Assorted Office 365 Services – Data Storage and Compliance
Published Aug 08 2018 12:34 PM 7,451 Views

Today I met with a customer and the topic of where various data for Office 365 Services was stored and how those services may stack up to compliance requirements in the Healthcare and Life Sciences arena. They provided me a list of different services they wanted to nail down and I set about populating the info with brief write-ups, as well as resource links.

Whether you are a Healthcare and Life Sciences customer, or a customer in another industry, understanding where service data resides and the applications compliance standing may be valuable information. With that in mind I am sharing it here. Bon Apetit! :)

*PS - for all things compliance be sure to visit the Microsoft Trust Center.


  • Forms
    • Microsoft Forms and it’s data are a part of Office 365
    • Microsoft Forms data is stored on servers in the United States and Europe. All data is located in the United States, except for European-based tenants who started using Microsoft Forms after May 2017. Their data is stored in databases in Europe.
    • Microsoft Forms data follows the O365 Compliance Framework, and meets Compliance Category C as outlined in the framework.
    • Microsoft Forms has also met GDPR compliance requirements as of May 2018. Please refer to Office 365 Data Subject Requests for the GDPR for more information.
    • Microsoft Forms meets FERPA and BAA protection standards.
    • For more see:
    • To-Do
      • Since Microsoft To-Do uses Exchange Online for data storage and synchronization, customers benefit from the reliability, security and compliance they've come to expect from Exchange. When you use Microsoft To-Do , your to-dos are stored as tasks in your Exchange Online mailbox, which also hosts data from other Exchange modules such as mails, events, contacts and/or notes.
      • Data is encrypted at rest on Exchange servers and in transit to and from the To-Do app on your
      • browser or device.
      • Since the Microsoft To-Do web app hosted on is considered a service from a compliance perspective, it is developed according to industry compliance standards and has thus been through audits, such as the SOC 2 (Service Organization Controls) Type 1 Audit.
      • Though Microsoft To-Do is not explicitly mentioned in the Online Service Terms or HIPAA Business Associate Agreements agreed to between Microsoft and Office 365 customers, these additions are in progress. In the meantime, it is important to keep in mind that the underlying service (Exchange Online) is represented in both documents and is the sole backend for Microsoft To-Do.
      • For more see:
      • PowerApps
      • Flow
      • Stream
      • Project Online
      • Power BI
        • The Power BI service is built on Azure, which is Microsoft’s cloud computing infrastructure and platform. The Power BI service architecture is based on two clusters – the Web Front End (WFE) cluster and the Back End cluster. The WFE cluster is responsible for initial connection and authentication to the Power BI service, and once authenticated, the Back End handles all subsequent user interactions. Power BI uses Azure Active Directory (AAD) to store and manage user identities, and manages the storage of data and metadata using Azure BLOB and Azure SQL Database, respectively. See Power BI Security
        • In the Power BI service, data is either at rest (data available to a Power BI user that is not currently being acted upon), or it is in process (for example: queries being run, data connections and models being acted upon, data and/or models being uploaded into the Power BI service, and other actions that users or the Power BI service may take on data that is actively being accessed or updated). Data that is in process is referred to as data in process. Data at rest in Power BI is encrypted. Data that is in transit, which means data being sent or received by the Power BI service, is also encrypted. See Power BI Security White Paper
        • Encryption Keys for Power BI. See Power BI Security White Paper 
          • The encryption keys to Azure Blob keys are stored, encrypted, in Azure Key Vault.
          • The encryption keys for Azure SQL Database TDE technology is managed by Azure SQL itself.
          • The encryption key for Data Movement service and on-premises data gateway are stored:
            • In the on-premises data gateway on customer’s infrastructure – for on-premises data sources
            • In the Data Movement Role – for cloud-based data sources
          • Power BI – Which data center hosts my data? Where is my data stored?
        • Sway
          • Sway data is stored in Azure within United States data centers and is working to support data centers worldwide. Sways do not count against your OneDrive for Business storage quota.
          • Differences between Consumer and Commercial Versions:
Version history
Last update:
‎Jul 12 2019 01:49 PM
Updated by: