Microsoft Azure operated by 21Vianet is a separate instance of Microsoft's Azure cloud services located in mainland China and independently operated and sold by Shanghai Blue Cloud Technology Co., Ltd. ("21Vianet"), a wholly owned subsidiary of Beijing 21Vianet Broadband Data Center Co., Ltd. It is based on the same Azure technology that powers Microsoft's global cloud services with comparable service levels to customers.

    21Vianet understands that in order to realize the benefits of cloud computing you must be willing to trust your cloud provider with your Customer Data. When you invest in a cloud service, you must be able to trust that your Customer Data is safe, that data privacy is protected, and that you own and control your Customer Data in all its uses.

    That’s why we strive to earn your trust in Microsoft Azure operated by 21Vianet. Microsoft has broad experience developing enterprise online services, and has made major investments in foundational processes and technologies that build security and privacy into development. 21Vianet has also implemented industry-leading security measures and privacy policies, and participated in international and domestic compliance programs with independent verification of the Azure controls.

    Security and privacy are made a priority at every step, from code development through incident response.

    Azure is designed with security in mind from the ground up. We build security into software code following an approach known as the Security Development Lifecycle (SDL). This mandatory development process embeds security requirements into the entire software lifecycle, from planning through deployment. To help ensure that operational activities follow the same security priorities, we’ve developed rigorous security guidelines laid out in the Security Management process.

    Azure employs a robust set of security technologies and practices. These help ensure that Azure infrastructure is resilient to attack, safeguard user access to the Azure environment, and help keep Customer Data secure through encrypted communications as well as threat management and mitigation practices, including regular penetration testing.

    • Manage and control identity and user access to your cloud environments, data, and applications by federating user identities to Azure Active Directory and enabling Azure Multi-Factor Authentication for more secure sign-in.
    • Encrypt communications and operation processes. For data in transit, Azure uses industry-standard transport protocols between user devices and Azure datacenters, and within datacenters themselves. For data at rest, Azure offers a wide range of encryption capabilities, giving you the flexibility to choose the solution that best meets your needs.
    • Increase network security. Azure provides you the security-hardened infrastructure to connect virtual machines (VMs) to one another and to connect on-premises datacenters with Azure VMs. Azure blocks unauthorized traffic to and within datacenters, using a variety of technologies. Azure Virtual Networks extend your on-premises network to the cloud through IPsec-based site-to-site VPN technology or a high-speed Azure ExpressRoute dedicated WAN link.
    • Defend against threats. Azure offers Microsoft Antimalware for Azure Cloud Services and Virtual Machines to help you protect against online threats. Azure also employs intrusion detection, distributed denial-of-service (DDoS) attack prevention, regular penetration testing, and data analytics and machine learning tools to help mitigate threats to the Azure platform.

    Learn more about Azure Network Security

    Learn more about Azure Security

    21Vianet is an industry leader in protecting customer privacy. Our approach to privacy and data protection is grounded in our commitment to organizations’ ownership of and control over the collection, use, and distribution of their Customer Data. We strive to be transparent in our privacy practices, offer you meaningful privacy choices, and responsibly manage the Customer Data we store and process. One measure of our commitment to data privacy is our adoption of the international and domestic standards of ISO 27001 and Information System Classified Security Protection (DJCP) with classification as Level 3.

    • You own your own Customer Data. You own all your Customer Data that you place in Azure—including text, sound, video, or image files and software. You can access your Customer Data at any time and for any reason without assistance from 21Vianet. We will not use your Customer Data or derive information from it for advertising or data mining.
    • You control your Customer Data. Because the Customer Data you host on Azure belongs to you, you have control over where it is stored and how it is accessed.
    • When law enforcement or a third party requests access to your data, they must follow applicable legal processes. 21Vianet believes that customers should control their own information whether stored on their premises or in a cloud service. Accordingly, we will not disclose Customer Data to a third party (excluding our suppliers and subcontractors) except as you direct or as required by applicable law and regulations. If compelled to disclose your Customer Data, 21Vianet will use commercially reasonable efforts to promptly notify you and provide a copy of the demand, unless we are legally prohibited from doing so.

    Learn more about Protecting Data and Privacy in the Cloud.

    • Azure meets international and industry-specific compliance standards, as well as country-specific standards. Rigorous third-party audits verify Azure’s adherence to standards-mandated security controls. As part of our commitment to transparency, you can verify our implementation of many security controls by requesting audit results from the certifying third parties. It makes it easier for you to validate compliance for the infrastructure and applications you run in Azure when 21Vianet verifies that our services meet compliance standards and when we demonstrate how we achieve compliance.
    • Determine compliance responsibilities. 21Vianet maintains compliance with leading data protection and privacy laws and regulations applicable to cloud services, to help you determine if Azure complies with the laws and regulations unique to your industry.
    • Take advantage of a broad compliance framework. Azure offers a set of compliance certifications to help you conform to your specific requirements. Azure complies with international and industry-specific compliance standards, such as ISO/IEC 27001, as well as country-specific standards such as Information System Classified Security Protection (DJCP) managed by MPS.

