THIS PAGE IS FOR MICROSOFT PARTNER USE ONLY. Last updated 10/30/2018 COMPLIANCE PLAYCARD Key Customer Concerns Assess & Manage Risk Protect & Govern Sensitive Data Streamline & Respond Broad Set of Compliance Standards Not understanding your compliance posture; facing significant penalties for non-compliance Preventing sensitive data from getting into the wrong hands; properly governing and managing data Difficulty finding what data is relevant to efficiently conduct inquiries or respond to investigations and legal or regulatory requests Keeping up with increasing regulations for governing the collection and use of personal data Challenger Questions How do you currently assess your compliance posture? We help you to understand your compliance posture against regulatory requirements by providing scoring plus recommendations. Executives and boards of directors need a quick view, and we provide visibility into your compliance posture that you can access easily. How could your compliance improve without negatively affecting your users? Content can be classified (by users or automatically), encrypted, and protected by defining who can access it. Content can be self-protecting: the ultimate information protection is automated protection that doesn’t depend on users—90% of data leakage is caused by user mistakes. Data can be retained automatically for specific periods. What are your concerns about maintaining compliance in the cloud? When on-premises, you have 100% responsibility for compliance. With the cloud, Microsoft shares this responsibility and manages a larger part (access controls, protect data, personnel control). Decision makers who use the cloud are more confident in their ability to comply with GDPR vs. those who prefer to store data on-premises (92% vs. 65%). How can your cloud service provider partner with you to help you stay compliant? Microsoft has more than 1,400 lawyers and public policy professionals working with legal and compliance leaders to help tackle regulatory issues you face in more than 100 countries where you and we do business. For example, we were the first cloud provider to offer Business Associate Agreements that enable healthcare organizations to comply with HIPAA. Steps to Sell & Drive Usage Best Practices Build digital transformation vision and support dark to cloud conversation with ECIF, Business Value Tools. Bring the vision to life with a 2-day onsite workshop, and GDPR Detailed Assessment. Shape the business case and prove ROI by conducting a discovery to identify risks for client and leveraging ECIF for GDPR Data Discovery. Sell it right, and build sustainable deals with strategic go-to-market resources for GDPR, SMB or Enterprise, and commissioned Business Value Programs. Drive usage and accelerate adoption of priority Compliance and GDPR workloads including AIP and Compliance Manager with the resources available on FastTrack and including the FastTrack Productivity Library. Learn what regulations are important to your customer – Find out the customer’s concerns (risk, regulations, internal requirements, customer contractual agreements, regular practices). Understand Microsoft’s position and differentiation of services around their concerns. Discussing how our capabilities enable our customers is key for driving the right conversations with them. Service Trust Portal Establish credibility up front – Communicate Microsoft’s Trusted Cloud story and our commitment to helping customers on their compliance journey, focusing on regulations that affect them. Lead with Microsoft 365 Conversation Starter: providing customers with the most trusted, secure, and productive way to deliver the cloud. Reinforce that compliance goes beyond IT – People and processes are critical. Start with educating the customer about GDPR and a GDPR Assessment. Align with the right partner – Compliance may require additional support beyond the technology we provide. Learn which other partners are influencing decisions and align on a joint approach. See 5.25 case study on partners coming together to deliver compliance services. Highlight the deletion of data you don’t need – Data governance helps you dispose of data that you don’t need to retain, helping reducing liability, because governance isn’t just about keeping data for the right time period.

