Page 1 of 50
HONG KONG
GUIDANCE ON COMPLYING WITH REGULATORY REQUIREMENTS APPLICABLE TO
INSURANCE COMPANIES USING DYNAMICS 365
Last update: 1 August 2017
1. WHAT DOES THIS MICROSOFT GUIDANCE CONTAIN?
This guidance document provides a guide to complying with the regulatory process and requirements applicable to insurance companies (“ICs”) using Dynamics 365¹. Note that other financial service institutions are subject to separate regulation in Hong Kong. Microsoft has prepared a guidance document for other financial service institutions which is available on request.
Sections 2 to 6 of this guidance set out information about the regulatory process and the regulations that apply.
Section 7 sets out questions in relation to outsourcing to a cloud services solution based on the laws, regulations and guidance that are relevant to the use
of cloud services. Although there is no legal or regulatory requirement to complete a checklist like this one, we have received feedback from financial
service institutions that a checklist approach like this is very helpful. The checklist can be used:
(i) as a checklist for ensuring regulatory compliance with the requirements set out in the laws, regulations and guidelines (listed in Section 2); and
(ii) as a tool to aid discussions with the regulator(s) (listed in Section 3), should they wish to discuss your organization’s overall approach to compliance
with their requirements.
¹ Note that this document is not intended as legal or regulatory advice and does not constitute any warranty or contractual commitment on the part of Microsoft or its affiliates. Instead, it is intended to streamline the regulatory process for you. You should seek independent legal advice on your technology outsourcing project and your legal and regulatory obligations. If you have any questions, please do not hesitate to get in touch with your Microsoft contact.
Annex One also contains a list of the points that ICs should “consider” when negotiating the contract for cloud computing services.
2. WHAT REGULATIONS AND GUIDANCE ARE RELEVANT?
The IA has developed a Guideline on Outsourcing (https://www.ia.org.hk/en/legislative_framework/files/GL14.pdf) (“Guideline on Outsourcing”) which
sets out the issues that the IA expects an IC to take into account in formulating and monitoring outsourcing arrangements generally. The IA has not
produced any specific guidance in relation to cloud services.
3. WHO IS/ARE THE RELEVANT REGULATOR(S)?
The Insurance Authority in Hong Kong (“IA”)
4. IS REGULATORY APPROVAL REQUIRED IN HONG KONG?
No.
Under the Guideline on Outsourcing, the IA does not require ICs to obtain prior approval before engaging service providers to provide cloud services.
However, prior notification should be made in the case of entering into a new material outsourcing arrangement, or significantly varying an existing one, as
provided under Section 6 of the guideline.
5. IS/ARE THERE (A) SPECIFIC FORM OR QUESTIONNAIRE(S) TO BE COMPLETED?
Where prior notification is given for entering into a new material outsourcing arrangement or significantly varying an existing one, the Guideline on Outsourcing provides, in Annexes 2 and 3 respectively, checklists to be used for this purpose. Suggested responses and guidance for completing these checklists can be found throughout this guidance document. Otherwise, there are no specific forms or questionnaires that an IC must complete when considering cloud computing solutions.
6. DOES THE REGULATOR MANDATE SPECIFIC CONTRACTUAL REQUIREMENTS THAT MUST BE ADOPTED?
No.
The IA does not specifically mandate contractual requirements that must be agreed by ICs with their service providers. However, the Guideline on
Outsourcing does contain a long list of matters that it says that ICs should “consider” when negotiating the contract. Appendix One contains a
comprehensive list and details of where in the Microsoft contractual documents these points are covered.
7. CHECKLIST
Key:
In blue text, Microsoft has included template responses that would demonstrate how your proposed use of Microsoft’s services would address the point
raised in the checklist. Some points are specific to your own internal operations and processes and you will need to complete these answers as well.
In red italics, Microsoft has provided guidance to assist you with the points in the checklist.
Ref. Question/requirement Template response and guidance
A. OVERVIEW
Section 6 of the Guideline on Outsourcing requires ICs to provide certain information regarding any ‘material outsourcing arrangement’ within 30
days of entering into such an agreement or significantly varying an existing one. This section will assist you with this process as well as providing
background and context information to the rest of this document.
1. Who is the proposed Service Provider?
The Service Provider is Microsoft Operations Pte Ltd, the regional licensing entity for Microsoft Corporation, a global
provider of information technology devices and services, which is publicly-listed in the USA (NASDAQ: MSFT). Microsoft’s
full company profile is available here: https://www.microsoft.com/en-us/news/inside_ms.aspx.
2. What service is being outsourced?
Service(s) to be outsourced Critical (Y/N)
1. Customer Relationship Management Solution Y
Through adoption of Microsoft Dynamics 365 product, which is described in more detail here:
https://www.microsoft.com/en-us/dynamics365/home.
Microsoft Dynamics 365 is a remotely hosted customer relationship management (CRM) solution managed by Microsoft
and offering the following capabilities:
• Marketing—flexible segmentation tools, simplified campaign management, intuitive response tracking, and
insightful analytics.
• Sales—full lead to cash visibility, lead and opportunity tracking, streamlined approvals, and real-time sales
forecasts.
• Field Service—simplified case management, streamlined escalations, improved knowledge sharing, and more
effective account management.
• Project
• Operations
• Dynamics Business Platform—a flexible framework that helps organizations to extend and build custom business
applications and industry solutions known as the Business Application Platform.
Microsoft Dynamics CRM Online delivers flexibility and business fit, combined with familiar user experiences through its
deep stack alignment with the Microsoft Office productivity suite, namely Microsoft Outlook, Microsoft Excel, and Microsoft
Word. It also works well with other Microsoft technologies such as Microsoft SQL Server® database software, Microsoft
Communications Server, Microsoft BizTalk® Server, Microsoft Exchange Server, and Microsoft SharePoint® Server.
3. Where will the outsourced services be performed?
You may need to amend this depending on the final solution that you decide on.
Microsoft informs us that it takes a regional approach to hosting of Dynamics 365 data. Microsoft is transparent in relation
to the location of our data. Microsoft data center locations are made public on the Microsoft Trust Center at
https://www.microsoft.com/en-us/trustcenter/default.aspx.
Microsoft enables customers to select the region from which their tenant is provisioned. Under the OST, Microsoft commits that if a customer provisions its tenant in the United States or EU, Microsoft will store the customer’s data at rest in the United States or EU, as applicable.
The table below will need to be amended depending on the specific solution that you are taking up.
#  | Location of Data Centre | Classification of DC: Tier I, II, III or IV | Storing your organization’s data (Y/N)
1. |                         |                                             |
2. |                         |                                             |
B. OUTSOURCING POLICY
4. Prior to the outsourcing of services, an IC should develop an outsourcing policy, approved by the Board of Directors. The IC should have appropriate documentation of its outsourcing policy and ensure that procedures are in place such that all relevant staff of the IC are fully aware of and comply with the outsourcing policy.
IA Guideline on Outsourcing, Section 5.1. The IA requires that ICs have in place a comprehensive policy on outsourcing duly approved by the board of directors of the IC. This will differ from one organization to another but the IA expects that this will cover the following specific points:
(a) The objectives of the outsourcing and criteria for approving an outsourcing arrangement;
(b) The framework for evaluating the materiality of outsourcing arrangements;
(c) The framework for a comprehensive assessment of risks involved in outsourcing;
(d) The framework for monitoring and controlling outsourcing arrangements;
(e) The identities of the parties involved and their roles and responsibilities in approving, assessing and monitoring the outsourcing arrangements and how those responsibilities may be delegated and details of any authority limits; and
(f) The review mechanism to ensure the outsourcing policy and the monitoring and control procedures are capable of accommodating changing circumstances of the IC and catering for market, legal and regulatory developments.
5. The IC should develop a framework for assessing the materiality of an outsourcing arrangement. The assessment of what is material may involve qualitative judgement and depends on the circumstances of the IC concerned.
