Common use of Online Services Information Security Policy Clause in Contracts

Online Services Information Security Policy. Each Online Service follows a written data security policy (“Information Security Policy”) that complies with the control standards and frameworks shown in the table below. Online Service ISO 27001 ISO 27002 Code of Practice ISO 27018 Code of Practice SSAE 16 SOC 1 Type II SSAE 16 SOC 2 Type II Office 365 Services Yes Yes Yes Yes Yes Microsoft Dynamics 365 Core Services Yes Yes Yes Yes* Yes* Microsoft Azure Core Services Yes Yes Yes Varies** Varies** Microsoft Cloud App Security Yes Yes Yes Yes Yes Microsoft Graph Yes Yes Yes No No Microsoft Intune Online Services Yes Yes Yes Yes Yes Microsoft Business Application Platform Core Services Yes Yes Yes Yes Yes *Does not include Microsoft Social Engagement. **Current scope is detailed in the audit report and summarized in the Microsoft Azure Trust Center. Microsoft will provide an updated schedule for products not shown on this graph via the Online Services Terms document. Microsoft may add industry or government standards at any time. Microsoft will not eliminate a standard or framework in the table above unless it is no longer used in the industry and it is replaced with a successor (if any). In the event Microsoft provides Customer with products not shown on the schedule above, Microsoft, where appropriate, will provide an updated schedule listing the Microsoft product or service and the applicable control standard via the Online Services Terms document. Subject to non-disclosure obligations, Microsoft will make each Information Security Policy available to Customer, along with other information reasonably requested by Customer regarding Microsoft security practices and policies. Customer is solely responsible for reviewing each Information Security Policy and making an independent determination as to whether it meets Customer’s requirements.

Online Services Information Security Policy. Each Online Service follows a written data security policy (“Information Security Policy”) that complies with the control standards and frameworks shown in the table below. Online Service ISO 27001 ISO 27002 Code of Practice ISO 27018 Code of Practice SSAE 16 SOC 1 Type II SSAE 16 SOC 2 Type II Office 365 Services Yes Yes Yes Yes Yes Microsoft Dynamics 365 Core Online Services Yes Yes Yes Yes* Yes* Microsoft Azure Core Services Yes Yes Yes Varies** Varies** Microsoft Cloud App Security Yes Yes Yes Yes Yes Microsoft Graph Yes Yes Yes No No Microsoft Intune Online Services Yes Yes Yes Yes Yes Online Service ISO 27001 ISO 27002 Code of Practice ISO 27018 Code of Practice SSAE 16 SOC 1 Type II SSAE 16 SOC 2 Type II Microsoft Business Application Platform Core Power BI Services Yes Yes Yes Yes Yes No No *Does not include Microsoft Dynamics Marketing or Microsoft Social Engagement. **Current scope is detailed in the audit report and summarized in the Microsoft Azure Trust Center. Microsoft will provide an updated schedule for products not shown on this graph via the Online Services Terms document. Microsoft may add industry or government standards at any time. Microsoft will not eliminate a standard or framework in the table above above, unless it is no longer used in the industry and it is replaced with a successor (if any). In the event Microsoft provides Customer with products not shown Azure Government Services meet a separate set of control standards and frameworks, as detailed on the schedule above, Microsoft, where appropriate, will provide an updated schedule listing the Microsoft product or service and the applicable control standard via the Online Services Terms documentAzure Trust Center. Subject to non-disclosure obligations, Microsoft will make each Information Security Policy available to Customer, along with other information reasonably requested by Customer regarding Microsoft security practices and policies. Customer is solely responsible for reviewing each Information Security Policy and making an independent determination as to whether it meets Customer’s requirements. If the Standard Contractual Clauses apply, then this section is in addition to Clause 5 paragraph f and Clause 12 paragraph 2 of the Standard Contractual Clauses.