3.7 Azure Compliance, Privacy, and Trust
Key Takeaways
- Microsoft Trust Center is the central resource for information about Microsoft's security, privacy, and compliance practices.
- Azure complies with 100+ compliance offerings including GDPR, HIPAA, ISO 27001, SOC 1/2/3, FedRAMP, and PCI DSS.
- Microsoft Purview provides unified data governance across on-premises, multi-cloud, and SaaS environments.
- Azure Sovereign Regions (Government and China) meet strict compliance requirements for government and regulated industries.
- Microsoft's privacy principles include control, transparency, security, strong legal protections, no content-based targeting, and benefits to users.
Quick Answer: Microsoft Trust Center is the central hub for compliance information. Azure supports 100+ compliance standards (GDPR, HIPAA, ISO 27001, PCI DSS, etc.). Microsoft Purview provides unified data governance. Azure Sovereign Regions serve government and regulated industries.
Microsoft Trust Center
The Microsoft Trust Center is the central resource for information about Microsoft's security, privacy, and compliance practices across all its cloud services (Azure, Microsoft 365, Dynamics 365).
What you find there:
- Security and privacy practices
- Compliance certifications and attestations
- Audit reports (SOC, ISO, etc.)
- White papers and case studies
- Regional compliance information
- Industry-specific compliance details
Azure Compliance Offerings
Azure supports over 100 compliance certifications, more than any other cloud provider. Key offerings include:
Global Standards
| Standard | Description |
|---|---|
| ISO 27001 | Information security management system standard |
| ISO 27018 | Code of practice for protecting personal data in the cloud |
| ISO 27701 | Privacy information management system |
| SOC 1, 2, 3 | Service Organization Controls (financial and operational audits) |
| CSA STAR | Cloud Security Alliance assessment |
Regional and Industry Standards
| Standard | Region/Industry | Description |
|---|---|---|
| GDPR | European Union | General Data Protection Regulation |
| HIPAA | United States (Healthcare) | Health Insurance Portability and Accountability Act |
| FedRAMP | United States (Government) | Federal Risk and Authorization Management Program |
| PCI DSS | Global (Financial) | Payment Card Industry Data Security Standard |
| NIST 800-53 | United States | Security and privacy controls for federal systems |
| UK G-Cloud | United Kingdom | UK government cloud procurement standard |
Microsoft Purview
Microsoft Purview provides a unified data governance and compliance solution:
Purview Data Governance
- Data catalog — Discover and classify data across your entire data estate
- Data map — Automated scanning and classification of data sources
- Data lineage — Track how data flows and transforms across systems
- Data sharing — Securely share data within and across organizations
Purview Compliance
- Compliance Manager — Dashboard showing compliance score and improvement actions
- Data Loss Prevention (DLP) — Prevent sensitive data from leaving the organization
- Information Protection — Classify and label data based on sensitivity
- eDiscovery — Search, hold, and export data for legal proceedings
- Insider Risk Management — Detect risky user activities
On the Exam: Microsoft Purview is the answer when questions mention data governance, data classification, compliance scoring, or data lineage across an organization's entire data estate.
Privacy Principles
Microsoft's six privacy principles:
| Principle | Description |
|---|---|
| Control | You own your data and control how it is used |
| Transparency | Microsoft is transparent about data collection and use |
| Security | Data is protected with strong security and encryption |
| Strong legal protections | Microsoft advocates for your data privacy through legal frameworks |
| No content-based targeting | Microsoft does not use your content for advertising |
| Benefits to you | Data collected is used to improve your experience |
Data Residency and Sovereignty
Data residency refers to where your data is physically stored:
- When you create an Azure resource in a specific region, your data is stored in that region
- Azure does NOT move your data outside the region's geography unless you explicitly configure it (e.g., geo-redundant storage)
- Some regions have specific data residency requirements (e.g., EU data stays in the EU)
Data sovereignty refers to the laws and regulations that apply to data based on where it is stored:
- Data stored in Germany is subject to German data protection laws
- Data stored in the US is subject to US laws
- Azure Sovereign Regions provide isolated environments for specific sovereignty requirements
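The residency rules above (data stays in the region you chose, unless a geo-redundant option replicates it elsewhere) can be audited over an exported resource inventory. The following is an added example, not from this study guide or from Microsoft: the region-to-geography map covers only a handful of regions and is an assumption for illustration, the resource list is constructed, and only the storage SKU names (`Standard_GRS`, `Standard_RAGRS`, `Standard_GZRS`, `Standard_RAGZRS`) are real Azure values.

```python
"""Audit an Azure resource inventory against a data-residency requirement.

Added example (not part of the study guide). Flags resources stored outside
the allowed geography and storage accounts whose geo-redundant SKU copies
data to a second (paired) region, which a residency review must confirm.
"""
from dataclasses import dataclass

# Assumed subset of Azure region names -> geography; extend from the official
# region list before using this on a real inventory.
REGION_GEOGRAPHY = {
    "westeurope": "Europe",
    "northeurope": "Europe",
    "germanywestcentral": "Europe",
    "eastus": "United States",
    "westus": "United States",
    "uksouth": "United Kingdom",
}

# Real storage SKU names that replicate data to the region's paired region.
GEO_REDUNDANT_SKUS = {"Standard_GRS", "Standard_RAGRS",
                      "Standard_GZRS", "Standard_RAGZRS"}


@dataclass
class Finding:
    resource: str
    reason: str


def check_residency(resources, allowed_geography):
    """Return a Finding for every resource that needs attention.

    resources: iterable of dicts with at least 'name' and 'location';
    storage accounts also carry 'sku'.
    """
    findings = []
    for r in resources:
        geo = REGION_GEOGRAPHY.get(r["location"])
        if geo is None:
            findings.append(Finding(
                r["name"],
                f"region {r['location']} not in geography map; verify manually"))
        elif geo != allowed_geography:
            findings.append(Finding(
                r["name"],
                f"stored in {geo} ({r['location']}), outside {allowed_geography}"))
        # Geo-redundant storage is the explicit configuration that moves a copy
        # of the data to another region, so it is reported even when the
        # primary region is compliant.
        sku = r.get("sku")
        if sku in GEO_REDUNDANT_SKUS:
            findings.append(Finding(
                r["name"],
                f"{sku} replicates to the paired region; confirm the pair "
                f"stays within {allowed_geography}"))
    return findings


# Constructed sample inventory (names and placement are made up).
SAMPLE_RESOURCES = [
    {"name": "stweuappdata", "location": "westeurope", "sku": "Standard_LRS"},
    {"name": "stneulogs", "location": "northeurope", "sku": "Standard_GRS"},
    {"name": "vm-eastus-01", "location": "eastus"},
    {"name": "sql-brs-01", "location": "brazilsouth"},
]


if __name__ == "__main__":
    for f in check_residency(SAMPLE_RESOURCES, "Europe"):
        print(f"{f.resource}: {f.reason}")
```

Running this on the sample inventory reports three resources: the GRS account (replication to the paired region), the VM in East US (outside Europe) and the resource in an unmapped region. A check like this complements, rather than replaces, the built-in Azure Policy "Allowed locations" assignment, which blocks non-compliant regions at deployment time; the script is for auditing what already exists.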
Service Level Agreements (SLAs)
Azure SLAs define the guaranteed uptime and connectivity for each service:
| SLA | Uptime | Max Monthly Downtime |
|---|---|---|
| 99.9% | Three nines | ~43 minutes |
| 99.95% | Three and a half nines | ~22 minutes |
| 99.99% | Four nines | ~4.3 minutes |
| 99.999% | Five nines | ~26 seconds |
Key SLA facts:
- Free services do NOT have SLAs (e.g., free tier App Service)
- Composite SLA — When an application depends on multiple services that must all be available, the composite SLA is the product of the individual SLAs (e.g., 99.99% × 99.99% = 99.98%), so it is always lower than any single one
- Financial credits — If Azure fails to meet an SLA, you can claim service credits (not full refunds)
- Higher availability = more expensive (e.g., deploying across availability zones improves SLA but costs more)
On the Exam: SLA questions test your understanding that composite SLAs are LOWER than individual SLAs (multiply the percentages). Adding redundancy improves the composite SLA. Free services have NO SLA.
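The two rules above (dependency chains multiply availabilities; redundancy multiplies failure probabilities) and the downtime figures in the table are worked through in the following added example. It is not from the study guide, and the three-tier scenario with its 99.95% / 99.99% / 99.9% figures is constructed, not Microsoft's published SLA for any Azure service.

```python
"""Composite SLA arithmetic for cloud services (added worked example).

Not part of the study guide; service names and SLA figures in the scenario
below are constructed inputs.
"""
import math

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200 minutes in a 30-day month


def serial_sla(*slas: float) -> float:
    """Composite SLA when every component must be up (a dependency chain).

    Availabilities multiply, so the result is always lower than the weakest
    individual SLA: 0.9999 * 0.9999 = 0.99980001 (99.98%).
    """
    return math.prod(slas)


def parallel_sla(*slas: float) -> float:
    """Composite SLA for redundant copies where any one surviving is enough.

    All copies must fail at once for an outage, so the failure probabilities
    multiply: two 99.9% instances give 1 - 0.001 * 0.001 = 99.9999%.
    """
    return 1.0 - math.prod(1.0 - s for s in slas)


def max_monthly_downtime_minutes(sla: float) -> float:
    """Downtime budget implied by an SLA over a 30-day month."""
    return (1.0 - sla) * MINUTES_PER_MONTH


def as_percent(sla: float) -> str:
    return f"{sla * 100:.4f}%"


def three_tier_example() -> dict:
    """Constructed scenario: web tier 99.95%, database 99.99%, queue 99.9%,
    all required for a request to succeed."""
    web, db, queue = 0.9995, 0.9999, 0.999
    single = serial_sla(web, db, queue)
    # Redundancy only lifts the tier it is applied to: two independent web
    # instances raise that tier to 1 - 0.0005**2, then the chain multiplies.
    redundant_web = parallel_sla(web, web)
    with_redundancy = serial_sla(redundant_web, db, queue)
    return {"single": single, "web_redundant": with_redundancy}


if __name__ == "__main__":
    for label, sla in [("99.9%", 0.999), ("99.95%", 0.9995),
                       ("99.99%", 0.9999), ("99.999%", 0.99999)]:
        print(f"{label:>8} -> {max_monthly_downtime_minutes(sla):6.2f} min/month")
    r = three_tier_example()
    print("chain:", as_percent(r["single"]),
          "| with redundant web tier:", as_percent(r["web_redundant"]))
```

Two things the scenario makes visible that the table alone does not: making the web tier redundant pushes that tier to 99.99998%, yet the whole chain stays below 99.9% because the queue is still a single 99.9% dependency, so redundancy has to be applied to the weakest required component to move the composite figure; and the "~43 minutes" for 99.9% is a monthly budget, which the same arithmetic turns into roughly 26 seconds at five nines.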
Review Questions
- Where can you find Microsoft's security, privacy, and compliance certifications in one place?
- If Service A has a 99.9% SLA and Service B has a 99.9% SLA, what is the composite SLA when both are required?
- Which service provides unified data governance, data classification, and compliance management?
- Do free-tier Azure services have SLAs?