IA Guideline on Outsourcing, Section 5.4. The IA deems a “material outsourcing” to be “an outsourcing arrangement which if disrupted or falls short of acceptable standards, would have the potential to significantly impact on an IC’s financial position, business operation, reputation or its ability to meet obligations or provide adequate services to policy holders or to conform with legal and regulatory requirements.” The IA expects you to be able to demonstrate that you have considered the materiality of the outsourcing in relation to at least the following factors:
(a) Impact on financial position, business operation and reputation of the IC if the outsourced service is disrupted or falls short of acceptable standards;
(b) Impact on the ability of the IC to maintain adequate internal controls and comply with legal and regulatory requirements if the outsourced service is disrupted or falls short of acceptable standards;
(c) Cost of outsourcing as a proportion of the total operating costs of the IC; and
(d) Degree of difficulty and time required to find an alternative Service Provider or to bring the outsourced service in-house if necessary.
6. The IC should regularly conduct reviews on the materiality of its outsourcing arrangements. If an arrangement is reassessed to be material, the IC should notify the IA forthwith.
IA Guideline on Outsourcing, Section 5.5. It would be usual to undertake such a reassessment whenever there is a change in scope; otherwise, annual reviews may be appropriate.
C. ACCOUNTABILITY
7. In any outsourcing arrangement, the Board of Directors and management of ICs should retain ultimate accountability for the outsourced activity.
IA Guideline on Outsourcing, Section 4.1. We would suggest including a list, setting out the position of the key people
involved in the selection and any decision-making and approvals processes used.
Management in our organization has been involved throughout to ensure that the project aligns with our organization’s
overall business and strategic objectives. At the center of our objectives are of course legal and regulatory compliance
and customer satisfaction and these were the key objectives that management had in mind when it considered this project.
We are satisfied that this solution will ensure legal and regulatory compliance because of the key features (including the
security and regulator’s audit rights) forming part of the Dynamics 365 service. We are also satisfied that customer
satisfaction will be maintained because we believe that Dynamics 365 will actually have some major benefits for our IT
operations and, accordingly, improve the overall service that we are able to provide to customers.
8. Outsourcing can allow management to transfer their day-to-day managerial responsibility, but not accountability, for an activity or a function to a service provider. ICs should therefore continue to retain ultimate control of the outsourced activity.
IA Guideline on Outsourcing, Section 4.1.
The handing over of certain day to day responsibility to an outsourcing provider does present some challenges in relation
to control. Essential to us is that, despite the outsourcing, we retain control over our own business operations, including
control of who can access data and how they can use it. At a contractual level, we have dealt with this via our contract
with Microsoft, which provides us with legal mechanisms to manage the relationship including appropriate allocation of
responsibilities, oversight and remedies. At a practical level, we have selected the Dynamics 365 product since it provides
us with control over data location, authentication and advanced encryption controls. We (not Microsoft) will continue to
own and retain all rights to our data and our data will not be used for any purpose other than to provide us with the
Dynamics 365 services.
D. RISK ASSESSMENT
9. The IC should ensure that the proposed outsourcing arrangement has been subject to a comprehensive risk assessment (in respect of financial, operational, legal and reputation risks and any potential losses to the customers in the event of a failure by the SP to perform) and that all the risks identified have been adequately addressed before launch.
IA Guideline on Outsourcing, Section 5.6. Clearly the IA expects that your organization would have carried out a risk
assessment. In summary, this would need to include:
• risk identification;
• analysis and quantification of the potential impact and consequences of these risks;
• risk mitigation and control strategy; and
• ongoing risk monitoring and reporting.
Ideally this should also include all of the items listed in the next section. If you have any questions when putting together
a risk assessment, please do not hesitate to get in touch with your Microsoft contact.
Yes, led by our management we have carried out a thorough risk assessment of the move to Dynamics 365. This risk
assessment included:
• [ ];
• [ ]; and
• [ ].
[A copy of the risk assessment can be provided to the IA upon request.]
10. Specifically, the risk assessment should cover inter alia the following:
• the impact on the IC’s risk profile (in respect of operational, legal and reputation risks and potential losses to the customers in the event of a failure) of the outsourcing.
See IA Guideline on Outsourcing, Section 5.6.
Yes, the risk assessment covered this.
• Operational risk: We managed this through our choice of service provider (see for example, question 14), the
controls we have in place to manage our relationship with the service provider (for example, our contractual
agreement, service levels, access to a Microsoft technical account manager and the regulator rights of audit and
inspection that we have in place) and our own internal controls (for example, our business continuity and disaster
recovery plans).
• Legal risk: We have in place with Microsoft a legally-binding agreement regarding our respective roles and
responsibilities in respect of the outsourcing. We chose Microsoft for this project because we believe it can help
us to comply with our legal obligations – for example, the fact that Microsoft permits data audits by regulators was
a key advantage over other cloud solutions that we considered.
• Reputational risk: We chose Microsoft because of its reputation in this sector. It is an industry leader in cloud
computing. Dynamics 365 is built based on ISO 27001, a rigorous set of global standards covering physical,
logical, process and management controls.
• Risk of loss to customers in the event of a failure: The outsourcing will not involve critical functions so the
risks are greatly minimized in this respect. In addition, Microsoft’s accredited systems and processes mean that
there are robust procedures in place to prevent, detect and quickly act in relation to any service issues that do
arise.
11. After ICs implement an outsourcing arrangement (or renew or vary one), they should regularly re-perform this assessment.
IA Guideline on Outsourcing, Section 5.7. The IA wants an assurance that you plan to re-perform the assessment (e.g.
annually).
Yes. We will conduct regular reviews of the outsourcing [at least annually].
E. ABILITY OF THE SERVICE PROVIDER
12. Before selecting a service provider ICs should perform due diligence on the Service Provider (including considering factors such as aggregate exposure to the Service Provider, possible conflicts of interest that may arise and price vis-à-vis the benefit gained in assessing and selecting a Service Provider).
IA Guideline on Outsourcing, Section 5.8.
We have undertaken a thorough due diligence of Microsoft’s processes and procedures in relation to Dynamics 365 and no concerns have arisen, including as to aggregate exposure and conflicts of interest.
As part of Microsoft’s certification requirements, it is required to undergo regular independent third party auditing and Microsoft shares with us the independent third party audit reports. Microsoft also agrees as part of the compliance program to a customer right to monitor and supervise. We are confident that such arrangements provide us with the appropriate level of up-front and on-going assessment of Microsoft’s ability to meet our policy, procedural, security control and regulatory requirements.
13. ICs should conduct an (at least) annual assessment to confirm the adequacy of the Service Provider to ascertain whether it can continue to provide the expected level of service.
IA Guideline on Outsourcing, Section 5.9. The IA expects that you repeat your assessment of the adequacy of the
Dynamics 365 solution at least once a year. If you require any input from Microsoft, please do not hesitate to get in touch
with your Microsoft contact.
14. In assessing a provider, apart from the cost factor and quality of services ICs should take into account the provider’s (a) financial soundness (and ability to continue to provide the expected level of service), (b) reputation, experience and quality of service, (c) managerial skills, (d) technical capabilities, (e) operational capability and capacity, (f) any licence, registration, permission or authorization required by law to perform the outsourced service, (g) compatibility with the IC's corporate culture and future development strategies, (h) familiarity with the insurance industry and (i) capacity to keep pace with innovation in the market.
IA Guideline on Outsourcing, Section 5.8.
(a) Financial Soundness: Microsoft Corporation is publicly-listed in the United States and is amongst the world’s largest companies by market capitalization. Microsoft’s audited financial statements indicate its strong financial position. Accordingly, we have no concerns regarding its financial strength.
(b) Reputation: Microsoft is an industry leader in cloud computing. Dynamics 365 is built based on ISO 27001, a rigorous set of global standards covering physical, logical, process and management controls. Dynamics 365 is used by many of the world’s top brands. Some case studies are available on https://customers.microsoft.com/en-us.
(c) Managerial skills: The fact that Microsoft already manages these services for financial institutions in leading markets around the world and that it has achieved an ISO 27001 accreditation (which, amongst other things, assesses management controls) gives us confidence that it has the necessary managerial skills.
(d) Technical capabilities: Microsoft’s ISO 27001 accreditation confirms that it has the technical capability required for the service.
(e) Operational capability and capacity: Microsoft has demonstrated its operational capability through its reputation (see above) and its ISO 27001 accreditations and we have no concerns as to its operational capacity as it is one of the largest providers of cloud computing services in the world.
