Assorted Office 365 Services – Data Storage and Compliance

Published Aug 08 2018 12:34 PM 6,312 Views

Today I met with a customer and the topic of where various data for Office 365 Services was stored and how those services may stack up to compliance requirements in the Healthcare and Life Sciences arena. They provided me a list of different services they wanted to nail down and I set about populating the info with brief write-ups, as well as resource links.

Whether you are a Healthcare and Life Sciences customer, or a customer in another industry, understanding where service data resides and the applications compliance standing may be valuable information. With that in mind I am sharing it here. Bon Apetit! :)

*PS - for all things compliance be sure to visit the Microsoft Trust Center.


  • Forms
    • Microsoft Forms and it’s data are a part of Office 365
    • Microsoft Forms data is stored on servers in the United States and Europe. All data is located in the United States, except for European-based tenants who started using Microsoft Forms after May 2017. Their data is stored in databases in Europe.
    • Microsoft Forms data follows the O365 Compliance Framework, and meets Compliance Category C as outlined in the framework.
    • Microsoft Forms has also met GDPR compliance requirements as of May 2018. Please refer to Office 365 Data Subject Requests for the GDPR for more information.
    • Microsoft Forms meets FERPA and BAA protection standards.
    • For more see:
    • To-Do
      • Since Microsoft To-Do uses Exchange Online for data storage and synchronization, customers benefit from the reliability, security and compliance they've come to expect from Exchange. When you use Microsoft To-Do , your to-dos are stored as tasks in your Exchange Online mailbox, which also hosts data from other Exchange modules such as mails, events, contacts and/or notes.
      • Data is encrypted at rest on Exchange servers and in transit to and from the To-Do app on your
      • browser or device.
      • Since the Microsoft To-Do web app hosted on is considered a service from a compliance perspective, it is developed according to industry compliance standards and has thus been through audits, such as the SOC 2 (Service Organization Controls) Type 1 Audit.
      • Though Microsoft To-Do is not explicitly mentioned in the Online Service Terms or HIPAA Business Associate Agreements agreed to between Microsoft and Office 365 customers, these additions are in progress. In the meantime, it is important to keep in mind that the underlying service (Exchange Online) is represented in both documents and is the sole backend for Microsoft To-Do.
      • For more see:
      • PowerApps
      • Flow
      • Stream
      • Project Online
      • Power BI
        • The Power BI service is built on Azure, which is Microsoft’s cloud computing infrastructure and platform. The Power BI service architecture is based on two clusters – the Web Front End (WFE) cluster and the Back End cluster. The WFE cluster is responsible for initial connection and authentication to the Power BI service, and once authenticated, the Back End handles all subsequent user interactions. Power BI uses Azure Active Directory (AAD) to store and manage user identities, and manages the storage of data and metadata using Azure BLOB and Azure SQL Database, respectively. See Power BI Security
        • In the Power BI service, data is either at rest (data available to a Power BI user that is not currently being acted upon), or it is in process (for example: queries being run, data connections and models being acted upon, data and/or models being uploaded into the Power BI service, and other actions that users or the Power BI service may take on data that is actively being accessed or updated). Data that is in process is referred to as data in process. Data at rest in Power BI is encrypted. Data that is in transit, which means data being sent or received by the Power BI service, is also encrypted. See Power BI Security White Paper
        • Encryption Keys for Power BI. See Power BI Security White Paper 
          • The encryption keys to Azure Blob keys are stored, encrypted, in Azure Key Vault.
          • The encryption keys for Azure SQL Database TDE technology is managed by Azure SQL itself.
          • The encryption key for Data Movement service and on-premises data gateway are stored:
            • In the on-premises data gateway on customer’s infrastructure – for on-premises data sources
            • In the Data Movement Role – for cloud-based data sources
          • Power BI – Which data center hosts my data? Where is my data stored?
        • Sway
          • Sway data is stored in Azure within United States data centers and is working to support data centers worldwide. Sways do not count against your OneDrive for Business storage quota.
          • Differences between Consumer and Commercial Versions:
New Contributor

Hi @Mike Gannotti  this is awesime thanks so much, I've been googling and asking this question for weeks but always get a geographical answer.


Do you know where personal Forms get stored?


The ones that get created if I don't do it within Teams or a Teams base document, for a standard form or polls attached to other apps via the office add-in like Outlook or PowerPoint?


If you could also make a quick reference info graphic for this it would be amazing!






All Forms data is stored in the data services layer tied to the customers tenant. 

Hi @Mike Gannotti.  As a follow-up question to @Andy Hollingworth's question, can you confirm the following:

  • Forms and responses to surveys I create using are under the control of my company's Office 365 tenant
  • Forms and responses to surveys I create are saved/associated with my personal Microsoft account at my employer
  • Form responses I receive are not accessible to others unless I "Share to collaborate" or the person in an Office 365 admin at my company

The net is I am trying to make sure that any data I collect by using Microsoft Forms is linked to my account and not available to others unless I explicitly provide access.  If Microsoft Forms doesn't provide this level of data control/security, can you recommend another Office 365 tool that I can use to create a survey that I want to sent to people internal and external to my company? 


Thank you in advance for your help!



@Marc_Archer_lo The short of it is yes, Forms is just another 365 service with the data tied to the tenant and permissioned in same manner as other 365 entities. You can track down specific compliance adherence here at 

Version history
Last update:
‎Jul 12 2019 01:49 PM
Updated by: