Information Security Policy for Microsoft Subprocessor Engagements
This policy is designed to demonstrate SOUTHWORKS’ commitment to complying with Microsoft’s data protection requirements when acting as a “Subprocessor,” defined as a third party engaged by Microsoft to perform services where the processing of Microsoft Personal Data is involved. This policy outlines the specific measures that SOUTHWORKS will implement to safeguard Microsoft Personal Data and to meet its regulatory and contractual obligations under the relevant privacy laws and standards.
This Information Security Policy applies to all SOUTHWORKS personnel, processes, and systems involved in handling Microsoft Personal Data under Subprocessor engagements with Microsoft. The policy is subject to an annual review and update cycle, or more frequently as required by changes in regulatory requirements, industry standards, or contractual obligations. Responsibility for enforcing this policy lies with the SOUTHWORKS Chief Technology Officer, who will coordinate with Microsoft to ensure compliance with all relevant data protection requirements.
Definitions
Subprocessor: As defined by Microsoft’s Supplier Security and Privacy Assurance (SSPA), a Subprocessor is a third party that Microsoft engages to perform services, where this performance includes the processing of Microsoft Personal Data for which Microsoft is a Processor. SOUTHWORKS, when engaged by Microsoft to handle Microsoft Personal Data under specific processing agreements, acts as a Subprocessor.
Personal Data: Also defined by Microsoft’s SSPA, Personal Data refers to any information relating to a Data Subject and any other information that constitutes “personal data” or “personal information” under applicable law. For SOUTHWORKS, this includes all information processed in connection with Microsoft engagements that can directly or indirectly identify an individual.
Data Protection Agreements and Compliance
Establishment of Data Protection Agreements
SOUTHWORKS shall ensure that all engagements where it acts as a Subprocessor for Microsoft are governed by comprehensive data protection agreements. These agreements will outline SOUTHWORKS’ obligations concerning the collection, processing, storage, and transfer of Microsoft Personal Data, adhering to Microsoft’s standards and applicable data privacy laws, including the GDPR.
Business Associate Agreements for PHI
In cases where SOUTHWORKS’ engagements involve the processing of Protected Health Information (PHI) on behalf of Microsoft, SOUTHWORKS will enter into a Business Associate Agreement (BAA) with Microsoft to address the legal and regulatory requirements specific to PHI, ensuring full compliance with HIPAA and other health data protection regulations.
Processing Instructions and Cross-Border Data Transfers
Compliance with Microsoft’s Documented Instructions
SOUTHWORKS shall process Microsoft Personal Data strictly according to Microsoft’s documented instructions. This includes adhering to Microsoft’s guidelines for any transfers of Microsoft Personal Data to a third country or international organization. SOUTHWORKS will not transfer Microsoft Personal Data across borders unless directed by Microsoft or required by law.
Notification of Legal Requirements
If SOUTHWORKS is required by law to process Microsoft Personal Data in a manner outside Microsoft’s instructions, SOUTHWORKS will notify Microsoft of that legal requirement before carrying out the processing, unless the law in question prohibits such notification on important grounds of public interest.
Data Collection and Privacy Notice
Use of Microsoft Privacy Statement for Data Collection
When collecting Microsoft Personal Data, SOUTHWORKS will prominently display the Microsoft Privacy Statement, ensuring Data Subjects are clearly informed about how their data will be processed. The privacy notice will be presented in a manner that is visible, accessible, and comprehensive, allowing Data Subjects to make informed decisions about providing their data.
Supporting Microsoft with Data Subject Rights
SOUTHWORKS will implement the technical and organizational measures required to assist Microsoft in fulfilling Data Subject Rights requests, such as those related to data access, correction, or deletion, as mandated under GDPR and other applicable data privacy laws.
Referral of Data Subject Requests
Should a Data Subject contact SOUTHWORKS directly regarding their rights, SOUTHWORKS will, unless instructed otherwise by Microsoft, direct the Data Subject to Microsoft for handling of such requests, ensuring that Microsoft maintains control over Data Subject interactions.
Documentation of Data Subject Rights Requests
SOUTHWORKS will maintain accurate records of all Data Subject Rights requests received, including the date, time, and nature of the request, as well as the specific actions taken in response. These records will be provided to Microsoft upon request to demonstrate compliance.
Data Accuracy and Integrity
Ensuring the Integrity and Accuracy of Microsoft Personal Data
SOUTHWORKS shall maintain the integrity of all Microsoft Personal Data, ensuring it remains accurate, complete, and relevant to the specific purposes for which it was originally collected and processed. Regular data accuracy reviews will be conducted to verify and update stored data as necessary.
Formalized Complaint Handling Process
Implementation of a Complaint Response Process
SOUTHWORKS will establish a formal, documented process for handling data protection complaints related to Microsoft Personal Data. This process will enable SOUTHWORKS to receive, document, investigate, and resolve complaints efficiently and in coordination with Microsoft as necessary.
Business Continuity and Disaster Recovery
Business Continuity and Disaster Recovery Planning and Testing
SOUTHWORKS is committed to maintaining robust business continuity and disaster recovery (BCDR) plans to protect the security and availability of Microsoft Personal Data. These plans will include regular testing and updates to ensure rapid recovery of critical systems and data in the event of an incident affecting SOUTHWORKS’ ability to process Microsoft Personal Data.
Data Protection in Transit and at Rest
Encryption of Microsoft Personal Data in Transit
To safeguard Microsoft Personal Data transmitted across networks, SOUTHWORKS will use Transport Layer Security (TLS) or Internet Protocol Security (IPsec), configured in accordance with NIST SP 800-52 (selection, configuration, and use of TLS implementations, which requires TLS 1.2 or later) and NIST SP 800-57 (key management). SOUTHWORKS will reject any delivery of Microsoft Personal or Confidential Data transmitted through unencrypted means, including unencrypted email attachments and plaintext file transfer protocols.
Encryption of Microsoft Personal Data at Rest
SOUTHWORKS will employ current industry-standard encryption methods, as described in NIST SP 800-111 (storage encryption technologies), to secure Microsoft Personal and Confidential Data at rest. Encryption will be applied across all systems and storage media holding Microsoft data, ensuring its security throughout the data lifecycle.
Handling of Data Subject Requests
Denial of Data Subject Requests and Provision of Explanations
In instances where a Data Subject request cannot be fulfilled, SOUTHWORKS will provide a clear written explanation to the Data Subject as directed by Microsoft, maintaining transparency and accountability in interactions with Data Subjects.
Record Keeping for Data Subject Requests
SOUTHWORKS will retain comprehensive records related to Data Subject requests and responses, allowing Microsoft access to these records upon request to facilitate auditing and compliance reporting.
The Information Security Policy for Microsoft Subprocessor Engagements discussed herein may be amended from time to time.