    Learn more about Compliance

    Azure is built on the premise that for you to control your own Customer Data in the cloud, you require visibility into that Customer Data. You must know where it is stored. You must also know, through clearly stated and readily available policies and procedures, how we help secure your Customer Data, who can access it, and under what circumstances. You can review third-party audits and certifications that confirm how we meet the standards we set.

    • Maintain clear, constant visibility. You know where your Customer Data is stored, who can access it, and under which conditions your Customer Data is accessed. You receive updates to any changes in our service operations policies.
    • Rely on strict access procedures. 21Vianet only grants access to Customer Data to 21Vianet engineers, to perform key tasks such as maintenance and upgrades, and subcontractors, to perform limited services. We use strict controls to govern access to Customer Data, assign the lowest level of privilege required to complete key tasks, and revoke access when it is no longer needed.

    Learn more about Transparency

    In China, customers who use cloud services are subject to many different laws and regulations that may vary from location to location and industry to industry. To help our customers comply with their own requirements, we build our services with common privacy and security requirements in mind. However, it is ultimately up to our customers to evaluate our offerings against their own requirements, so they can determine if our services satisfy their regulatory needs. We are committed to providing our customers with detailed information about Microsoft Azure operated by 21Vianet to help them make their own regulatory assessments.

    Trusted cloud services like Azure require shared responsibility between the customer and the service provider. 21Vianet is responsible for the services based on technology provided by Microsoft and seeks to provide cloud services that can meet the security, privacy, and compliance needs of our customers. Customers are responsible for their environment once the service has been provisioned, including their applications, data content, virtual machines, access credentials, and compliance with regulatory requirements applicable to their particular industry and locale.

    Compliance Certification

    ISO20000, DJCP, GB-18030, ISO27001, TRUCS

    DJCP

    The evaluation organization authorized by the Ministry of Public Security (MPS) evaluates Microsoft Azure, Office 365 and Power BI operated by 21Vianet, and rates Azure, Office 365 and Power BI at Level 3 in terms of information security protection classification. Registration certifications are issued to Azure, Office 365 and Power BI by MPS.


    China GB 18030

    Microsoft Azure is certified by the China Electronics Standardization Institute as compliant with GB 18030, the encoding standard mandated by the Chinese government for the Chinese ideographic character set.


    China MLPS

    Microsoft Azure operated by 21Vianet adheres to the Multi-Level Protection Scheme, a Chinese state cloud security standard issued by the Ministry of Public Security.


    CJIS

    Microsoft Azure Government, Microsoft Office 365 U.S. Government, and Microsoft Dynamics CRM Online Government adhere to the CJIS Security Policy, required to access the FBI's Criminal Justice Information Services (CJIS) database through the cloud.


    CSA CCM

    The Microsoft Cloud Security Alliance Cloud Controls Matrix response details how Microsoft cloud services fulfill the security, privacy, compliance, and risk management requirements defined in CSA CCM version 3.0.1.


    CS Mark (Gold)

    The Cloud Security Mark is the first security standard for cloud service providers in Japan. Microsoft achieved a CS Gold Mark for all three service classifications: Microsoft Azure for IaaS and PaaS, and Microsoft Office 365 for SaaS.


    DISA

    The Defense Information Systems Agency Cloud Service Support has granted a DISA Impact Level 2 Provisional Authorization to Azure, Azure Government, Office 365 MT, and Office 365 U.S. Government, based on FedRAMP authorizations.


    EU Model Clauses

    Microsoft offers European Union Standard Contractual Clauses that provide contractual guarantees around transfers of personal data. Microsoft was the first cloud service provider to gain approval from the EU’s Article 29 Working Party for contractual commitments.


    TRUCS

    21Vianet adopts cutting-edge Azure, Office 365 and Power BI technologies and has successfully obtained Trusted Cloud Service certification with powerful localized operation capabilities, open platform, high-quality SLA, powerful data recovery capability and best customer returns.


    GB 18030

    GB 18030 is the Chinese ideographic character set and encoding standard mandated by the Chinese government. Microsoft Azure, Office 365 and Power BI operated by 21Vianet are certified as compliant with the mandatory part of this standard by the China Electronics Standardization Institute (CESI).


    FERPA

    Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 comply with the Family Educational Rights and Privacy Act, a US federal law that protects the privacy of students’ education records.


    FIPS 140-2

    Microsoft certifies that the underlying cryptographic modules used in Microsoft products, including Microsoft enterprise cloud services, comply with the Federal Information Processing Standard Publication 140-2, a US government standard.


    FISC

    Microsoft Azure and Microsoft Office 365 have been independently assessed as meeting the requirements for the Center for Financial Industry Information Systems Version 8 standard security for banking computer systems in Japan.