(f) Licence, registration, permission or authorization required by law to perform the outsourced service: We are not aware of any licence, registration, permission or authorization required by the service provider to perform the services that it does not already have in place. The service provider is already providing such services to numerous financial institutions around the world.
(g) Compatibility with the IC’s corporate culture and future development strategies: We are confident that the use of Dynamics 365 will align well with our corporate culture and the fact that the service is scalable (i.e. it can be expanded or reduced to meet our demand) means that it is compatible with our future development strategy.
(h) Familiarity with the insurance industry: FSIs, including insurance companies, in leading markets, including the UK, France, Germany, Australia, Singapore, Canada, the United States and many other countries, have performed their due diligence and, working with their regulators, are satisfied that many Microsoft cloud-based solutions can meet their respective regulatory requirements. This gives us confidence that the service provider is able to help meet the high burden of financial services regulation and is experienced in meeting and understanding these requirements. Where you have taken it up you may also add: [This is further evidenced by Microsoft’s Compliance Framework Program which shows that Microsoft has given consideration to the unique requirements of the insurance industry (see further details below).]
(i) Capacity to keep pace with innovation in the market: Microsoft has the financial, operational and managerial capacity to lead innovation in the cloud computing market and it has demonstrated this to date.
F. OUTSOURCING AGREEMENT
15. An outsourcing arrangement should be undertaken in the form of a legally binding written agreement.
IA Guideline on Outsourcing, Section 5.
We have in place a legally binding written agreement. This is in the form of Microsoft’s Service Level Agreement (“SLA”)
and its Business and Services Agreement (“MBSA”). Amongst other things, they provide details of the contractual liabilities
and obligations of Microsoft, one of which is a contractual 99.5% to 99.9% uptime guarantee (depending on the specific
solution involved) for the Dynamics 365 product.
Please find a copy of the SLA at: https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx
MBSA is available upon request.
16. The IC should consider the
following when negotiating
the contract:
(a) Scope of the
outsourced service;
IA Guideline on Outsourcing, Section 5.10.
Taking each of the points in turn:
(a) Scope of the outsourced service: See responses to questions 2 and 3 above. The contract pack
comprehensively sets out the scope of the arrangement, the respective commitments of the parties, the online
services ordered and relevant price level information.
Page 15 of 50
Ref. Question/requirement Template response and guidance
(b) Location where the
outsourced service
will be performed;
(c) Effective period of
the outsourcing
arrangement;
(d) Contractual
obligations and
liabilities of the IC
and the Service
Provider;
(e) Performance
standards to be
attained in respect of
the outsourced
service. This is
particularly
appropriate when the
IC has committed to
a service standard or
performance pledge
to its customers;
(b) Location where the outsourced service will be performed: See response to question 4 above.
(c) Effective period of the outsourcing arrangement: EAs have a [three] year term, and may be renewed for a
further [three] year term.
(d) Reporting or notification requirements that the IC may wish to impose on the Service Provider: See
response to (f) below.
(e) Performance standards: See in particular the detailed performance standards and commitments set out in the
SLA and the MBSA above. These specify clearly the performance standards of Microsoft (for example, a 99.5%
to 99.9% uptime depending on the specific solution involved) and other obligations of Microsoft (for example, its
obligations to provide access in the event of an audit/inspection). They also cover clearly the issue of software
and hardware ownership (the software and hardware are both owned by Microsoft but use of the software and
hardware are licensed to us as users of the Dynamics 365 service).
(f) Reporting or notification requirements: As detailed below, Microsoft actually provides real time information to
us via the administrative dashboard. In our agreement with Microsoft, it agrees that it will notify us if it becomes
aware of any security incident, and will take reasonable steps to mitigate the effects and minimize the damage
resulting from the security incident.
(g) Performance monitoring: The extent of the rights to monitor performance that Microsoft provides was a key
differentiator with other service providers and a reason why we selected Microsoft. We may monitor the
performance of the online services via the administrative dashboard, which includes information as to Microsoft
compliance with its SLA commitments. Pursuant to the terms of the OST which is incorporated into the contract,
we can review the manner in which Microsoft provides the online services. As set out in the OST, we are entitled
to access the Microsoft Online Services Information Security Policy, which is the document where Microsoft sets
Page 16 of 50
Ref. Question/requirement Template response and guidance
(f) Reporting or
notification
requirements that
the IC may wish to
impose on the
Service Provider;
(g) The way in which the
IC and the Service
Provider should
monitor the
performance under
the agreement (e.g.
evaluation of
performance through
service delivery
reports, periodic self-
certifications,
independent reviews
by the IC’s or the
service provider’s
auditors);
(h) Information and
asset ownership
rights, information
technology security
out its information security management processes. Microsoft also commits to provide us with its audit report,
which is performed by an independent third party and measures compliance against Microsoft’s certifications.
(h) Information, security and protection of confidential information: The agreement ensures that we will retain
the rights in all of our intellectual property and data. The MBSA deals with confidentiality. The MBSA also states
that Microsoft and the customer each commit to comply with all applicable privacy and data protection laws and
regulations. We retain the ability to access our customer data at all times, and Microsoft will deal with customer
data in accordance with the requirements under the OST. In summary: following termination Microsoft will delete
the customer data after a 90 day retention period. Finally, from a technical perspective the wide availability and
usage of Microsoft’s products means that customer data can be extracted in a format that is readily reusable.
Microsoft also makes specific commitments with respect to customer data in the OST. In summary Microsoft
commits that:
• Ownership of our data remains at all times with us .
• Our data will only be used to provide the online services to us. Our data will not be used for any other purposes,
including for advertising or other commercial purposes.
• We retain the ability to access and extract our data at all material times. Except for free trials, Microsoft will retain
our data for 90 days after expiration or termination of service, and will delete our data after the said retention
period, and in the case of Dynamics 365 services, such deletion will take place no later than 180 days after
expiration or termination or service.
• Microsoft will not disclose our data to law enforcement unless it is legally obliged to do so, and only after not being
able to redirect the request to the customer.
Page 17 of 50
Ref. Question/requirement Template response and guidance
and protection of
confidential
information;
(i) Rules and
restrictions on sub-
contracting of the
outsourced service.
The IC should retain
the ability to maintain
similar control over
its outsourcing risks
when a Service
Provider uses a sub-
contractor;
(j) Remedial action and
escalation process
for dealing with
inadequate
performance;
(k) Contingency
planning of the
Service Provider to
provide business
• Microsoft will implement and maintain appropriate technical and organizational measures, internal controls, and
information security routines intended to protect customer data against accidental, unauthorized or unlawful
access, disclosure, alteration, loss, or destruction.
• Microsoft will notify us if it becomes aware of any security incident, and will take reasonable steps to mitigate the
effects and minimize the damage resulting from the security incident.
• Microsoft commits to reimburse our reasonable remediation costs incurred as a consequence of a security incident
involving customer data (see FSA under “Security Incident Notification”).
• See also the responses further on in this document in relation to security and confidentiality.
(i) Rules and restrictions on sub-contracting: Microsoft is permitted to hire subcontractors under the OST.
Microsoft maintains a list of authorized subcontractors for Dynamics 365 that have access to customer data and
provides us with a mechanism to obtain notice of any updates to that list. The actual list can be accessed via
https://www.microsoft.com/en-us/trustcenter/Privacy/Who-can-access-your-data-and-on-what-
terms#subcontractors. Contractually, if we do not approve of a subcontractor that will be given access to our data
to be added to the list, we are entitled to terminate our subscription to the Dynamics 365 services.
Microsoft commits that any subcontractors to whom Microsoft transfers our data will have entered into written
agreements with Microsoft that are no less protective than the data processing terms in the OST, and that Microsoft
remains contractually responsible (and therefore liable) for its subcontractors’ compliance with Microsoft’s
obligations in the OST. In addition, Microsoft’s commitment to ISO 27001 and ISO 27018 requires Microsoft to
ensure that its subcontractors are subject to the same security controls as Microsoft is subject to.
