Assorted Office 365 Services – Data Storage and Compliance

Today I met with a customer and the topic of where various data for Office 365 Services was stored and how those services may stack up to compliance requirements in the Healthcare and Life Sciences arena. They provided me a list of different services they wanted to nail down and I set about populating the info with brief write-ups, as well as resource links.

Whether you are a Healthcare and Life Sciences customer, or a customer in another industry, understanding where service data resides and the applications compliance standing may be valuable information. With that in mind I am sharing it here. Bon Apetit! :)

*PS - for all things compliance be sure to visit the Microsoft Trust Center.

• Forms
  • Microsoft Forms and it’s data are a part of Office 365
  • Microsoft Forms data is stored on servers in the United States and Europe. All data is located in the United States, except for European-based tenants who started using Microsoft Forms after May 2017. Their data is stored in databases in Europe.
  • Microsoft Forms data follows the O365 Compliance Framework, and meets Compliance Category C as outlined in the framework.
  • Microsoft Forms has also met GDPR compliance requirements as of May 2018. Please refer to Office 365 Data Subject Requests for the GDPR for more information.
  • Microsoft Forms meets FERPA and BAA protection standards.
  • For more see:
    • Set up Microsoft Forms
    • Frequently asked questions about Microsoft Forms
    • Turn off or turn on Microsoft Forms
  • To-Do
    • Since Microsoft To-Do uses Exchange Online for data storage and synchronization, customers benefit from the reliability, security and compliance they've come to expect from Exchange. When you use Microsoft To-Do , your to-dos are stored as tasks in your Exchange Online mailbox, which also hosts data from other Exchange modules such as mails, events, contacts and/or notes.
    • Data is encrypted at rest on Exchange servers and in transit to and from the To-Do app on your
    • browser or device.
    • Since the Microsoft To-Do web app hosted on https://to-do.microsoft.com is considered a service from a compliance perspective, it is developed according to industry compliance standards and has thus been through audits, such as the SOC 2 (Service Organization Controls) Type 1 Audit.
    • Though Microsoft To-Do is not explicitly mentioned in the Online Service Terms or HIPAA Business Associate Agreements agreed to between Microsoft and Office 365 customers, these additions are in progress. In the meantime, it is important to keep in mind that the underlying service (Exchange Online) is represented in both documents and is the sole backend for Microsoft To-Do.
    • For more see:
      • Review data storage and compliance in Microsoft To-Do
      • Get started with Microsoft To-Do
    • PowerApps
      • Where is Microsoft PowerApps data stored? PowerApps provides a number of out-of-box connectors to store data on SQL, Dropbox, SharePoint and many other platforms. See PowerApps and the Microsoft Common Data Model
      • In PowerApps, most canvas apps use external information stored in cloud services called Data Sources. A common example is a table in an Excel file stored in OneDrive for Business. Apps access these data sources by using Connections. See Understand data sources for canvas apps in PowerApps
      • See Responding to Data Subject Rights (DSR) requests for PowerApps customer data
      • See Administer PowerApps
    • Flow
      • Flows are stored in Azure. Your flow is deployed in the region that hosts the environment. For example, if your environment is created in the Europe region, your flow is deployed in Europe data centers. See FAQ for regions in Microsoft Flow
      • See Microsoft Flow audit events now available in Office 365 Security & Compliance Center
      • As an Administrator, you don't want flows that get data from an internal location (such as OneDrive for Business or a SharePoint list that contains salary information), and then post that data publicly (such as to Twitter). Use data loss prevention to control which services can share data within your Microsoft Flow deployment. See Using environments within Microsoft Flow
      • Data loss prevention (DLP) policies for Flow
      • Responding to GDPR Data Subject Requests for Microsoft Flow
      • Microsoft Flow Documentation
    • Stream
      • Microsoft Stream is Tier-C compliant in the Office 365 Compliance Framework which covers SOC 1, SOC 2, ISO 27001, HIPAA, and EU Model Clauses. See Microsoft Stream is Tier-C certified as per Office 365 Compliance Framework     
      • Microsoft Stream audit events now in Office 365 Security & Compliance Center
      • Microsoft Stream FAQ
    • Project Online
      • Project Online stores all of its data in Office 365
      • Project Online Documentation
    • Power BI
      • The Power BI service is built on Azure, which is Microsoft’s cloud computing infrastructure and platform. The Power BI service architecture is based on two clusters – the Web Front End (WFE) cluster and the Back End cluster. The WFE cluster is responsible for initial connection and authentication to the Power BI service, and once authenticated, the Back End handles all subsequent user interactions. Power BI uses Azure Active Directory (AAD) to store and manage user identities, and manages the storage of data and metadata using Azure BLOB and Azure SQL Database, respectively. See Power BI Security
      • In the Power BI service, data is either at rest (data available to a Power BI user that is not currently being acted upon), or it is in process (for example: queries being run, data connections and models being acted upon, data and/or models being uploaded into the Power BI service, and other actions that users or the Power BI service may take on data that is actively being accessed or updated). Data that is in process is referred to as data in process. Data at rest in Power BI is encrypted. Data that is in transit, which means data being sent or received by the Power BI service, is also encrypted. See Power BI Security White Paper
      • Encryption Keys for Power BI. See Power BI Security White Paper 
        • The encryption keys to Azure Blob keys are stored, encrypted, in Azure Key Vault.
        • The encryption keys for Azure SQL Database TDE technology is managed by Azure SQL itself.
        • The encryption key for Data Movement service and on-premises data gateway are stored:
          • In the on-premises data gateway on customer’s infrastructure – for on-premises data sources
          • In the Data Movement Role – for cloud-based data sources
        • Power BI – Which data center hosts my data? Where is my data stored?
      • Sway
        • Sway data is stored in Azure within United States data centers and is working to support data centers worldwide. Sways do not count against your OneDrive for Business storage quota.
        • Differences between Consumer and Commercial Versions:
          • The Sway creation experience looks and feels the same whether you’re logged in with a Microsoft account or an Office 365 work or school account. Sway is still your digital design assistant no matter how you use it. However, there are some differences including premium features when you log in with an Office 365 work or school account:
            • Content sources in the Insert tab are tailored for Office 365 commercial users.
            • By default, Sways can only be viewed by others in your organization.
            • Built-in sharing options are scoped for Office 365 commercial use.
            • Office 365 global admins can control turning Sway on or off for individual users, as well as disable external sharing of Sway for people in the organization.
            • Ability to add password protection to Sways.
            • Ability to add more content into the Sway.
            • Ability to remove the Sway informational footer.
            • Ability to add a logo to the Sway title.
            • Ability to view more advanced analytics.
          • Sway currently supports encryption in flight via https. Encryption at rest is currently supported for Sways created or edited after December 7, 2017.
          • Sway meets compliance category C. For more info, read the Compliance Framework for Office 365 and check out the Office 365 Trust Center.
          • For More on Sway visit:
            • Frequently asked questions about Sway – Admin Help
            • Administrator settings for Sway
          • StaffHub
            • StaffHub data is currently stored in Azure in datacenters in North America and Western Europe. For more information about where data is stored, see Where is my data?
            • Our compliance framework provides visibility into Office 365’s compliance with global, regional, and industry standards, and details how customers can control Office 365 services based on compliance needs. Review our Office 365 Compliance Framework for Industry Standards and Regulations to check the category for StaffHub.
            • 
            • Windows White Board
              • Enable Microsoft Whiteboard for your organization
              • Set up and use Whiteboard to Whiteboard collaboration
            • Live Events
              • See Stream