
HIPAA is a United States healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—that have access to patients' protected health information (PHI), in addition to business associates—such as cloud service and IT providers—that process PHI on their behalf.