Page 18 of 50
Ref. Question/requirement Template response and guidance
continuity for the outsourced service;
(l) Management and approval process for changes to the outsourcing arrangement;
(m) Conditions under which the IC or Service Provider can terminate the outsourcing agreement;
(n) Termination agreement, including intellectual property and information rights and clarification of the process to ensure the smooth transfer of the outsourced service either to another Service Provider or back to the IC;
(o) Guarantee or indemnity from the Service Provider (e.g. an indemnity to the effect that any sub-contracting by the Service Provider of the outsourced service will be the responsibility of the Service provider including liability for any failure on the part of the sub-contractor;
(p) Requirement for the Service Provider to hold relevant insurance;
(q) Mechanism to resolve disputes that might arise under the outsourcing arrangement;
(r) The Service Provider’s agreement to allow the access by the auditors and actuaries of the IC and the IA to any books, records and information which facilitated them to discharge their statutory duties and obligations;
(s) Governing law of the outsourcing agreement. The agreement should preferably be governed by Hong Kong law.
(j) Remedial action and escalation process: See our response below in relation to remedial action and escalation processes for dealing with inadequate performance.
(k) Contingency planning and business continuity: Business Continuity Management forms part of the scope of the accreditations that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations. Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit. See also our response below in relation to contingency planning.
(l) Management and approval of change: Changes to the MBSA have to be agreed by the parties in writing. You may also wish to consider your own internal approval/sign-off processes for changes.
(m) Termination: The Enrollment under which online services are ordered is for an initial [three] year period. There is no general exit right under the Enrollment; however, in case of breach, termination rights are provided under the EA. There are also license subscription reduction provisions in the Enrollment which we may utilize to reduce the number of online services subscriptions to a stated minimum number, which if exercised could substantially relieve our subscription obligation. The OST and the FSA further set out situation-specific termination rights that we are entitled to, e.g. where we do not approve the addition of a new subcontractor which has access to our customer data, or where the IA expressly directs, or where we are unable to comply with new laws or regulatory requirements as a result of the use of the online services.
(n) Termination issues and transfer: In the event of cessation, we can either move back on premise or to an alternate Service Provider. Microsoft is contractually required to hold our data for an agreed period to enable such transition to occur in an orderly manner. In relation to any data and assets of ours, post termination, Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped it uses a destruction process that destroys them (i.e. shredding) and renders the recovery of information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined by the asset type. Records of the destruction are retained. All Microsoft Online Services utilize approved media storage and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-life cycle. Secure disposal or re-use of equipment and disposal of media is also covered under the ISO 27001 standard against which Microsoft is certified.
(o) Liability for sub-contracting: The MBSA deals with liability. Microsoft remains liable for the actions and inactions of its sub-contractors.
(p) Insurance requirement: Microsoft maintains self-insurance arrangements for much of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts upon its customers given that Microsoft is an extremely substantial entity.
(q) Disputes handling: The MBSA contains provisions that describe how a dispute under the contract is to be conducted.
(r) Auditor access: Microsoft provides audit and examination rights for the IA under the FSA. The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. In addition, the FSA details the examination and influence rights that are granted to us and the IA. The “Regulator Right to Examine” sets out a process which can culminate in the regulator’s examination of Microsoft’s premises. We also have the opportunity to participate in Microsoft’s Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.
Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate at events to discuss Microsoft’s compliance program, the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.
(s) Governing law: Our contract with Microsoft is subject to Washington State law [upon which we have obtained separate legal advice to ensure that we are comfortable with the protection and control afforded to us].
G. SUB-CONTRACTING
17. The IC should put in place adequate procedures to control and monitor any sub-contracting arrangements and ensure that the Service Provider will take into account the essential issues covered in this document as if it was the IC concerned when further contracting out the service.
IA Guideline on Outsourcing, Section 5.20.
Microsoft is permitted to hire subcontractors under the OST. Microsoft maintains a list of authorized subcontractors for
Dynamics 365 that have access to our data and provides us with a mechanism to obtain notice of any updates to that list.
The actual list can be accessed via https://www.microsoft.com/en-us/trustcenter/Privacy/Who-can-access-your-data-and-
on-what-terms#subcontractors. Contractually, if we do not approve of a subcontractor that will be given access to our data
to be added to the list, we are entitled to terminate our subscription to the Dynamics 365 services.
18. The IC should incorporate in the outsourcing agreement rules and restrictions on sub-contracting e.g. requiring IC’s prior consent for the sub-contracting and making the Service Provider liable for the capability of the sub-contractor.
IA Guideline on Outsourcing, Section 5.21.
Our contract with Microsoft, as detailed above, states that Microsoft remains responsible for its subcontractors’ compliance
with the contract. All subcontractors used have entered into written agreements with Microsoft requiring that the
subcontractor abide by terms no less protective than the relevant parts of the contract we have with Microsoft. The list of
all subcontractors is available for us to see.
19. The IC should ensure that its Service Provider would not engage in sub-contracting arrangements which may impede its ability to carry out the provisions of the outsourcing agreement with the IC, in particular, the requirements on information confidentiality, contingency planning and information access right by the regulator.
IA Guideline on Outsourcing, Section 5.21.
Microsoft assures us that it would not engage in sub-contracting arrangements which would impede such ability. In particular, it assures us that it contractually obligates its subcontractors to security and privacy standards equivalent to its own, and that Microsoft subcontractors only handle our data when required to provide or maintain the services. Nothing in such arrangements would prevent us from meeting obligations that we may have in relation to contingency planning and information access rights by the regulator. In particular, our contract with Microsoft states that subcontractors are prohibited from using customer data other than for the purposes of delivering the specific services they have been retained to provide, and that any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft requiring that the subcontractor abide by terms no less protective than the data and confidentiality provisions of our contract with Microsoft.
H. CUSTOMER DATA CONFIDENTIALITY
20. ICs should ensure that the proposed outsourcing arrangement complies with relevant statutory requirements (e.g. the Personal Data (Privacy) Ordinance (“PDPO”)) and common law customer confidentiality.
IA Guideline on Outsourcing, Section 5.12.
Microsoft recommends that you do seek legal advice on the use of cloud computing services in relation to
statutory/regulatory/common law requirements.
We are confident that the proposed use of Dynamics 365 complies with relevant statutory requirements, including the
PDPO and common law confidentiality requirements.
Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls on par with or better than on-premises data centers of even the most sophisticated organizations. In relation to the PDPO, Dynamics 365 includes the following features and commitments from Microsoft to ensure compliance with the requirements of the PDPO: (i) Microsoft will not use our data for purposes other than providing the services; (ii) Microsoft has security policies, controls and security measures which are verified by independent auditors. These measures include security features in its hardware, software and physical data centers and restricted physical data center access; Dynamics 365 is ISO 27001 and ISO 27018 compliant, and data is encrypted both at rest and over the network as it is transmitted between the data center and a user; (iii) Microsoft will inform us promptly if our data has been accessed improperly; (iv) there are specific data retention and deletion commitments in the OST governing handling of our data at the end of the service term.
Microsoft commits to comply with ISO 27018. In February 2015, Microsoft became the first major cloud provider to adopt
the world’s first international standard for cloud privacy, ISO 27018. The standard was developed by the International
Organization for Standardization (ISO) to establish a uniform, international approach to protecting privacy for personal
data stored in the cloud. The British Standards Institute (BSI) has independently verified that Microsoft is aligned with the
standard’s code of practice for the protection of Personally Identifiable Information (PII) in the public cloud. The controls
set out in ISO 27018 match the protections required by the PDPO.
In choosing Microsoft, we also took into account the fact that Microsoft offers access and audit rights, thereby allowing us
to comply with our regulatory obligations in this respect.
21. ICs should have controls in place to ensure that the requirements of customer data confidentiality are observed and proper safeguards are established to protect the integrity and confidentiality of customer information.
IA Guideline on Outsourcing, Section 5.12.
Microsoft recommends that you seek legal advice as to PDPO requirements.
As above, Microsoft as an outsourcing partner is an industry leader in cloud security and implements policies and controls
on par with or better than on-premises data centers of even the most sophisticated organizations. Dynamics 365 is built
based on ISO 27001, a rigorous set of global standards covering physical, logical, process and management controls. In
particular:
• Undertakings by the service provider that the company and its staff will abide by confidentiality rules,
including taking account of the data protection principles set out in PDPO: Yes. We have contractual
confidentiality terms in our agreements with Microsoft.
