3.7 Azure Compliance, Privacy, and Trust

Key Takeaways

  • The Microsoft Trust Center is the single public hub for security, privacy, and compliance information across Azure, Microsoft 365, and Dynamics 365.
  • Azure holds 100+ compliance offerings (GDPR, HIPAA, ISO 27001, SOC 1/2/3, FedRAMP, PCI DSS); the Service Trust Portal hosts the actual downloadable audit reports.
  • Microsoft Purview delivers unified data governance — data catalog, data map, lineage, classification, and compliance scoring — across multi-cloud and SaaS estates.
  • Data residency = WHERE data physically lives; data sovereignty = WHICH laws govern it; Azure does not move your data out of its geography unless you configure geo-replication.
  • Composite SLAs multiply (99.9% x 99.9% = 99.81%), so chaining dependent services lowers availability while adding redundancy raises it; free-tier services carry no SLA.

Last updated: June 2026

Quick Answer: Trust Center = the public marketing/info hub for trust topics. Service Trust Portal = where the downloadable audit reports live. Microsoft Purview = data governance and classification. Composite SLA = multiply the percentages (so it always goes down). Free services have no SLA.

Microsoft Trust Center vs Service Trust Portal

The Microsoft Trust Center is the central, public-facing resource describing how Microsoft handles security, privacy, and compliance across Azure, Microsoft 365, and Dynamics 365. It hosts overviews, white papers, regional compliance summaries, and the privacy principles.

A closely related distractor is the Service Trust Portal (STP) — this is where you actually download the audit artifacts (ISO certificates, SOC 1/2/3 reports, FedRAMP packages). On the exam: "where do I read about Microsoft's practices?" → Trust Center; "where do I download the SOC 2 report for my auditor?" → Service Trust Portal.

Azure compliance offerings (100+)

Azure advertises more than 100 compliance offerings, more than any other cloud provider. You do not memorize all of them — you recognize what each acronym governs.

Global standards

| Standard | What it covers |
|---|---|
| ISO 27001 | Information security management system (ISMS) |
| ISO 27018 | Protecting personally identifiable information in the cloud |
| ISO 27701 | Privacy information management |
| SOC 1 / 2 / 3 | Service Organization Controls — financial (1) and security/availability (2/3) audits |
| CSA STAR | Cloud Security Alliance security assessment |

Regional and industry standards

| Standard | Region / Industry | Plain-English purpose |
|---|---|---|
| GDPR | European Union | General Data Protection Regulation — personal-data rights |
| HIPAA | US Healthcare | Protects patient health information |
| FedRAMP | US Government | Authorizes cloud services for federal agencies |
| PCI DSS | Global Finance | Securing payment-card data |
| NIST 800-53 | US Federal | Security and privacy controls baseline |
| CJIS | US Law Enforcement | Criminal Justice Information Services |

Scenario shortcut: a US hospital → HIPAA; a payment processor → PCI DSS; a US federal agency → FedRAMP; an EU citizen's personal data → GDPR.

Microsoft Purview: unified data governance

Microsoft Purview is the answer whenever a question mentions discovering, classifying, or governing data across an entire estate — on-premises, multi-cloud, and SaaS.

  • Data catalog — searchable inventory of all data assets
  • Data map — automated scanning and classification of sources
  • Data lineage — traces how data flows and transforms end to end
  • Compliance Manager — a compliance score with prioritized improvement actions
  • Data Loss Prevention (DLP) and Information Protection — sensitivity labels that stop data leaving

Trap: do not confuse Purview with Azure Policy (enforces resource configuration rules) or Microsoft Defender for Cloud (threat protection). Purview = data governance.

The six privacy principles

| Principle | Meaning |
|---|---|
| Control | You own and control your data |
| Transparency | Microsoft is open about how data is used |
| Security | Data is protected with encryption and strong controls |
| Strong legal protections | Microsoft defends your privacy rights legally |
| No content-based targeting | Your content is never mined for ads |
| Benefits to you | Data use improves your own experience |

Data residency vs data sovereignty

  • Data residency = the physical location where data is stored. Create a resource in West Europe and the data stays in that geography; Azure does not move it elsewhere unless you enable geo-redundant replication.
  • Data sovereignty = the laws and jurisdiction that apply based on that location. Data in Germany is subject to German law. Sovereign/specialized regions (for example, Azure Government for US agencies) provide physically isolated environments for the strictest requirements.

Service Level Agreements (SLA) math

An SLA is Microsoft's financially backed uptime guarantee for a paid service.

| SLA | Nickname | Approx. monthly downtime |
|---|---|---|
| 99.9% | three nines | ~43 minutes |
| 99.95% | | ~22 minutes |
| 99.99% | four nines | ~4.3 minutes |
| 99.999% | five nines | ~26 seconds |

  • Composite SLA = multiply dependent services: 99.9% x 99.9% = 99.81% (lower than either part).
  • Adding redundancy (availability zones, paired regions) raises the effective SLA.
  • Free-tier services have no SLA at all.
  • Missing an SLA earns service credits — a discount, never a cash refund.

Worked SLA example

Suppose an application uses App Service (99.95%) in front of Azure SQL Database (99.99%), and both must be up for the app to function. The composite SLA is 0.9995 x 0.9999 = 0.99940, i.e. 99.94% — lower than either component. Add a second region behind Traffic Manager and the math flips: the failure probabilities multiply instead, so two 99.95% regions in parallel push the combined availability toward 99.9999%. The takeaway the exam wants: serial dependencies drag the SLA down; parallel redundancy pulls it up.
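The SLA arithmetic from this section and the worked example above, carried through in Python as an added example (it is not code from the original page or from Microsoft). Two assumptions are labelled in the code: a 30-day month for the downtime figures, and `None` as the marker for a free-tier service that carries no SLA, so that any chain containing one has no composite SLA either.

```python
"""Serial and parallel SLA composition for dependent Azure services.

Added example, not Microsoft's published calculator. SLAs are handled as
fractions (0.999 for 99.9%). Assumptions: a 30-day month for downtime
figures, and None to represent a free-tier service with no SLA.
"""
import math

# Assumption: 30-day month. 0.1% of 43,200 minutes = 43.2 min, which matches
# the "~43 minutes" figure in the table above.
MINUTES_PER_MONTH = 30 * 24 * 60


def _check(slas):
    """Reject values outside [0, 1]; None (no SLA) is allowed through."""
    for s in slas:
        if s is not None and not 0.0 <= s <= 1.0:
            raise ValueError(f"SLA must be a fraction between 0 and 1, got {s}")


def serial_sla(slas):
    """All components must be up for the system to work.

    Availabilities multiply, so the composite is never higher than the
    weakest part. If any component has no SLA (None), the chain has none.
    """
    _check(slas)
    if any(s is None for s in slas):
        return None
    return math.prod(slas)


def parallel_sla(slas):
    """Any one component being up is enough (redundant regions / zones).

    Failure probabilities multiply, so the composite is never lower than
    the strongest part. A component with no SLA contributes nothing and is
    ignored, since we cannot claim availability we are not guaranteed.
    """
    _check(slas)
    guaranteed = [s for s in slas if s is not None]
    if not guaranteed:
        return None
    return 1.0 - math.prod(1.0 - s for s in guaranteed)


def monthly_downtime_minutes(sla):
    """Expected minutes of downtime per (30-day) month at a given SLA."""
    _check([sla])
    return (1.0 - sla) * MINUTES_PER_MONTH


def pct(fraction, places=2):
    """Render a fraction as a percentage string, e.g. 0.998001 -> '99.80%'."""
    return f"{fraction * 100:.{places}f}%"


def worked_example():
    """The page's scenario: App Service (99.95%) in series with Azure SQL
    Database (99.99%), then the same stack deployed in two regions in
    parallel. Returns (single_region, two_regions) as fractions."""
    app_service, azure_sql = 0.9995, 0.9999
    single_region = serial_sla([app_service, azure_sql])
    two_regions = parallel_sla([single_region, single_region])
    return single_region, two_regions


if __name__ == "__main__":
    print("two 99.9% services in series:", pct(serial_sla([0.999, 0.999]), 4))
    single, double = worked_example()
    print("App Service + SQL, one region:", pct(single, 4))
    print("same stack in two regions:   ", pct(double, 6))
    print("free-tier dependency:", serial_sla([0.999, None]))
    for s in (0.999, 0.9995, 0.9999, 0.99999):
        print(f"{pct(s, 3):>9} -> {monthly_downtime_minutes(s):6.2f} min/month")
```

Two things the numbers show that the prose only states: the exact product of two 99.9% SLAs is 0.998001, which rounds to 99.80%, and the parallel figure for two regions is an upper bound. Whatever routes traffic between the regions is itself a component that every request depends on, so by the page's own rule it sits in series with the redundant pair and its SLA multiplies the result back down; a practitioner should feed that component into `serial_sla` as well before quoting a composite figure.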

Common AZ-900 traps in this section

  • Trust Center vs Service Trust Portal — read about practices on the Trust Center; download the SOC/ISO reports from the Service Trust Portal.
  • Purview vs Policy vs Defender — Purview governs data; Azure Policy governs resource configuration; Defender for Cloud handles threats. The word "governance over a data estate" is your Purview signal.
  • Residency vs sovereignty — residency is the place; sovereignty is the law. They are often offered as two options in the same question.
  • "No content-based targeting" is the privacy principle the exam loves to quote — Microsoft does not mine your content for advertising.
  • Region defaults — Azure keeps your data inside the chosen geography unless you enable geo-redundant replication; it never silently relocates data.

On the Exam: Two facts win most SLA questions — dependent services multiply (so the composite is always smaller), and free tiers have zero SLA. Microsoft publishes a single SLA document per service; there is no global blanket SLA covering every Azure product at once.

Test Your Knowledge

An auditor asks your team to provide Microsoft's signed SOC 2 audit report to satisfy a compliance review. Where do you download the actual report?

Test Your Knowledge

An application depends on two Azure services, each with a 99.9% SLA, and both must be available for the app to work. What is the composite SLA?

Test Your Knowledge

A data team needs to discover, classify, and trace the lineage of data spread across on-premises databases, multiple clouds, and SaaS apps. Which service fits?

Test Your Knowledge

Which statement about Azure Service Level Agreements is correct?
