Abstract
This document provides an overview of Microsoft Azure compliance offerings intended to help customers meet their own compliance obligations across regulated industries and markets worldwide. Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings), as well as depth (number of customer-facing services in assessment scope). Azure compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific. Each offering description provides an up to-date-scope statement and links to useful downloadable resources.
Overview
Azure is a multi-tenant hyperscale cloud platform that is available or announced to customers in 60+regions worldwide. Most Azure services enable customers to specify the Region where their Customer Data will be located. Microsoft may replicate Customer Data to other Regions within the same Geo for data resiliency but Microsoft will not replicate Customer Data outside the chosen Geo (e.g., United States). Microsoft makes 5 distinct Azure cloud environments available to customers:
- Azure public cloud service is available globally
- Azure in China is available through a unique partnership between Microsoft and 21Vianet, one of the country’s largest Internet providers
- Azure Government is available from 3 regions in the United States to US government agencies and their partners
- Azure Government for DoD is available from 2 regions in the United States to the US Department of Defense
To help customers meet their own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings), as well as depth (number of customer-facing services in assessment scope). To find out which Azure services are available in which regions, customers should explore the Azure global infrastructure product availability dashboard.
Azure compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific. Compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self- assessments, and customer guidance documents produced by Microsoft. Each offering description in this document provides an up to date scope statement indicating which Azure customer-facing services are in scope for the assessment, as well as links to downloadable resources to assist customers with their own compliance obligations. For select third-party assessments, Appendices A and B list services in audit scope for Azure and Azure Government, respectively.
More detailed information about Azure compliance offerings is available from the Trust Center. Moreover, all downloadable documentation is available to Azure customers under a non-disclosure agreement from the Service Trust Portal in sections labeled:
- Audit Reports, which is further divided into FedRAMP, GRC Assessment, ISO, PCI DSS, and SOC reports sections;
- Data Protection Resources, which is further divided into Compliance Guides, FAQ and White Papers, and Pen Test and Security Assessments sections.
Customers are wholly responsible for ensuring their own compliance with all applicable laws and regulations. Information provided in this document does not constitute legal advice, and customers should consult their legal advisors for any questions regarding regulatory compliance.