    IRS 1075

    Microsoft Azure Government and Microsoft Office 365 Government cloud services provide a contractual commitment that they have the appropriate controls in place to meet the requirements of US Internal Revenue Service Publication 1075.


    ISO/IEC 27001

    ISO/IEC 27001 is one of the world's leading security standards. Microsoft Azure, Office 365 and Power BI operated by 21Vianet have implemented the strict physical, logical, procedural and management controls defined by ISO/IEC 27001.


    CCSL (IRAP)

    Microsoft Azure and Microsoft Office 365 are accredited for the Certified Cloud Services List, which identifies cloud services that have successfully completed an IRAP assessment by the Australian Signals Directorate.


    ISO/IEC 27001

    The ISO/IEC 27001 certificate validates that Microsoft enterprise cloud services have implemented the internationally recognized information security controls defined in the ISO/IEC 27001 standard.


    ISO/IEC 27018

    Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice, which covers privacy protections for the processing of personal information by cloud service providers.


    MPAA

    Microsoft Azure was the first hyperscale cloud provider to comply with the Motion Picture Association of America guidance and control framework for the security of digital film assets.


    MTCS

    Microsoft was the first global cloud service provider to receive the Singapore Multi-Tier Cloud Security certification across all three classifications—IaaS, PaaS, and SaaS—for in-scope services.


    NZ CC Framework

    The New Zealand Government Chief Information Officer published a cloud computing framework of 100+ questions on the security, privacy, and sovereignty aspects of cloud services. Microsoft NZ demonstrates how Microsoft addresses these questions.


    PCI DSS Level 1 Service Provider

    Microsoft Azure complies with Payment Card Industry Data Security Standards Level 1 version 3.1, the global certification standard for organizations that accept most payment cards and store, process, or transmit cardholder data.


    SOC 1 & 2 Type 2 Reports

    Service Organization Controls (SOC) are a series of accounting standards that measure the control of financial information for a service organization. Azure’s SOC 1 and SOC 2 Type 2 audit reports attest to the effectiveness of the design and operation of its security controls.


    SOC 1

    Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls 1 standards for design and operational security.


    SOC 2

    Microsoft cloud services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls Type 2 standards for design and operational security.


    SOC 3

    Microsoft Azure and Microsoft Intune in-scope services have been successfully audited against American Institute of Certified Public Accountants (AICPA) Service Organization Controls 3 standards for design and operational security.


    UK G-Cloud

    The UK Crown Commercial Service has renewed the classification of Microsoft’s in-scope cloud services to Government Cloud v6, covering all four of its offerings at the OFFICIAL level.


    Section 508 / VPATs

    Microsoft cloud services offer Voluntary Product Accessibility Templates, a standardized form documenting whether a product meets the accessibility requirements of Section 508, an amendment to the Rehabilitation Act of 1973.


    DIACAP

    The US Department of Defense Information Assurance Certification and Accreditation Process was replaced with the NIST 800-37 Risk Management Framework and DoD 8510.01. Microsoft Azure demonstrates compliance through its FedRAMP accreditation.


    ENISA IAF

    The European Network and Information Security Agency Information Assurance Framework requirements have been mapped to Microsoft cloud services through the CSA CCM. Customers can refer to the CSA CCM response version 3.0.1.


    FISMA

    Azure, Azure Government, Dynamics CRM Online Government, and Office 365 Government have a Provisional Authority to Operate for FedRAMP, the successor of the Federal Information Security Management Act for US government cloud solutions.


    SHARED ASSESSMENTS

    Microsoft demonstrates the alignment of Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 with the Shared Assessments Program—a vendor-risk management toolset—through the CSA CCM version 3.0.1.


    Argentina Personal Data Protection Act 25,326

    Microsoft Azure, Microsoft Dynamics CRM Online, and Microsoft Office 365 have implemented the security measures in the Argentina Personal Data Protection Act.


    Japan My Number Act

    The My Number Act assigns a unique number to each resident of Japan. Companies using Microsoft cloud services can be assured that Microsoft does not have standing access to My Number data.


    China TRUCS

    Azure operated by 21Vianet in China has passed the Trusted Cloud Service certification developed by the Data Center Alliance and tested by the China Academy of Information and Communications Technology.


    FACT

    The Federation Against Copyright Theft in the UK developed a certification scheme based on ISO 27001 that focuses on physical and digital security to protect against theft of intellectual property. Microsoft Azure was the first multitenant public cloud to achieve FACT certification.


    ENS Spain

    Spain's Esquema Nacional de Seguridad (National Security Framework) provides ICT security guidance to public administrations and cloud service providers (CSPs). Microsoft was the first hyperscale CSP to receive this ENS certification—for Microsoft Azure and Microsoft Office 365.


    GxP

    The Microsoft Cloud meets Good Clinical, Laboratory, and Manufacturing Practices (GxP), as part of compliance with the US Food and Drug Administration Code of Federal Regulations Title 21 CFR Part 11.
