Privacy is an integral part of how we operate the services. Our approach to privacy and data protection is grounded in our commitment to give you control of the collection, use, and distribution of your information. We work to be transparent in our privacy practices, offer customers meaningful privacy choices, and manage responsibly the data we store.
When you store your Customer Data to Microsoft Azure, Office 365, Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet, you remain the exclusive owner of your Customer Data: you retain the rights, title, and interest in the Customer Data you store in Microsoft Azure, Office 365, Microsoft Dynamics 365 and Microsoft Power Platform online services . It’s our policy to not mine your Customer Data for marketing or advertising purposes or use your Customer Data except for purposes consistent with providing you cloud productivity services.
Customer Data is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the services. For example, Customer Data includes data that you upload for storage or processing in the services and applications that you or your end users upload for hosting in the services. It does not include configuration, technical settings, or support ticket information.
We only use Customer Data to provide the Services. This may include troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of the Services and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam).
Customer Data will be stored only in datacenters located in China. In limited circumstances, 21Vianet may authorize one of its affiliates, suppliers or subcontractors located outside China to access Customer Data when necessary to troubleshoot customer support incidents or resolve technical issues. 21Vianet will supervise such access and terminate the access when the issue is resolved.
Administrator Data is the information about administrators (including account contact and subscription administrators) provided during sign-up, purchase, or administration of the Services, such as name, address, phone number, and e-mail address.
We use Administrator Data to complete the transactions you request, administer your account, to detect and prevent fraud.
We may contact you to provide information about new subscriptions, billing and important updates about the Services, including information about security or other technical issues. We may also contact you regarding third-party inquiries we receive regarding your use of the Services, as described in your customer agreement. You will not be able to unsubscribe from these communications. Subject to your contact preferences, you may also be contacted, by phone or e-mail, regarding information and offers about other products and services or to request your feedback.
You may manage your contact preferences or update your information in your account profile.
When you make online purchases, you will be asked to provide information, which may include your payment instrument number (e.g., UnionPay or AliPay), your name and billing address, and the security code associated with your payment instrument and other financial data ("Payment Data").
We use Payment Data to complete transactions, as well as for the detection and prevention of fraud.
When you provide Payment Data while authenticated, we will store that data to help you complete future transactions without your having to provide the information again. We do not, however, retain the security code associated with your Payment instrument in this manner.
To remove or modify Payment Data, please contact Customer Support. After you close your account or remove Payment Data, however, 21Vianet may retain your Payment Data for as long as reasonably necessary to complete your existing transaction and for the detection and prevention of fraud.
Support Data is the information we collect when you contact 21Vianet for help, including what you supply in a support request required to resolve an issue related to your service, results from running an automated troubleshooter, or files that you send us. Support Data does not include administrator or Payment Data.
With Microsoft Azure, Office 365, Microsoft Dynamics 365 and Microsoft Power Platform online services operated by 21Vianet, you are the owner of your Customer Data. You can access your Customer Data at any time and for any reason without assistance from 21Vianet. 21Vianet will use your Customer Data only to provide the services agreed upon, including purposes that are compatible with providing those services. We will not use Customer Data or derive information from it for advertising.
We give you authenticated and logged access to your Customer Data, and restrict access to it by 21Vianet personnel and subcontractors. We also take strong steps to protect your Customer Data from inappropriate use or loss, and to segregate your Customer Data on shared hardware from that of other customers.
In Microsoft Azure, Office 365, Microsoft Dynamics 365, Power Platform online services operated by 21Vianet, you know where your Customer Data is located, who can access it and under what circumstances, and how it is responsibly protected, transferred, and deleted.
21Vianet believes that its customers who should control their own information whether stored on their premises or in a cloud service. Accordingly, we will not disclose Customer Data to a third party (excluding our suppliers and subcontractors) except as you direct or as required by applicable law and regulations. If compelled to disclose Customer Data to a third party, we will use commercially reasonable efforts to promptly notify you and provide a copy of the demand, unless legally prohibited.
We take strong measures to help protect Customer Data from inappropriate access or use by unauthorized persons, either external or internal, and to prevent customers from gaining access to one another’s data.
- The operational processes that govern access to Customer Data in business cloud services operated by 21Vianet are protected by strong controls and authentication, which fall into two categories: physical and virtual
- Access to physical datacenter facilities is guarded by outer and inner perimeters with increasing security at each level, including perimeter fencing, security officers, locked server racks, multifactor access control, integrated alarm systems, and around-the-clock video surveillance by the operations center.
- Virtual access to customer data is restricted based on business need by role-based access control, multifactor authentication, minimizing standing access to production data, and other controls. Access to customer data is also strictly logged, and both 21Vianet and third parties designated by 21Vianet perform regular audits (as well as sample audits) to attest that any access is appropriate.
- In addition, the cloud operated by 21Vianet uses encryption to safeguard Customer Data and help you maintain control over it. When data moves over a network—between user devices and 21Vianet datacenters or within datacenters themselves—products and services operated by 21vianet use industry-standard secure transport protocols. To help protect data at rest, cloud operated by 21Vianet offers a range of built-in encryption capabilities.
