Privacy compliance and information management are crucial for safeguarding individuals’ rights and responsible data handling. ISVs need to know what personal data they hold and why they process and store it. Microsoft 365 Certification validates that applications use the latest privacy and information management controls to protect customer data.
Certification auditors will confirm that ISVs have a functioning privacy information management system ensuring system confidentiality and integrity. Roles and responsibilities must be clearly defined, and a culture of privacy should be promoted by the organization’s leadership through effective privacy governance.
ISVs will show that personally identifiable information (PII) is minimized and de-identified or deleted after processing. Confidentiality controls and records of cross-border data transfers with documented consent must also be in place. An app must collect, use, and retain only the minimum amount of personal data necessary to achieve a specific purpose that has a business justification.
De-identification removes identifiable information from data, converting sensitive details like email addresses and birth dates into a format that cannot be linked to an individual. This process aims to maintain data utility while reducing risks of misuse, unauthorized access, and breaches.
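The following is an added example (not code from Microsoft or the certification program) of the de-identification described above: direct identifiers are replaced with a keyed pseudonym, an exact birth date is generalized to an age band, and any field not explicitly allowed is dropped. The key value, record fields and sample records are constructed for illustration; in practice the pseudonymization key would come from a key vault and never be stored alongside the de-identified data.

```python
import hmac
import hashlib
import json
from datetime import date

# Constructed placeholder key for the example only. A real deployment keeps this
# secret in a key vault and rotates it; if it leaks, tokens can be re-linked to
# known email addresses by recomputing the HMAC.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "birth_date": "1988-04-12", "plan": "pro"},
    {"email": "Bob@Example.com", "birth_date": "2001-11-30", "plan": "free"},
]


def pseudonymize_email(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace an email address with a keyed HMAC-SHA256 token.

    Normalizing the address first means the same person always maps to the same
    token, so analytics can still count distinct users. The secret key is what
    makes this a pseudonym rather than a hash: a plain SHA-256 of an address can
    be reversed by hashing a list of candidate addresses, a keyed HMAC cannot.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def generalize_birth_date(birth_date: str, today: date) -> str:
    """Reduce an exact ISO birth date to a 10-year age band such as '30-39'.

    The band keeps enough utility for cohort analysis while removing a value
    that, combined with other attributes, is a strong re-identification key.
    """
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record: dict, today: date, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a de-identified copy of one record.

    Only the fields listed here are emitted. Anything else in the input is
    dropped, so a new PII column added upstream does not leak through by default.
    """
    return {
        "user_token": pseudonymize_email(record["email"], key),
        "age_band": generalize_birth_date(record["birth_date"], today),
        "plan": record["plan"],
    }


def deidentify_all(records: list, today: date, key: bytes = PSEUDONYM_KEY) -> list:
    """De-identify a batch of records with a fixed reference date."""
    return [deidentify(r, today, key) for r in records]


if __name__ == "__main__":
    # Fixed reference date so the output is reproducible.
    print(json.dumps(deidentify_all(SAMPLE_RECORDS, date(2024, 6, 1)), indent=2))
```

The allow-list in `deidentify` is the minimization control: the output cannot contain an identifier the function does not name. Re-linking a token to a person requires the key, so the key's access control list is what the de-identified data set's confidentiality actually rests on.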
To achieve certification, ISVs must demonstrate technical and administrative/operational safeguards to protect PII during processing and transmission. This includes emphasizing confidentiality through encryption of data both at rest and in transit, maintaining documented access control lists, and conducting regular audits to prevent unauthorized access.
Evidence may be provided through the configuration settings of the protection mechanisms implemented to ensure that PII data is safeguarded in accordance with control requirements. These mechanisms may include access controls, role-based access control (RBAC), encryption, data loss prevention, and similar measures.
Certification ensures effective record management for data governance, protection, legal compliance, and accountability. When transferring personally identifiable information (PII) across borders, organizations must obtain explicit consent from data subjects and inform them about the transfer’s purpose and risks. Auditors will verify that ISVs keep records of consent and provide details on the transfer, its risk assessment, the data protection impact, and the retention period.
Next steps
To learn how Microsoft 365 Certification validates that your application uses the most up-to-date controls for data access management, visit the Microsoft 365 Certification privacy evidence requirements.
To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.