• ICs' contractual rights to take action against the service provider in the event of a breach of
confidentiality: Yes. Under our contractual terms with Microsoft, we would expect to have a breach of contract
claim in the event of a breach of confidentiality.
• Segregation or compartmentalization of ICs' customer data from those of the service provider and its
other clients: Yes. Data storage and processing is segregated through Active Directory structure and capabilities
specifically developed to help build, manage, and secure multi-tenant environments. Active Directory isolates
customers using security boundaries (also known as silos). This safeguards a customer’s data so that the data
cannot be accessed or compromised by other parties. Microsoft also provides us with our own database to
maximize the security and integrity of our data. This safeguards a customer’s data so that the data cannot be
accessed or compromised by co-tenants.
Select the following text if using Dynamics 365 dedicated version:
We have secured an offering that provides for a dedicated hosted offering, which means that our data is hosted on hardware dedicated to us.
• Access rights to ICs' data delegated to authorized employees of the service provider on a need basis: Yes.
Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer
data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access
control (“RBAC”) and lock box processes. Access control is an automated process that follows the separation of
duties principle and the principle of granting least privilege. This process ensures that the engineer requesting
access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting,
required security training and access approvals. In addition, the access levels are reviewed on a periodic basis to
ensure that only users who have appropriate business justification have access to the systems.
22. ICs should notify their customers in general terms of the possibility that their data may be outsourced and the circumstances under which their data may be disclosed or lost.
IA Guideline on Outsourcing, Section 5.13. Where you have existing outsourcing arrangements in place you would already have such notifications in place. If so, contracting for Dynamics 365 should not require additional notifications. Microsoft recommends that you seek legal advice on your privacy policies and consent mechanisms to ensure that they do comply with applicable law. If you require any information from Microsoft please do get in touch with your Microsoft contact.
23. In the event of a termination of outsourcing agreement, for whatever reason, ICs should ensure that all customer data is either retrieved from the service provider or destroyed.
IA Guideline on Outsourcing, Section 5.13.
As detailed above, Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard
drives that can’t be wiped it uses a destruction process that destroys them (i.e. shredding) and renders the recovery of
information impossible (e.g., disintegrate, shred, pulverize, or incinerate). The appropriate means of disposal is determined
by the asset type. Records of the destruction are retained. All Microsoft Online Services utilize approved media storage
and disposal management services. Paper documents are destroyed by approved means at the pre-determined end-of-
life cycle. Secure disposal or re-use of equipment and disposal of media is covered under the ISO 27001 standards
against which Microsoft is certified.
24. ICs should notify the IA forthwith of any unauthorized access or breach of confidentiality by the Service Provider or its sub-contractor that affects the IC or its customers.
IA Guideline on Outsourcing, Section 5.14. This is an internal process matter. However, please note that nothing in your
contractual arrangement with Microsoft would prevent or hinder your obligation to do so.
I. MONITORING AND CONTROL
25. ICs should have sufficient and appropriate resources in place to monitor and control the outsourcing arrangements at all times. Such monitoring should cover, inter alia, ensuring that the service is being delivered in the manner expected and to ensure that the provisions included in the outsourcing agreement are properly effected.
IA Guideline on Outsourcing, Section 5.15. You may also in this context wish to refer to any internal monitoring procedures
you are putting in place.
Yes. Microsoft’s SLA applies to the Dynamics 365 product. Our IT administrators also have access to the Dynamics 365 Service Health Dashboard, which provides real-time and continuous monitoring of the Dynamics 365 service. The Service Health Dashboard provides our IT administrators with information about the current availability of each service or tool (and a history of availability status), details about service disruptions or outages, and scheduled maintenance times. The information is provided via an RSS feed.
Amongst other things, Microsoft provides a contractual 99.5% to 99.9% uptime guarantee (depending on the specific
solution involved) for the Dynamics 365 product and covers performance monitoring and reporting requirements which
enable us to monitor Microsoft’s performance on a continuous basis against service levels.
Please find a copy of the SLA at:
https://www.microsoft.com/en-us/Licensing/product-licensing/products.aspx
26. IC should maintain a central list of the outsourcing arrangements including the name of the Service Provider, service outsourced, commencement date, expiry or renewal date, contact details or key Service Provider personnel. The list should also record similar information relating to any sub-contracting arrangement of the outsourced service.
IA Guideline on Outsourcing, Section 5.15. The IA is looking for assurance that you have these records. The information we have included at the top of this document will assist with this in conjunction with the information contained in our contractual arrangements.
27. Responsibility for monitoring the service provider and the outsourced activity should be assigned to staff with appropriate expertise.
IA Guideline on Outsourcing, Section 5.15. If requested by IA, Microsoft would suggest that you provide details of the
relevant personnel and a brief summary of their experience.
28. The control procedures over the outsourcing arrangement should be subject to regular audits by the IC (at least annually).
IA Guideline on Outsourcing, Section 5.15. The IA expects that your internal audit function would regularly review the
outsourcing arrangement so you will need to confirm this. Nothing in your contract with Microsoft would hinder this.
29. ICs should establish reporting procedures which can promptly escalate problems relating to the outsourced activity to the attention of the management of the IC and their service providers. The IC should then take appropriate rectification actions forthwith if deficiencies are identified.
IA Guideline on Outsourcing, Section 5.16. Below are details of the escalation processes that Microsoft provides. You should add to this your own escalation processes and any commitments to rectify issues that are identified.
Service Provider Escalation
As part of the support we receive from Microsoft we have access to a technical account manager who is responsible for understanding our challenges and providing expertise, accelerated support and strategic advice tailored to our organization. This includes both continuous hands-on assistance and immediate escalation of urgent issues to speed resolution and keep mission-critical systems functioning. We are confident that such arrangements provide us with the appropriate mechanisms for managing performance and problems.
Internal escalation
[ ] You will need to describe your process for how any issues will be escalated internally.
30. The IC should notify the IA forthwith of any significant problem that has the potential to materially affect its financial position, business operation or compliance with legal and regulatory requirements.
IA Guideline on Outsourcing, Section 5.16. The IA is looking for a commitment that you will do this. Nothing in your contract
with Microsoft would hinder you from complying with this.
J. CONTINGENCY PLANNING
31. ICs should develop a contingency plan to ensure that its business would not be disrupted as a result of undesired contingencies (e.g. systems failure) of the service provider. This should also include procedures to be followed and the people responsible for respective activities if business continuity problems arise.
IA Guideline on Outsourcing, Section 5.17. The IA clearly expects you to have a contingency plan in place, covering disaster recovery/business continuity. This would usually include:
• performing a business impact analysis of a disaster situation;
• considering the internal mechanisms to deal with such a situation; and
• considering Dynamics 365’s own disaster recovery and business continuity safeguards.
The IA also requires that you specify your internal processes in the contingency plan and set out the people in your
business who will be responsible in the event of issues arising.
The following outlines Dynamics 365’s own disaster recovery and business continuity safeguard which should be useful
to incorporate into your contingency plan:
Redundancy
• Physical redundancy at server, data center, and service levels.
• Data redundancy with robust failover capabilities.
• Functional redundancy with offline functionality.
• As an additional safeguard, Microsoft performs daily back-ups to a secure, offsite location.
Resiliency
• Active load balancing.
• Automated failover with human backup.
• Recovery testing across failure domains.
Distributed Services
• Distributed component services limit scope and impact of any failures in a component.
• Directory data replicated across component services insulates one service from another in any failure events.
• Simplified operations and deployment.
Monitoring
• Internal monitoring built to drive automatic recovery.
• Outside-in monitoring raises alerts about incidents.
• Extensive diagnostics provide logging, auditing, and granular tracing.
Simplification
• Standardized hardware reduces issue isolation complexities.
• Fully automated deployment models.
• Standard built-in management mechanism.
Human backup
• Automated recovery actions with 24/7 on-call support.
• Team with diverse skills on the call provides rapid response and resolution.
• Continuous improvement by learning from the on-call teams.
Continuous learning
• If an incident occurs, Microsoft does a thorough post-incident review every time.
