Compliance

Comprehensive third-party audited certifications.

Microsoft Azure, Microsoft 365, Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet are public cloud services independently operated in mainland China—run and sold by Shanghai Blue Cloud Technology (hereinafter referred to as “21Vianet”), a wholly-owned subsidiary of 21Vianet. The Microsoft Azure, Microsoft 365, Microsoft Dynamics 365 and Microsoft Power Platform online services technologies that Microsoft uses to serve other parts of the world have been licensed to 21Vianet, so Microsoft Azure, Microsoft 365, Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet provide globally consistent service quality for customers.

To help organizations comply with national, regional, and industry-specific requirements governing the collection and use of personal data, 21Vianet offers a comprehensive set of certifications and attestations.

21Vianet accomplishes this breadth of compliance offerings with a two-pronged approach:

  • First, a team of 21Vianet experts works with our engineering and operations teams, as well as external regulatory bodies, to track existing standards and regulations, developing hundreds of controls for the product teams to build into our cloud services.
  • Second, because regulations and standards are always evolving, our compliance experts also anticipate upcoming changes to help ensure continuous compliance—researching draft regulations, assessing potential new requirements, and developing corresponding controls.

Microsoft Azure, Microsoft 365, Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet comply with various types of certifications, including the international and industry compliance standards ISO/IEC 20000, ISO/IEC 27001 and ISO/IEC 27018, GB/T 22239 Information security technology - Baseline for classified protection of cybersecurity Level 3, GB 18030 Information Technology — Chinese Coded Character Set, and Trusted Cloud Service Evaluation (TCS). Microsoft Azure operated by 21Vianet has achieved the SOC (System and Organization Controls) report. Ultimately, it is up to you to determine whether our services comply with the laws and regulations applicable to your business. To help you make these assessments, 21Vianet supplies specifics about security and compliance programs, including certificates and audit reports.

You can submit a support ticket online or contact +86 400-089-0365. Working hours: 09:00-18:00 (UTC+8, China legal working day).

ISO/IEC 20000 is the first international standard for IT Service Management. Microsoft Azure, Office 365 (a component of Microsoft 365), Power BI and Microsoft Dynamics 365 operated by 21Vianet focus on managing IT issues and identifying their internal relations through “IT service standardization”, then perform planning, implementation and supervision based on service level agreements, and also emphasize interaction with customers. 21Vianet promises to carry out certification based on ISO/IEC 20000 (an international IT service standard for the IT service arena) every year. The ISO/IEC 20000 certificate confirms that 21Vianet has followed the IT service management requirements defined in this standard, and provided customers with efficient service and integrated management to identify and manage critical processes in IT service, which ensures that the efficient IT service provided by 21Vianet meets the demands of customers and their business.

ISO scope: IT service management system (ITSM), including establishment, implementation, operation, supervision, review, maintenance and improvement of the IT service management system.

This certificate is issued by BSI and is available for you to review.

ISO/IEC 27001 is one of the world's leading security standards. Microsoft Azure, Office 365 (a component of Microsoft 365), Power BI, Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet have implemented the strict physical, logical, procedural and management controls defined by ISO/IEC 27001. 21Vianet promises to carry out certification based on ISO/IEC 27001 (a widely applicable international information security standard) every year. The ISO/IEC 27001 certificate confirms that 21Vianet has implemented the internationally recognized information security control measures defined in this standard, including information security management guidelines and general principles for activation, implementation, maintenance and improvement.

ISO scope: Information Security Management System (ISMS), including management of information security, privacy and compliance in the areas: infrastructure, security, services/systems, operations, support and datacenter infrastructure.

This certificate is issued by BSI and is available for you to review.

ISO/IEC 27018 is the first international standard focused on personal data protection in the public cloud. Microsoft Azure, Office 365 (a component of Microsoft 365), Power BI, Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet provide users with reliable protection in the accuracy, transparency and security of personal data processing, and protect the full life-cycle of personal data. 21Vianet will carry out certification based on ISO/IEC 27018 (an international standard that mainly focuses on the protection of personal data in the public cloud) every year. The ISO/IEC 27018 certificate confirms that 21Vianet has implemented the internationally recognized public cloud PII security control measures defined in this standard, allowing customers to have complete control over their data storage and usage, ensuring the privacy and security of customer data.

ISO scope: Information Security Management System (ISMS), including management of information security, privacy and compliance in the areas: infrastructure, security, services/systems, operations, support and datacenter infrastructure, as well as related personal information protection management.

This certificate is issued by BSI and is available for you to review.

According to GB/T 22240-2008 Information Security Technology—Classification Guide for Classified Protection of Information System Security, the evaluation organization authorized by the Ministry of Public Security (MPS) evaluates Microsoft Azure, Office 365 (a component of Microsoft 365), Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet annually based on GB/T 22239-2019 Information Security Technology—Baseline for classified protection of cybersecurity and GB/T 28448-2019 Information Security Technology—Evaluation requirement for classified protection of cybersecurity. The evaluation organization confirmed that Microsoft Azure, Office 365 (a component of Microsoft 365), Power BI and Microsoft Dynamics 365 operated by 21Vianet are compliant with DJCP 2.0 requirements and are rated as Level 3 in terms of classified protection of cybersecurity.

21Vianet adopts cutting-edge Azure and Office 365 (a component of Microsoft 365) technologies and has successfully obtained multiple Trusted Cloud Service Evaluations with powerful localized operation capabilities, open platform, high-quality SLA, powerful data recovery capability and best customer returns.

