Office 365’s Fine Print: What you need to know

Read the fine printOffice 365 is a good fit for some folks. Not so good for others.

Like any decision concerning your company’s or customers’ data, you should know all the risks and caveats before making a decision. Here are some important details for you to consider.

As you may or may not know, I effectively prepare and negotiate hosting contracts and Service Level Agreements (SLA) on a daily basis and have been doing so for over 15 years. I’ve seen some fantastic agreements from small companies and weak ones from Fortune 100s.

In the end, the fine print is critical and will always be what both parties stand behind. Nothing herein is based on conjecture or taken out of context. The following is all accurate, current information which you can verify in one click. Read for yourself and ask hard questions. You owe it to your company and customers.

Where does my data live?

I’ve gone back and forth on this topic with several Office 365 consultants so I finally decided to put this in writing. Folks assume that since they pick the geographic area of their data center (country) where they want their data stored, that it will remain in that data center and country. False.

The fact is, Microsoft says they can move your data to another Microsoft data center in another country without notifying you. Huh?  Now that I have your attention let’s continue. So while your data may start in the data center or country of your choice, it may end up in another and you won’t even know it happened.

In my experience with technology vendors, or vendors of any sort for that matter, when someone says they could do something you don’t want done and won’t tell you when they do it, that is a serious red flag and deal breaker.

So for those of you with data sovereignty or compliance issues and need your data to unequivocally live in a certain location for its duration, Office 365 may not be the best choice for you.


Microsoft Office 365 won't give notice when customer data is transferred to a new country

Microsoft Office 365 won’t give notice when customer data is transferred to a new country


Limitation of Liability

Microsoft has a relatively low ceiling of liability for anything that may happen to you while you’re an Office 365 customer. This could include things like loss of data, excessive downtime, data breach, etc… I had actually missed this one before doing research for this blog. If you are a partner and receive Office 365 for free, you are limited to just $5,000 in damages. If you pay for the service, you are limited to the last 12 months of service as a maximum value for damages. If your data is important and someone else is acting as custodian, there should be a reasonable liability umbrella just like folks doing financial audits. Here is a reality check – people make mistakes and machines break. If you’re in the business of storing others’ data, you may lose some of it at some point. That’s why you have Cyber and E&O insurance.

This is a no-go for me if I am storing anything on Office 365 that I can’t afford to lose and am not able to back up locally on a schedule that makes me comfortable.


Microsoft Office 365 low ceiling on limitation of liability

Microsoft Office 365 low ceiling on limitation of liability



Audit Rights

For those of you with compliance or regulatory requirements, it’s important to know what your audit rights are when storing data with a Cloud provider like Office 365. In Microsoft’s case, you do not have any audit rights other than Microsoft providing evidence of their ISO, SSAE, PCI, HIPAA or Safe Harbor status. And while these standards are important, audits are fundamentally based on being able to go where the data lives and verify that it exists, it is what you say it is and it’s secure.

As a former auditor, this is a heavy black mark if I’m storing sensitive information with compliance or regulatory requirements whose failure to comply may result in significant penalties.


Microsoft Office 365 does not allow customers to audit Microsoft Online Services or Infrastructure

Microsoft Office 365 does not allow customers to audit Microsoft Online Services or Infrastructure


In Conclusion

So, as always, whenever dealing with your company or your customers’ data, make sure you know all the ins and outs of the hosting provider you’re dealing with.

2013-03-06T07:23:34+00:00 March 6th, 2013|


  1. […] you ever read the fine print on Office 365′s SLA? Here’s what you need to […]

  2. Security in Office 365 | Oddytee March 7, 2014 at 11:28 am - Reply

    […] Reference(s): Office 365′s Fine Print: What you need to know […]

  3. Rolland June 25, 2014 at 3:24 am - Reply

    Joined plumbing APSense since, June 24th, 2013, From delhi, India.
    What to Look For in a 24 Hour PlumberPersonally I am one of these situations, call a Seattle Plumbing Company you can trust, that
    is. I knew she was well paid plumbing and assumed she
    would get some top designing plumber to come to your house.
    Tree roots can somehow get into the domestic
    sector – earning a living mainly on their own. It was massive that morning.

Leave A Comment