• Microsoft’s post-incident review consists of analysis of what happened, Microsoft’s response, and Microsoft’s plan
to prevent it in the future.
In the event the organization was affected by a service incident, Microsoft shares the post-incident review with the
organization.
32. Procedures should be in place for regular reviews and testing of the contingency plan.
IA Guideline on Outsourcing, Section 5.17.
Microsoft carries out disaster recovery testing at least once per year. Please see also above for a summary of the disaster
recovery/business continuity safeguards provided as part of the Dynamics 365 service.
33. Contingency arrangements in respect of daily operational and systems problems would normally be covered in the service provider’s own contingency plan. ICs should ensure that they have an adequate understanding of their service provider’s contingency plan and consider the implications for their own contingency planning in the event that an outsourced service is interrupted due to failure of the service provider’s system.
IA Guideline on Outsourcing, Section 5.18. The IA requirements indicate the importance of you understanding the disaster recovery/business continuity safeguards forming part of Dynamics 365. As such, if you have any questions about these, please do not hesitate to get in touch with your Microsoft contact.
Please see above for a summary of the disaster recovery/business continuity safeguards provided as part of the Dynamics 365 service.
34. In establishing a viable contingency plan, ICs should consider, among other things, the availability of alternative service providers or the possibility of bringing the outsourced activity back in-house in an emergency.
IA Guideline on Outsourcing, Section 5.17(a). The IA clearly expects you to have a plan in place if you did decide to stop
using the Dynamics 365 service.
To ensure control, transparency and consistency, it is necessary for the applications and services forming part of Dynamics 365 to be provided by one provider (i.e. Microsoft). Because of the due diligence and risk management processes we have implemented, we are of the view that use of Dynamics 365 would not represent an excessive reliance on a single service provider. The terms of our contract with Microsoft do not limit our right to move to another provider (or to revert to a local, non-cloud based offering) should we choose to do so.
K. ACCESS TO OUTSOURCED DATA
35. ICs should ensure that appropriate up-to-date records are maintained in their premises and kept available for inspection by the IA and that data retrieved from the service providers are accurate and available in Hong Kong on a timely basis. Access to data by the IA’s examiners and the IC’s internal and external auditors should not be impeded by the outsourcing. ICs should ensure that the outsourcing agreement with the service provider contains a clause which allows for supervisory inspection or review of the operations and controls of the service provider as they relate to the outsourced activity.
IA Guideline on Outsourcing, Section 4.
The terms of our contract with Microsoft provide that if a regulator requests, Microsoft will provide the regulator a direct right to examine the relevant service, including the ability to conduct an on-premise examination; to meet with Microsoft personnel and Microsoft’s external auditors; and to access related information, records, reports and documents. Customer will at all times have access to its data using the standard features of Dynamics 365, and may delegate its access to its data to representatives of the IA.
L. ADDITIONAL CONCERNS IN RELATION TO OVERSEAS OUTSOURCING
36. ICs should understand the risks arising from overseas outsourcing, taking into account relevant aspects of an overseas country (e.g. legal system, regulatory regime, sophistication of technology, infrastructure and the ability of the IC to monitor the outsourced service and the SP).
IA Guideline on Outsourcing, Section 5.19. The answer to this question will depend on the region you are in. You may discuss this with your Microsoft contact. Microsoft enables customers to select the region that it is provisioned from.
Dynamics 365 is hosted out of […..]. This/These location(s) has/have been vetted for geopolitical/socioeconomic risks as set out in this checklist requirement. As part of our usual processes, we constantly monitor the countries in which we operate.
a. Political (i.e. cross-border conflict, political unrest etc). Dynamics 365 offers data-location transparency so that
the organizations and regulators are informed of the jurisdiction(s) in which data is hosted. We are confident that
Microsoft’s data center locations offer stable political environments.
b. Country/socioeconomic. Dynamics 365 offers data-location transparency so that the organizations and regulators
are informed of the jurisdiction(s) in which data is hosted. The centers are strategically located around the world taking
into account country and socioeconomic factors. We are confident that Microsoft’s data center locations offer stable
socioeconomic environments.
c. Infrastructure/security/terrorism. Microsoft’s data centers are built to exacting standards, designed to protect
customer data from harm and unauthorized access. Data center access is restricted 24 hours per day by job function
so that only essential personnel have access. Physical access control uses multiple authentication and security
processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video
surveillance and two-factor authentication. The data centers are monitored using motion sensors, video surveillance
and security breach alarms.
d. Environmental (i.e. earthquakes, typhoons, floods). Environmental controls have been implemented to protect the
data centers including temperature control, heating, ventilation and air-conditioning, fire detection and suppression
systems and power management systems, 24-hour monitored physical hardware and seismically-braced racks.
Microsoft Data centers are built in seismically safe zones. These requirements are covered by Microsoft’s ISO 27001
accreditation for Dynamics 365.
e. Legal and regulatory system. We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. We also took into account the fact that Dynamics 365 is built based on ISO 27001 standards, a rigorous set of global standards covering physical, logical, process and management controls. Finally, we took into account the fact that Microsoft offers access and regulator audit rights, thereby allowing us to comply with our regulatory obligations in this respect.
f. Monitoring. Our contract with Microsoft provides extensive monitoring rights for us and for the IA.
37. Right of access to customers’ data by overseas authorities such as the police and tax authorities. ICs should, as considered appropriate, seek legal advice to clarify the position. ICs should notify the IA if overseas authorities seek access to their customers’ data.
IA Guideline on Outsourcing, Section 5.19. The answer to this question will partly depend on the region you are in. You
may discuss this with your Microsoft contact. Microsoft enables customers to select the region that it is provisioned from,
and adopts strict processes in dealing with disclosure requests by third parties and authorities. Microsoft recommends
that you obtain a legal opinion from an international or other reputable legal firm in the country where your data will be
hosted on this matter.
Microsoft is transparent in relation to the location of our data. Dynamics 365 is hosted out of […..]. This/These location(s)
has/have been thoroughly vetted and the circumstances in which the authorities may have rights to access customer
information are not considered unwarranted. Microsoft data center locations are made public on the Microsoft Trust Center
at https://www.microsoft.com/en-us/trustcenter.
Microsoft also provides contractual commitment on how data disclosure requests from authorities will be handled.
Microsoft will not disclose our data to law enforcement unless required by law. If law enforcement contacts Microsoft with
a demand for our data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from us.
If compelled to disclose our data to law enforcement, Microsoft will promptly notify us and provide a copy of the demand
unless legally prohibited from doing so. Over the past years, Microsoft has taken multiple court actions to challenge
different law enforcement data disclosure requests and has, through their action, established a track record and
demonstrated how they comply with their contractual commitment in this regard.
38. Notification to customers - ICs should generally notify their customers of the country in which the service provider is located (and of any subsequent changes) and the right of access, if any, available to the overseas authorities.
IA Guideline on Outsourcing, Section 5.19. Microsoft recommends that you confirm in this section that you have informed customers where services will be provided from (according to the specification of your final solution with Microsoft).
Microsoft also recommends that you confirm in this section that you have informed customers of the right of access available to overseas authorities (for example in Singapore, for the purpose of the Dynamics 365 service, depending on the specification of your final solution with Microsoft).
39. ICs should not outsource to a jurisdiction that may hamper access to data by the IA. They should ensure that the IA has a right of access to the books and records and other information of the IC as necessary for the IA to be able to carry out its statutory responsibilities.
IA Guideline on Outsourcing, Section 5.19.
Dynamics 365 is hosted out of […..]. This/These location(s) has/have been thoroughly vetted and, as far as we are aware, there are no secrecy laws which would hamper access to data in the appropriate circumstances.
We will have in place a binding negotiated contractual agreement with Microsoft in relation to the outsourced service, giving us direct contractual rights. There are provisions in the contract that enable the IA to carry out inspection or examination of Microsoft’s facilities, systems, processes and data relating to the services. This is set out in the FSA. This is a key advantage of the Microsoft product over competitor products, which often provide only very limited (or no) audit and inspection rights. Where the IA wishes to access the books and records of the IC, Microsoft will in the first instance direct the IA to the IC. The IC should be able to provide the IA with access to all the books and records. Where such books and records are hosted by Microsoft, the IC has access to them by using the services in the normal way.
