Recently one of my customers inquired about the ownership of CRM data. This leads us to an interesting fact, as it is not entirely clear for companies whether or not they loose ownership once they put their data in the “cloud”. Moreover, what if they want to quit using the services of Microsoft and stop their subscription? So lets ask 3 BIG questions:
- Who is the owner of the CRM online data?
- Is it possible to have back ups of the online data?
- Where is your online data saved?
Who is the owner of the CRM data?
According to the Microsoft Trust Center it is clear who is the owner:
You are the owner of your data. We do not mine your data for advertising. If you ever choose to terminate the service, you can take your data with you.
The legal document on the Trust Center of Microsoft Online Services confirms the ownership of the data.
It’s your data. You own the data you store and process with Microsoft® Office 365 and Dynamics 365. We use your data only to provide the services you want.
But it remains unclear to me what Microsoft means with “if you ever choose to terminate the service, you can take your data with you“. How is it possible to take your data out of a data center where it is saved multiple times? How can you be sure nothing of data stays behind? A lot of of unanswered questions rise up. But lets focus on some we can answer:
For which services does Microsoft use your data?
Microsoft admits using your data to provide certain services. But what kind of services are we talking about?
We use your data for just what you pay us for: to maintain and provide Office 365 and Dynamics 365. We make it our policy to not use your data for other purposes. While some data may be stored or processed on systems used for both consumer and business services, our business services are designed and operated separately from Microsoft consumer services. Microsoft does not scan emails or documents for advertising purposes. – Trust Center of Microsoft Online Services
So what kind of data are we talking about? Is this basic data like the name of a company? Email addresses of users? It seems Microsoft makes a distinction between customer data and content.
Customer Data is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the services. Customer Data does not include Administrator Data, Payment Data or operational information about the services. – Trust Center of Microsoft Online Services
Content is a subset of Customer Data. Content is generally considered confidential information, and in normal service operation, is not sent over the Internet without encryption. Content includes, for example, Exchange Online e-mail body and attachments, SharePoint Online site content (not URL) and file body, instant messaging conversation body and voice conversation, and CRM files containing data about your end customer interactions. – Trust Center of Microsoft Online Services
Is it possible to have back ups of the data?
So this is an easy one, everybody knows that if you put data in the cloud, it is saved forever! Or a least, back-upped in a data server. But is it possible for you to have a physical backup of your data? Since Dynamics CRM 2016 Update 1 you have multiple options for backing up and restoring your CRM Online (Production and Sandbox) instances. There are two types of backups: system backups and on demand backups.
About CRM Online system backups:
- All your instances are backed up.
- System backups occur daily.
- System backups are retained up to three days. Check your expiration date.
- System backups do not count against your storage limits.
- System backups are identified as created by System on the Manage backups page.
About CRM Online On demand backups:
- You can back up Production and Sandbox instances.
- You can only restore to a Sandbox instance. To restore to a Production instance, first switch it to a Sandbox instance.
- Only CRM Online 2016 Update 1 or later versions are supported for backup.
- On demand backups are retained for up to three days. Check your expiration date.
- On demand backups are identified as created by someone other than System and by the presence of Edit | Delete | Restore in the details section. System backups only have Restore.
Side question: Can you request a physical backup of your organization database?
So it took me a while to find out whether or not you can receive a physical copy of your CRM online database. This led me to several Dynamics CRM forum posts but eventually I stumbled upon this short message on TechNet:
To request a backup of your Microsoft Dynamics 365 (online) database contact Microsoft Customer Support Services for Microsoft Dynamics 365 (online).
Once you got the backup, how can you restore a Copy of the Microsoft Dynamics CRM Online SQL Database?
I found the following guide lines on the Developer Network of Microsoft:
The backup of your Microsoft Dynamics CRM Online SQL Server database must be restored by using a server running the same (or a newer) version of Microsoft SQL Server as is running in Microsoft’s data centers. At the time of this writing, Microsoft Dynamics CRM Online data centers are running SQL Server 2008.
Where is your data saved?
Microsoft created a nice interactive data maps which provides specific geographic details about where customer data is stored in Microsoft Office 365 and Microsoft Dynamics 365.
You can go to this interactive data map and select your region. For me in Europe, Belgium, I suspect my data is being saved in the data center in The Netherlands. Ofcourse, you can never be sure that your data is never back-upped somewhere else…
Side question: What if Microsoft would transfer my data to a data center outside the EU?
The data centers of Microsoft are regulated by the “European Union (EU) data protection law“. These laws regulate the transfer of EU customer personal data to countries outside the European Economic Area (EEA), which includes all EU countries and Iceland, Liechtenstein, and Norway.
There are however some clauses to this law:
The EU Model Clauses are standardized contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meet the requirements of the EU Data Protection Directive 95/46/EC.
For me, this kind of law text makes things just impossible to comprehend. One thing I wanted to point out is the following text in the text provided on the Microsoft Trust Center page:
On a practical level, compliance with EU data protection laws also means that customers need fewer approvals from individual authorities to transfer personal data outside of the EU, since most EU member states do not require additional authorization if the transfer is based on an agreement that complies with the Model Clauses.
So correct me if I’m wrong; but does this mean Microsoft can move data outside the European data center, as long as it complies with the Model Clauses without asking fewer (or none?) approvals from the company? I would really appreciate it if somebody could shed some more light on these kind of data-questions. So if you feel up to the task, feel free to add a comment and share your vision!