Security
- Best-in-class security with over a decade of experience building enterprise software and online services
- Physical and data security with access control, encryption and strong authentication
- Security best practices like penetration testing and defense-in-depth to protect against cyber-threats
- Unique customer controls with Rights Management Services to empower customers to protect information

Compliance
- Commitment to industry standards and organizational compliance
- Enable customers to meet global compliance standards such as ISO 27001, EUMC (EU Model Clauses), HIPAA and FISMA
- Contractual commitment to privacy, security and handling of customer data through Data Processing Agreements
- Admin controls like Data Loss Prevention, Legal Hold and eDiscovery to enable organizational compliance

Privacy
- Privacy by design, with complete separation of enterprise and consumer services
- No mining of data for advertising
- Transparency about the location of customer data, who has access and under what circumstances
- Customers have greater control over privacy to enable or regulate sharing based on organizational needs
Where is data stored? Who accesses it, and what is accessed?
- Core Customer Data is accessed only for troubleshooting and malware prevention purposes.
- Core Customer Data access is limited to key personnel on an exception basis only.
- Clear data maps and geographic boundary information are provided.
- The 'Ship To' address determines the data center location.

Do I get notified?
- Microsoft notifies you of changes in data center locations.
Will you use my data to build advertising products? Who owns the data I put in your service?
You own your data and retain the rights, title, and interest in the data you store in Office 365. You can take your data with you whenever you want. We do not mine your data for advertising purposes. It is our policy not to use your data for purposes other than providing you productivity services. We design our Office 365 commercial services to be separate from our consumer services so that there is no mixing of data between the two. Learn more about data portability and how we use your data.
No advertising
- No advertising products built from Customer Data
- No scanning of email or documents to build analytics or mine data

Transparency
- Access to information about the geographical location of data, who has access and when
- Notification to customers about changes in security, privacy and audit information

Privacy controls
- Various customer controls at admin and user level to enable or regulate sharing
- If the customer decides to leave the service, they get to take their data with them and delete it in the service
We are the first and only major cloud-based productivity service to offer the following:

Data Processing Agreement
- Addresses privacy, security and handling of Customer Data.
- Goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states.
- Enables customers to comply with their local regulations.

EU Model Clauses
- A set of stringent European Union-wide data protection requirements.
- Office 365 is the first major business productivity public cloud service provider willing to sign EU Model Clauses with all customers.

ISO 27001
- One of the best security benchmarks available across the world.
- Office 365 is the first major business productivity public cloud service to implement rigorous ISO security controls on physical, logical, process and management aspects.
- The 28 member countries of the Article 29 Working Party, plus Luxembourg, the Czech Republic, and Spain, all agree.
- Microsoft is the first and only cloud provider to receive this type of validation.
- Personal data stored in Microsoft's enterprise cloud adheres to Europe's rigorous privacy standards no matter where that data is located.
- Applies to Microsoft Azure, Office 365, Dynamics CRM Online, and Windows Intune.
- Microsoft's contractual privacy protections meet EU standards for international transfers of data.
Office 365 is built with a focus on privacy and security that allows us to obtain important industry certifications and enables customers to meet international laws and regulations, backed by third-party certification and audits.

Built-in capabilities: customer controls for compliance
- Data Loss Prevention (DLP)
- Archiving and Legal Hold
- eDiscovery
Data Loss Prevention (DLP)
- Prevents sensitive data from leaving the organization
- Provides an alert when data such as a Social Security or credit card number is emailed
- Alerts can be customized by the admin to catch intellectual property before it is emailed out

Empower users to manage their compliance
- Contextual policy education
- Doesn't disrupt user workflow
- Works even when disconnected

Configurable and customizable
- Admin-customizable text and actions
- Built-in templates based on common regulations
- Import DLP policy templates from security partners or build your own
Archiving and retention

Preserve
- In-Place Archive: secondary mailbox with separate quota; managed through EAC or PowerShell; available on-premises, online, or through EOA
- Governance: automated and time-based criteria; set policies at item or folder level; expiration date shown in message
- Hold: capture deleted and edited messages; time-based In-Place Hold; granular query-based In-Place Hold; optional notification

Search
- eDiscovery: web-based eDiscovery Center and multi-mailbox search; search primary, In-Place Archive, and recoverable items; delegate through role-based administration; de-duplication after discovery; auditing to ensure controls are met
Built-in capabilities
- Security best practices like penetration testing and defense-in-depth to protect against cyber-threats
- Physical and data security with access control, encryption and strong authentication

Flexible customer controls
- Unique customer controls with Rights Management Services to empower customers to protect information
Threat and vulnerability management, monitoring, and response apply across every layer:
- Network perimeter: edge routers, intrusion detection, vulnerability scanning
- Internal network: dual-factor authentication, intrusion detection, vulnerability scanning
- Host: access control and monitoring, anti-malware, patch and configuration management
- Application: secure engineering (SDL), access control and monitoring, anti-malware
- Data: access control and monitoring, file/data integrity
- User: account management, training and awareness, screening
- Facility: physical controls, video surveillance, access control
Copyright© Microsoft Corporation

- TLS/SSL: encrypts the tunnel to help prevent snooping/eavesdropping.
- BitLocker (AES): hashes the data on the hard drives in the datacenter so that if someone gets unauthorized access to the machine they can't read it.
- IRM (RMS): prevents sensitive information from being printed, forwarded, or copied by unauthorized people inside the organization.
- S/MIME: provides peer-to-peer cryptographic security services for electronic messaging applications: authentication, message integrity, non-repudiation of origin, privacy and data security.
- Third party, e.g. PGP: provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions, and to increase the security of communications.
Information can be protected with RMS at rest or in motion (data protection at rest; data protection in motion).
Apply RMS to content
- RMS can be applied to emails.
- RMS can be applied to SharePoint libraries:
  - Files are protected if they are viewed using Web Apps or downloaded to a local machine.
  - Files are protected if they are downloaded to a local machine and opened using rich clients.
- RMS can be applied to any Office document.
Exchange Online: policy detection and enforcement (diagram; labels: tenant configuration data and key, O365 user, Internet user, send, Microsoft Account/Organization Account, message viewing portal, deliver, post)