Microsoft also offers a Compliance Framework Program. If you take up the Compliance Framework Program, you may add this additional information about its key features: the regulator audit/inspection right, access to Microsoft’s security policy, the right to participate in events to discuss Microsoft’s compliance program, and the right to receive audit reports and updates on significant events, including security incidents, risk-threat evaluations and significant changes to the business resumption and contingency plans.
40. §33 of the PDPO in respect of transfer of personal data outside Hong Kong - although §33 has not yet come into operation, ICs are advised to take account of the provisions therein and the potential impact on their plans in respect of overseas outsourcing.
IA Guideline on Outsourcing, Section 5.19.
Section 33 of the PDPO, assuming it is in force, prohibits organizations from transferring personal data outside of Hong Kong except in certain circumstances, e.g. if the organization has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be handled in a manner in contravention of the PDPO requirements (commonly referred to as the “Due Diligence Exception”). Putting in place an enforceable contract between all parties to the transfer is a way to satisfy the Due Diligence Exception, and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has proposed a set of recommended model clauses to include in such a contract. Microsoft’s OST in principle covers the core areas of the recommended model clauses and should therefore satisfy the Due Diligence Exception.
41. Governing law of the outsourcing agreement - the agreement should preferably be governed by Hong Kong law.
IA Guideline on Outsourcing, Section 5.19.
The MBSA deals with which country’s laws apply if there is a legal dispute.
The governing law is that of the State of Washington, U.S.; however, the parties have the ability to bring proceedings in the following locations:
• If Microsoft brings the action, the jurisdiction will be where our contracting entity is located;
• If we bring the action, the jurisdiction will be the State of Washington; and
• Both parties can seek injunctive relief with respect to a violation of intellectual property rights or confidentiality obligations in any appropriate jurisdiction.
ANNEX ONE
MANDATORY CONTRACTUAL REQUIREMENTS
The IA does not specifically mandate contractual requirements that must be agreed by ICs with their service providers. However, the Guideline on Outsourcing
does contain a long list of matters that it says that ICs should “consider” when negotiating the contract. The Annex contains a comprehensive list and details of
where in the Microsoft contractual documents these points are covered.
Key:
Where relevant, a cross-reference is included in red italics to the underlying regulation that sets out the contractual requirement.
In blue text, Microsoft has provided you with a reference to where in the agreement the contractual requirement is covered for ease of reference.
Terms used below as follows:
OST = Online Services Terms
EA = Enterprise Agreement
Enrolment = Enterprise Enrolment
FSA = Financial Services Amendment
MBSA = Microsoft Business and Services Agreement
PT = Product Terms
SLA = Online Services Service Level Agreement
Ref. Requirement Microsoft agreement reference
1. Scope of the outsourced service. Section 5.10(a) of the Guideline on Outsourcing.
Yes.
The contract pack comprehensively sets out the scope of the arrangement and the respective commitments of the parties.
The services are broadly described, along with the applicable usage rights, in the PT and the OST. The services are described in more detail in the OST, which includes a list of service functionality in the Data Processing Terms section and the core features of the Dynamics 365 services in the Online Service Specific Terms section. The MBSA addresses liability and rights of action.
2. Location where the outsourced service will be performed. Section 5.10(b) of the Guideline on Outsourcing.
Yes.
The OST contains general commitments around data location. Microsoft will ensure that Customer Data will always be stored and processed in accordance with the EU and Swiss Safe Harbour Frameworks as maintained by the US Government. Microsoft data center locations are made public on the Microsoft Trust Center at https://www.microsoft.com/en-us/trustcenter.
Microsoft also commits in the OST that Customer Data transfers out of the EU will be governed by the EU Model Clauses. Also, as noted in the OST, any subcontractors to whom Microsoft transfers Customer Data, even those used for storage purposes, will have entered into written agreements with Microsoft that are no less protective than the DPT section of the OST.
Commitments on the location of data at rest are discussed in the OST, and may depend on where a customer provisions its service tenancy or which Geo it specifies for the online service. More details are set out, non-contractually, in the Trust Center for each applicable online service.
3. Effective period of the outsourcing arrangement. Section 5.10(c) of the Guideline on Outsourcing.
EAs have a [three] year term, and may be renewed for a further [three] year term.
Please insert the proposed start date of the outsourcing service.
4. Contractual obligations and liabilities of the IC and the
Service Provider.
Section 5.10(d) of the Guideline on Outsourcing
Yes.
The contract pack comprehensively sets out the scope of the arrangement and the
respective commitments of the parties.
The services are broadly described, along with the applicable usage rights, in the PT and the OST. The services are described in more detail in the OST, which includes a list of service functionality.
The MBSA deals with liability and the rights of action.
5. Performance standards to be attained in respect of the
outsourced service. This is particularly appropriate when the
IC has committed to a service standard or performance
pledge to its customers.
Section 5.10(e) of the Guideline on Outsourcing.
Yes.
See in particular the detailed performance standards and commitments set out in the SLA
and the MBSA above. These specify clearly the performance standards of Microsoft (for
example, a 99.5% to 99.9% uptime depending on the specific solution involved) and other
obligations of Microsoft (for example, its obligations to provide access in the event of an
audit/inspection).
6. Reporting or notification requirements that the IC may wish
to impose on the Service Provider.
Section 5.10(f) of the Guideline on Outsourcing.
Yes.
The customer may monitor the performance of the online services via the administrative
dashboard, which includes information as to Microsoft compliance with its SLA
commitments.
In addition, Customers can review the manner in which Microsoft provides the online
services. As set out in the OST, the customer is entitled to access the Microsoft Online
Services Information Security Policy, which is the document where Microsoft sets out its
information security management processes. Microsoft also commits to providing the
customer with a summary of Microsoft’s annual audit report, which is performed by an
independent third party and measures compliance against Microsoft’s certifications.
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards. This commitment is reiterated in the FSA.
In addition, the FSA gives us the opportunity to participate in the Microsoft Online Services
Customer Compliance Program, which is a for-fee program that facilitates our ability to (a)
assess the services’ controls and effectiveness, (b) access data related to service
operations, (c) maintain insight into operational risks of the services, (d) be provided with
additional notification of changes that may materially impact Microsoft’s ability to provide
the services, and (e) provide feedback on areas for improvement in the services.
7. The way in which the IC and the Service Provider should
monitor the performance under the agreement (e.g.
evaluation of performance through service delivery reports,
periodic self-certifications, independent reviews by the IC’s
or the service provider’s auditors).
Section 5.10(g) of the Guideline on Outsourcing.
Yes.
Customers can review the manner in which Microsoft provides the online services.
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in
order to verify that the online services meet appropriate security and compliance standards.
This commitment is reiterated in the FSA.
In addition, the FSA gives us the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.
In addition, as part of its certification requirements, Microsoft is required to undergo regular independent third party auditing, and Microsoft shares the independent third party audit reports with us. Under the FSA, Microsoft will provide us with copies of its audit reports so that we can verify Microsoft’s compliance with its obligations.
Finally, as set out in the OST, the customer is entitled to access the Microsoft Online
Services Information Security Policy, which is the document where Microsoft sets out its
information security management processes. Microsoft also commits to provide us with its
audit report, which is performed by an independent third party and measures compliance
against Microsoft’s certifications.
8. Information and asset ownership rights, information
technology security and protection of confidential
information.
Section 5.10(h) of the Guideline on Outsourcing.
Microsoft makes specific commitments with respect to our data in the OST. In summary, Microsoft commits that:
1. Ownership of our data remains at all times with us.
2. Our data will only be used to provide the online services to us. Our data will not be
used for any other purposes, including for advertising or other commercial purposes.
3. Microsoft will not disclose our data to law enforcement unless it is legally obliged to do
so, and only after not being able to redirect the request to us.
4. Microsoft will implement and maintain appropriate technical and organizational
measures, internal controls, and information security routines intended to protect
Customer Data against accidental, unauthorized or unlawful access, disclosure,
alteration, loss, or destruction.
5. Microsoft will notify the customer if it becomes aware of any security incident, and will
take reasonable steps to mitigate the effects and minimize the damage resulting from
the security incident.
