We are pleased to announce that Microsoft will now sign a Data Processing Agreement (DPA), the EU’s model clauses (EUMC) and a business associate agreement (BAA). These supplemental contracts will help customers certify compliance with key industry standards, such as the European Commission’s Data Protection Directive, and the U.S.-mandated Health Insurance Portability and Accountability Act (HIPAA).
What are the DPA, BAA and EUMC?
EU Model Clauses (EUMC) are a set of stringent European Union wide data protection requirements. EUMC help to assure customers that appropriate steps have been taken to help safeguard personal data, even if data is stored in a cloud-based service center located outside the European Economic Area.
The Data Processing Agreement (DPA) addresses privacy, security and handling of Customer Data. Microsoft’s DPA goes above and beyond the EU Model Clauses to address additional requirements from individual EU member states. The DPA may also be used by non-EU countries to help them comply with standards in their jurisdiction.
HIPAA is a U.S. law that requires entities to meet certain privacy and security standards with respect to individually identifiable health information. To help customers comply with HIPAA, Microsoft offers a BAA, which assures adherence to certain privacy and security requirements. The BAA covers Protected Health Information (PHI) and has a provision requiring Security incident notification within 30 days of unauthorized access.
Other related information can be found here
Standard responses for privacy and security related questions