Trusted Cloud Service Evaluation is a brand of cloud service evaluation under the China Academy of Information and Communications Technology (CAICT). It is a series of quality evaluation systems organized by the Trusted Cloud Service Workgroup of the Open Source Cloud Alliance for Industry (OSCA) under the guidance of the Ministry of Industry and Information Technology of China (MIIT). Trusted Cloud Service Evaluation is also the authoritative evaluation system for cloud computing services in China. The evaluation aims to cultivate the Chinese public cloud service market, enhance users’ confidence in cloud services, and protect certified cloud service providers.

Microsoft Azure operated by 21Vianet has passed the evaluation and obtained Trusted Cloud Service Evaluation of Virtual Machine, Cloud Storage, Cloud Database, Load Balancing, Cloud Engine and Cloud Backup. These services have completed the evaluation of a total of 16 indexes in three classifications (data management, service quality and rights protection) in the SLA framework. With service availability up to 99.99%, the services provide up to 6 copies of data backups across multiple datacenters within mainland China, providing reliable, secure, flexible, efficient, and stable assurance for users.

Microsoft Azure operated by 21Vianet obtained the first batch of Trusted Cloud Service Evaluation on Hybrid Cloud Service Solution (Public Cloud + Private Cloud, two-item evaluation) with Azure Hybrid Cloud Service Solution in 2017. Microsoft Azure operated by 21Vianet also achieved the “Trusted Cloud Technology Innovation Award -- Hybrid Cloud Award”.

Microsoft Office 365 (a component of Microsoft 365) operated by 21Vianet has obtained Trusted Cloud Service Evaluation of Business-Class Email (Exchange Online), File Sharing (SharePoint Online), Shared Calendar and Video Teleconference Service (Skype for Business Online) as well as the evaluation of “Security” and “User Experience” indexes. Office 365 (a component of Microsoft 365) operated by 21Vianet achieved the “Trusted Cloud 2014-2015 Annual Industry Award” for office applications, which proves Office 365 (a component of Microsoft 365) is providing first-class and reliable technology, safe and stable operations and perfect service system of norms. The test result is published on the website of Trusted Cloud Service Certification.

GB 18030 is the Chinese ideographic character set and encoding standard mandated by the Chinese government. Microsoft Azure, Office 365 (a component of Microsoft 365), Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet are certified as compliant with the mandatory part of this standard by the China Electronics Standardization Institute (CESI).

The SOC report is issued based on the Service Organization Controls (SOC) framework, which is developed by the American Institute of Certified Public Accountants (AICPA), a standard for controls that safeguard the confidentiality and privacy of information stored and processed in the cloud. Service audits based on the SOC framework, performed by independent third-party auditors, fall into two categories: SOC 1 and SOC 2.

  • A SOC 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of a Cloud Service Provider (CSP)’s internal controls that affect the financial reports of a customer using the provider’s cloud services. The Statement on Standards for Attestation Engagements (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) are the standards under which the audit is performed and are the basis of the SOC 1 report.
  • A SOC 2 audit gauges the effectiveness of a CSP’s system, based on the AICPA Trust Service Principles and Criteria. It provides customers and users who have a business need with an independent assessment of the CSP’s control environment relevant to security, availability, confidentiality and process integrity. An Attest Engagement under Attestation Standards (AT) Section 101 is the basis of the SOC 2 report.

At the conclusion of a SOC 1 or SOC 2 audit, the service auditor renders an opinion in a SOC 1 Type 2 or SOC 2 Type 2 report, which describes the CSP's system and assesses the fairness of the CSP's description of its controls. It also evaluates whether the CSP's controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.

The SOC 3 report is an abbreviated version of the SOC 2 Type 2 audit report — for users who want assurance about the CSP's controls but don't need a full SOC 2 report.

Benefits to User Entities

  • User entities that obtain SOC Reports from their service organization receive valuable information regarding the service organization's controls and the effectiveness of those controls. The user entity receives a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed and effectively operated.
  • User entities could provide SOC Reports to their auditors. This will greatly assist the user auditor in planning the audit of the user entities' controls. Without SOC Reports, the user entity would likely have to incur additional costs in sending their auditors to the service organization to perform their procedures.

21Vianet has achieved SOC 1 Type 2, SOC 2 Type 2 and SOC 3 for Microsoft Azure operated by 21Vianet, Microsoft Power Platform operated by 21Vianet and Microsoft Dynamics 365 operated by 21Vianet. Customers can contact 21Vianet to request the reports.

TISAX (Trusted Information Security Assessment Exchange) is administered by the ENX Association on behalf of the German Association of the Automotive Industry VDA (Verband der Automobilindustrie). TISAX is used by European automotive companies to provide a common information security assessment for internal analysis, evaluation of suppliers, and information exchange.

An independent ENX-accredited auditor completed the TISAX assessment of all datacenter regions in which 21Vianet operates Microsoft online services in mainland China against TISAX AL3 Information Security and Data Protection requirements. These TISAX certified regions provide the physical infrastructure for Microsoft Azure, Microsoft Dynamics 365, and Microsoft Power Platform operated by 21Vianet.

If you're an industry representative registered with ENX, you can find the TISAX assessment details on the ENX Portal. To access 21Vianet assessment results, you can narrow your search using the following information:

Assessment ID: APWVC2-1

Assessment Level 3 (AL3) scope ID: STPTNZ