The MBSA deals with confidentiality. Microsoft commits not to disclose our confidential
information (which includes our data) to third parties and to only use our confidential
information for the purposes of Microsoft’s business relationship with us. If there is a
breach of confidentiality by Microsoft, we are able to bring a claim for breach of contract
against Microsoft.
9. Rules and restrictions on sub-contracting of the outsourced
service. The IC should retain the ability to maintain similar
control over its outsourcing risks when a Service Provider
uses a sub-contractor.
Section 5.10(i) of the Guideline on Outsourcing.
Yes.
Under the terms of the OST, Microsoft is permitted to hire subcontractors.
Microsoft maintains a list of authorized subcontractors for the online services that have
access to our data and provides us with a mechanism to obtain notice of any updates to
that list. The actual list is published on the applicable Trust Center, and it sets out the
identity of such subcontractors, their respective location and the function(s) that they perform. If we do not approve of a subcontractor that is added to the list, then we are
entitled to terminate the affected online services.
The confidentiality of our data is protected when Microsoft uses subcontractors because
Microsoft commits that its subcontractors will be permitted to obtain our data only to deliver
the services Microsoft has retained them to provide and will be prohibited from using our
data for any other purpose.
Microsoft also commits that any subcontractors to whom Microsoft transfers our data will
have entered into written agreements with Microsoft that are no less protective than the
data processing terms in the OST.
Under the terms of the OST, Microsoft remains contractually responsible (and therefore
liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST. In
addition, Microsoft’s commitment to ISO 27018 requires Microsoft to ensure that its subcontractors are subject to the same security controls as Microsoft is subject to. Finally,
the EU Model Clauses, which are included in the OST, require Microsoft to ensure that its
subcontractors outside of Europe comply with the same requirements as Microsoft and set
out in detail how Microsoft must achieve this.
10. Remedial action and escalation process for dealing with
inadequate performance.
Section 5.10(j) of the Guideline on Outsourcing.
Under the service credits mechanism in the SLA, we may be entitled to a service credit of
up to 100% of the service charges. If a failure by Microsoft also constitutes a breach of
contract to which the service credits regime does not apply, we would of course have
ordinary contractual claims available to us too under the contract.
The MBSA deals with liability and rights of action. The MBSA deals with how a dispute
under the contract is to be conducted.
11. Contingency planning of the Service Provider to provide
business continuity for the outsourced service.
Section 5.10(k) of the Guideline on Outsourcing.
Yes.
Business Continuity Management forms part of the scope of the accreditations that Microsoft maintains in relation to the online services, and Microsoft commits to maintain a data security policy that complies with these accreditations. Business Continuity Management also forms part of the scope of Microsoft’s annual third party compliance audit.
12. Management and approval process for changes to the
outsourcing arrangement.
Section 5.10(l) of the Guideline on Outsourcing.
Yes.
The MBSA states that the contract may be amended only by a formal written agreement
signed by both parties. However, there is minimal requirement (if any) for change
management provisions for the Microsoft Dynamics 365 services. These online services
are “commodity” services and are designed to be delivered as a standardized offering,
thereby removing the requirement or need for changes or alterations to be made at an
organization level. Microsoft will manage upgrades and patches to its services and testing
for these will be carried out by Microsoft. Microsoft has its own operational change control
procedure in place. The operational change control procedure includes an assessment
process of possible changes and their impact. The testing of changes takes place in an
approved non-production environment.
13. Conditions under which the IC or Service Provider can
terminate the outsourcing agreement.
Section 5.10(m) of the Guideline on Outsourcing.
Yes.
The Enrolment under which online services are ordered is for an initial [three] year period. There is no general exit right under the Enrolment; however, in case of breach, termination rights are provided under the EA. There are also license subscription reduction provisions in the Enrolment which we may utilize to reduce the number of online services
subscriptions to a stated minimum number, which if exercised could substantially relieve
our subscription obligation. The OST and the FSA further set out situation-specific
termination rights that we are entitled to, e.g. where we do not approve the addition of a
new subcontractor which has access to our customer data, or where the IA expressly
directs, or where we are unable to comply with new laws or regulatory requirements as a
result of the use of the online services.
14. Termination agreement, including intellectual property and
information rights and clarification of the process to ensure
the smooth transfer of the outsourced service either to
another Service Provider or back to the IC.
Section 5.10(n) of the Guideline on Outsourcing.
Yes.
Microsoft contractually commits to retain our data stored in the Online Service in a limited
function account for 90 days after expiration or termination of our subscription so that we
may extract the data. After the 90 day retention period ends, Microsoft will disable our
account and delete our data. The MBSA deals with confidentiality. The OST states, in the
General Terms section, that Microsoft will comply with all laws and regulations applicable
to its provision of Dynamics 365 services, including security breach notification law.
Microsoft is not responsible for compliance with any laws or regulations applicable to us, or the financial services industry, that are not generally applicable to information technology service providers.
Note that ownership of documents, records and other data remain with the customer
organization and at no point transfer to Microsoft or anyone else, so this does not need to
be addressed through transition. As set out in the OST, we retain the ability to access and
extract our data at all material times. Upon expiration or termination, Microsoft will delete
our data.
See the response above for more information about the termination rights.
15. Guarantee or indemnity from the Service Provider, e.g. an
indemnity to the effect that any sub-contracting by the
Service Provider of the outsourced service will be the
responsibility of the Service provider including liability for any
failure on the part of the sub-contractor.
Section 5.10(o) of the Guideline on Outsourcing
Yes.
Under the terms of the OST, Microsoft remains contractually responsible (and therefore
liable) for its subcontractors’ compliance with Microsoft’s obligations in the OST.
The MBSA deals with liability.
16. Requirement for the Service Provider to hold relevant insurance.
Section 5.10(p) of the Guideline on Outsourcing.
Yes.
In practice, Microsoft maintains self-insurance arrangements for many of the areas where third party insurance is typically obtained. Microsoft has taken the commercial decision to take this approach, and does not believe that this detrimentally impacts its customers given that Microsoft is an extremely substantial entity.
17. Mechanism to resolve disputes that might arise under the
outsourcing arrangement.
Section 5.10(q) of the Guideline on Outsourcing.
Yes.
The MBSA contains provisions that describe how a dispute under the contract is to be
conducted.
The MBSA sets out the jurisdictions in which the parties must bring their actions. Microsoft must bring actions against the customer in the country where the customer’s contracting party is headquartered. The customer must bring actions: (a) in Ireland, if the action is against a Microsoft affiliate in Europe; (b) in the State of Washington, if the action is against a Microsoft affiliate outside of Europe; or (c) in the country where the Microsoft affiliate delivering the services has its headquarters, if the action is to enforce a Statement of Services.
18. The Service Provider’s agreement to allow access by the auditors and actuaries of the IC and the IA to any books, records and information which facilitate the discharge of their statutory duties and obligations.
Section 5.10(r) of the Guideline on Outsourcing.
The OST specifies the audit and monitoring mechanisms that Microsoft puts in place in order to verify that the online services meet appropriate security and compliance standards.
The FSA details the examination and influence rights that are granted to us and the IA. The FSA sets out a process which can culminate in the IA’s examination of Microsoft’s premises and gives us the opportunity to participate in the Microsoft Online Services Customer Compliance Program, which is a for-fee program that facilitates our ability to (a) assess the services’ controls and effectiveness, (b) access data related to service operations, (c) maintain insight into operational risks of the services, (d) be provided with additional notification of changes that may materially impact Microsoft’s ability to provide the services, and (e) provide feedback on areas for improvement in the services.
19. Governing law of the outsourcing agreement. The agreement
should preferably be governed by Hong Kong law.
Section 5.10(s) of the Guideline on Outsourcing.
The MBSA deals with which country’s laws apply if there is a legal dispute.
The governing law is that of the State of Washington, U.S.; however, the parties have the ability to bring proceedings in the following locations:
• If Microsoft brings the action, the jurisdiction will be where our contracting entity is
located;
• If we bring the action, the jurisdiction will be the state of Washington; and
• Both parties can seek injunctive relief with respect to a violation of intellectual property
rights or confidentiality obligations in any appropriate jurisdiction.