Standards compliance and certification

Power Virtual Agents is a Core Online Service, as defined in the Online Services Terms (OST), and is compliant with a number of International Organization for Standardization (ISO) certifications. Power Virtual Agents is also compliant with System and Organization Controls (SOC), the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR), and is covered under the Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement (BAA).

You can create chatbots that handle protected health information when your organization is bound by HIPAA, for example in scenarios where the chatbot:

  • Asks individuals to provide their health information (blood pressure, weight, and so on).
  • Captures health information together with personally identifying information, such as the customer's IP address or email address.

Note

Although Power Virtual Agents is covered under HIPAA, it still isn't intended for use as a medical device. See the disclaimer on the intended use of Power Virtual Agents and medical devices.

SOC compliance

SOC is an audit framework for attesting that the controls within a service are designed and operating as intended. Power Virtual Agents has been audited to be compliant with SOC.

SOC audit reports are available from the Microsoft Service Trust Portal.

CSA STAR

From the CSA STAR website:

  • The Security Trust Assurance and Risk (STAR) Program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies who use STAR indicate best practices and validate the security posture of their cloud offerings.

    The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their security providers in order to make the best procurement decisions.

Power Virtual Agents has been audited to be compliant with CSA STAR.

ISO compliance

Power Virtual Agents is compliant with the ISO standards listed in the following table. Audit reports for each are available from the Microsoft Service Trust Portal.

| Standard | Name of report and certificate | Link to standard (www.iso.org) |
|---|---|---|
| ISO 9001:2015 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO9001 Certificate and Assessment Report | ISO 9001:2015 |
| ISO 20000-1:2011 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO20000-1 Certificate and Assessment Report | ISO/IEC 20000-1:2011 |
| ISO 22301:2012 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO20000-1 Certificate and Assessment Report | ISO/IEC 22301:2012 |
| ISO 27001:2013 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001 and 27701 Certificate; Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27001:2013 |
| ISO 27017:2015 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27017 Certificate; Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27017:2015 |
| ISO 27018:2019 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27018 Certificate; Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27018:2019 |
| ISO 27701:2019 | Microsoft Azure, Dynamics 365, and Other Online Service - ISO27701 Certificate; Microsoft Azure, Dynamics 365, and Other Online Service - ISO27001, 27018, 27017, 27701 Assessment Report | ISO/IEC 27701:2019 |

HIPAA coverage

HIPAA is a United States healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—doctors' offices, hospitals, health insurers, and other healthcare companies—that have access to patients' protected health information (PHI), in addition to business associates—such as cloud service and IT providers—that process PHI on their behalf.