- Most business cloud services operated by 21Vianet are multitenant services, meaning that your data, deployments, and virtual machines may be stored on the same physical hardware as that of other customers. Cloud operated by 21Vianet uses logical isolation to segregate storage and processing for different customers through technology engineered to ensure that your Customer Data is logically separate from other customers data.
- Cloud services operated by 21Vianet with audited certifications such as ISO 27001 are regularly verified by 21Vianet and accredited audit firms, which perform sample audits to attest that access is only for legitimate business purposes.
21Vianet operations and support services are available 24 hours a day, 365 days a year. We have automated a majority of our service operations so that only a small set requires human interaction.
- 21Vianet engineers do not have default access to cloud customer data. Instead, they are granted access, under management oversight, only when necessary.
- 21Vianet personnel will use customer data only for purposes compatible with providing you the contracted services, such as troubleshooting and improving features, such as protection from malware.
We limit access by subprocessors
Microsoft business cloud services operated by 21Vianet process various categories of data, including Customer Data and personal data. Where 21Vianet hires a subcontractor to perform work that may require access to such data, they are considered a subprocessor. 21Vianet discloses these subprocessors below.
Subprocessors may access data only to deliver the services 21Vianet has hired them to provide and are prohibited from using data for any other purpose. They are required to maintain the confidentiality of this data and are contractually obligated to meet strict privacy requirements that are equivalent to or stronger than the contractual commitments 21Vianet makes to its customers.
Subprocessors are also required to meet EU General Data Protection Regulation (“GDPR”) requirements, including those related to employing appropriate technical and organizational measures to protect personal data.
21Vianet requires subprocessors to meet the 21Vianet Data Protection Requirement (“21Vianet DPR”). This 21Vianet DPR is designed to standardize and strengthen data handling practices, and to align supplier business processes and systems with those of 21Vianet.
Subprocessors who handle Customer Data (including personal data therein) are subject to same requirements. Subprocessors of Customer Data must agree to the EU Model Clauses for services operated by 21Vianet for which 21Vianet offers its customers the EU Model Clauses.
Subprocessors can perform work in any of the following capacities:
- Subprocessors who provide technologies to power certain Online Services operated by 21Vianet
Subprocessor identified for a specific service may process, store, or otherwise access customer data (including personal data contained therein) in the course of helping to provide that service.
- Subprocessors who provide ancillary services to support Online Services operated by 21Vianet
Subprocessor may process, store, or otherwise access limited customer data (including personal data contained therein) in the course of providing their ancillary services.
Lists of subprocessors
21Vianet’s contractual commitments to customers define Customer Data as all the data provided to 21Vianet through your use of our business cloud services (see how 21Vianet categorizes data). Some Customer Data is personal data as defined under GDPR. GDPR requires disclosure of subprocessors with access to personal data.
- Core Online Services Subprocessors List identifies the subprocessors authorized to access Customer Data (including personal data contained therein) in Core Online Services operated by 21Vianet, as defined in the Online Services Terms (Appendix A).
- Personal Data Subprocessors List identifies the subprocessors authorized to process personal data in any form (including pseudonymous data) across all enterprise online services that are not already listed on the Core Online Services Subprocessors List above.
21Vianet publishes the names of any new subprocessors for Core Online Services operated by 21Vianet (as defined in Core Online Services Subprocessors List) at least six months in advance of their authorization to perform services that may involve access to Customer Data. 21Vianet publishes the names of any other new subprocessors for personal data (as defined in Personal Data Subprocessors List) at least 14 days in advance of their authorization to perform services that may involve access to such data.
Privacy protections in Microsoft Azure, Office 365, Microsoft Dynamics 365, Power Platform online services operated by 21Vianet are grounded in Privacy Statement and the underlying technology that is licensed to 21Vianet is developed using the Security Development Lifecycle (which includes addressing privacy requirements in the process of developing software).
We then back those protections with strong contractual commitments to safeguard Customer Data in 21Vianet Online Services Standard Agreement for Microsoft Azure and 21Vianet Online Services Standard Agreement for Office 365.
Microsoft Azure Customer
For personal data submitted by Azure customers (for example, personal data submitted for getting support, and other personal data submitted via azure.cn), we provide approaches to export and/or delete. Please click here to continue. Click here if you would like to get the documentation for this process.
For personal data generated during a customer use of Azure services, tenant administrators can export and/or delete by clicking here. For details of Data Subject requests, see Data Subject Requests for the GDPR.
Office 365 Customer
For Office 365 customers we provide export or/and delete guidance by clicking here the detailed operation instructions.
Microsoft Dynamics 365 Customer
For Dynamics 365 customers, detailed guidance on how to manage GDPR obligations is available here.
Microsoft Power Platform Customer
For Power Platform customers, detailed guidance on how to manage GDPR obligations is available here.