THIS PAGE IS FOR MICROSOFT PARTNER USE ONLY. Product and Customer Value Assess & Manage Risk Protect & Govern Sensitive Data Streamline & Respond Broad Set of Compliance Standards Deliver ongoing risk assessment, actionable insights (STP) Automatically classify, protect, and govern data (ADG, AIP Premium, Identity and Access Management, Encryption) Respond to regulatory, legal, or information requests quickly (eDiscovery, Customer Lockbox, PAM, PIM) Provides a comprehensive set of international and industry-specific compliance offerings (Compliance Offerings) Product Value Reduced compliance risk with better assessment of your compliance posture against regulations or standards. Audit ready report of Microsoft and customer-managed controls with supporting details. Built-in, intelligent capabilities work together to more effectively govern data and safeguard it from inadvertent employee leaks or advanced threats. Ensure you keep the data you need and delete what you don’t to reduce cost and risk. Finding the data you need when you need it using targeted content search, eDiscovery, and workflows for Data Subject Requests or privileged access provide peace of mind that you will be ready to respond when called upon. Over 1,100 controls in the Office 365 compliance framework – the most comprehensive set of compliance offerings of any cloud service provider, including ISO 27001/27018, FedRAMP, FISMA, EU Model Clauses, GDPR. Customer Value Supporting Offers and Recommended Add-ons Buyers: General Counsel (Legal), Chief Compliance Officer, Privacy Officer, CISO, LoB Executive Lead Offers Microsoft 365 E5 (hero) includes all advanced compliance capabilities Add-ons (to E3) Advanced Compliance Azure Information Protection P2 (FAQ, features) For Partners: Microsoft 365 Compliance Practices Good Better Best Licensing Microsoft 365 licenses and E5 upgrades Project services Secure Score and enterprise security assessments Cloud security policy development and technology road map Microsoft 365 pilots and deployment project services Pull-through project services Security policy implementation services Governance, risk, compliance, and GDPR assessments and consulting services Managed services Server security monitoring and backup services Managed services Security monitoring, alerting, and remediation services using Microsoft Security Graph API EMS and AD user onboarding and management Cloud application security Repeatable IP Data inventorying, mapping, and governance solutions SharePoint online user and AD synchronization Additional Resources General Resources Microsoft 365 Partner Portal GDPR partners How Microsoft Supports GDPR GDPR Webinar Office 365 Info Protection for GDPR Programs Microsoft Mechanics videos Practice Development Playbook GTM Resources Customer Ready Resources GDPR: Overview | Assessment Microsoft Trust Center Service Trust Portal Service Trust Portal and Compliance Manager paper Encryption Whitepaper Get GDPR compliant with Microsoft Tools GDPR Demos Compliance Manager Toolkit GDPR Detailed assessment IT Roadmap Productivity Library Customer Evidence

Microsoft 365. Intelligent, in place, and continuous compliance. Built-in compliance with Microsoft 365 Accelerate your compliance journey Most comprehensive set of compliance offerings of any cloud service provider. We wanted the best of both worlds—easy-to-use consumer- based technology that had the security, privacy, regulatory compliance, and governance of a corporate solution.”  Mansour Zadeh, Senior Vice President and Global CIO, Smithfield Foods Starting with a compliant cloud solution, you can more easily address even the most rigorous security, privacy, and compliance demands worldwide. Microsoft 365 includes integrated, flexible tools that help reduce cost and compliance risk across international, regional, and industry-specific standards and terms, and even internal requirements—all without compromising user productivity. Microsoft 365 compliance capabilities help your organization to… Assess and manage compliance risk from one place 65% cited “design and implementation of internal processes” as the biggest GDPR hurdle1 Gain visibility into your compliance posture with a risk-based score. Get actionable insights to improve data protection capabilities. 1 Compuware, “Unprepared for GDPR?” 2017 Protect and govern sensitive data intelligently #1 GDPR compliance concern is protecting customer data2 Integrated classification, labeling, and encryption capabilities enable persistent protection of data across devices, apps, the cloud, and on-premises solutions. 2 Microsoft, “Microsoft GDPR survey,” 2017 Streamline and efficiently respond to regulatory requests and requirements $9B spent on eDiscovery investigations3 Built-in, audit-ready tools support cross-team collaboration to manage compliance needs and respond to data privacy requests more efficiently. 3 Mandiant, “M-Trends 2017 report,” 2017 Adhere to a broad set of international and industry-specific compliance standards 60-80% of the controls are managed by Microsoft under the shared responsibility model Rely on the cloud with the most comprehensive compliance coverage, with standards including ISO 27001, FedRAMP, NIST 800- 171, and the contractual commitment of GDPR compliance. Microsoft 365. Intelligent, in place, and continuous compliance. Visit Trust Center, Compliance and the Productivity Library to find additional resources.