Privacy and Security Terms

Scope
The terms in this privacy policy apply only to Visual Studio App Center Test as an Online Service. For all other features of Visual Studio App Center, the Microsoft Privacy Statement applies.

Use of Customer Data
Customer may not use Visual Studio App Center Test to store or process Personal Data. Customer Data will be used only to provide Customer the Online Service including purposes compatible with providing such service. Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Service to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.

Use of Support Data
Support Data will be used only to provide Customer with support, including purposes compatible with providing support, such as troubleshooting recurring issues and improvements to support or to the Online Service. Microsoft will not use Support Data or derive information from it for advertising or similar commercial purposes without Customer’s permission. As between the parties, Customer retains all right, title and interest in and to Support Data. Microsoft acquires no rights in Support Data, other than the rights Customer grants to Microsoft to provide support to Customer. This paragraph does not affect Microsoft’s rights in software or services Microsoft licenses to Customer.

Disclosure of Customer Data and Support Data
Microsoft will not disclose Customer Data or Support Data outside of Microsoft or its controlled subsidiaries and affiliates except (1) as Customer directs, (2) as described in the OST, or (3) as required by law.
Microsoft will not disclose Customer Data or Support Data to law enforcement unless required by law. If law enforcement contacts Microsoft with a demand for Customer Data or Support Data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Customer Data or Support Data to law enforcement, Microsoft will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.
Upon receipt of any other third party request for Customer Data or Support Data, Microsoft will promptly notify Customer unless prohibited by law. Microsoft will reject the request unless required by law to comply. If the request is valid, Microsoft will attempt to redirect the third party to request the data directly from Customer.
Microsoft will not provide any third party: (a) direct, indirect, blanket or unfettered access to Customer Data or Support Data; (b) platform encryption keys used to secure Customer Data or the ability to break such encryption; or (c) access to Customer Data or Support Data if Microsoft is aware that the data is to be used for purposes other than those stated in the third party’s request.
In support of the above, Microsoft may provide Customer’s basic contact information to the third party.

Educational Institutions
If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA) apply, Microsoft acknowledges that for the purposes of the OST, Microsoft is a “school official” with “legitimate educational interests” in the Customer Data and Support Data, as those terms have been defined under FERPA and its implementing regulations, and Microsoft agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials.
Customer understands that Microsoft may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any parental consent for any end user’s use of the Online Service that may be required by applicable law and to convey notification on behalf of Microsoft to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data or Support Data in Microsoft’s possession as may be required under applicable law.

HIPAA Business Associate
If Customer is a “covered entity” or a “business associate” and includes “protected health information” in Customer Data as those terms are defined in 45 CFR § 160.103, execution of Customer’s volume licensing agreement includes execution of the HIPAA Business Associate Agreement (“BAA”), the full text of which identifies the Online Services to which it applies and is available at http://aka.ms/BAA. Customer may opt out of the BAA by sending the following information to Microsoft in a written notice (under the terms of the Customer’s volume licensing agreement):
(a) the full legal name of the Customer and any Affiliate that is opting out;
(b) if Customer has multiple volume licensing agreements, the volume licensing agreement to which the opt out applies.

Security
Microsoft is committed to helping protect the security of Customer’s information. Microsoft has implemented and will maintain and follow appropriate technical and organizational measures intended to protect Customer Data and Support Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.

Security Incident Notification
If Microsoft becomes aware of any unlawful access to any Customer Data or Support Data stored on Microsoft’s equipment or in Microsoft’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Customer Data or Support Data (each a “Security Incident”), Microsoft will promptly (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means Microsoft selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable Online Services portal. Microsoft’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Microsoft of any fault or liability with respect to the Security Incident.
Customer must notify Microsoft promptly about any possible misuse of its accounts or authentication credentials or any security incident related to an Online Service.

Location of Data Processing
Except as described elsewhere in the OST, Customer Data and Support Data that Microsoft processes on Customer’s behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its affiliates or subcontractors maintain facilities. Customer appoints Microsoft to perform any such transfer of Customer Data and Support Data to any such country and to store and process Customer Data and Support Data in order to provide the Online Service.

Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. Upon the start of enforcement of the GDPR, Microsoft will ensure that transfers of Personal Data to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR and that such transfers and safeguards are documented according to Article 30(2) of the GDPR. In addition to Microsoft’s commitments under applicable model contracts, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify Customer in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles. Notwithstanding anything to the contrary herein, in connection with Visual Studio App Center Test, Microsoft is not bound by the Data Processing Terms or Standard Contractual Clauses.

Preview Releases
Microsoft may offer preview, beta or other pre-release features, data center locations, and services (“Previews”) for optional evaluation. Unless otherwise provided, (i) Previews employ lesser or different privacy and security measures than those typically present in the Online Services, (ii) Previews are not included in the SLA for the corresponding Online Service, and (iii) Customer should not use Previews to process Personal Data or other data that is subject to heightened compliance requirements.

Use of Subcontractors
Microsoft may hire subcontractors to provide services on its behalf. Any such subcontractors will be permitted to obtain Customer Data and Support Data only to deliver the services Microsoft has retained them to provide and will be prohibited from using Customer Data and Support Data for any other purpose. Microsoft remains responsible for its subcontractors’ compliance with Microsoft’s obligations in the OST. Customer has previously consented to Microsoft’s transfer of Customer Data and Support Data to subcontractors as described in the OST.

How to Contact Microsoft
If Customer believes that Microsoft is not adhering to its privacy or security commitments, Customer may contact customer support or use Microsoft’s Privacy web form, located at http://go.microsoft.com/?linkid=9846224. Microsoft’s mailing address is:
Microsoft Enterprise Service Privacy
Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052 USA

Microsoft Ireland Operations Limited is Microsoft’s data protection representative for the European Economic Area and Switzerland. The privacy representative of Microsoft Ireland Operations Limited can be reached at the following address:
Microsoft Ireland Operations, Ltd.
Attn: Data Protection
Carmenhall Road
Sandyford, Dublin 18, Ireland

Attachment 1 – European Union General Data Protection Regulation Terms

A. Definitions

Terms used but not defined in these GDPR Terms, such as “personal data breach”, “processing”, “controller”, “processor” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR.

The following definition is also used in these GDPR Terms:

“Subprocessors” means the other processors that are used by Microsoft to process Personal Data.

B. Roles and Scope

1. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on behalf of Customer.
2. For purposes of these GDPR Terms, Customer and Microsoft agree that Customer is the controller of Customer Personal Data and Microsoft is the processor of such data, except when Customer acts as a processor of Personal Data, in which case Microsoft is a subprocessor.
3. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to Customer in the OST or other agreement between Microsoft and Customer.
4. These GDPR Terms do not apply where Microsoft is a controller of Personal Data.

C. Relevant GDPR Obligations: Articles 28, 32, and 33

1. Microsoft shall not engage another processor without prior specific or general written authorisation of Customer. In the case of general written authorisation, Microsoft shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. (Article 28(2))
2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and is binding on Microsoft with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in the Customer’s volume licensing agreement, including these GDPR Terms. In particular, Microsoft shall:
(a) process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required pursuant to Article 32 of the GDPR;
(d) respect the conditions referred to in paragraphs 2 and 3 for engaging another processor;
(e) taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;
(g) at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
(h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Microsoft shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
3. Where Microsoft engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to the Customer for the performance of that other processor’s obligations. (Article 28(4))
4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Microsoft shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Article 32(1))
5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
6. Customer and Microsoft shall take steps to ensure that any natural person acting under the authority of Customer or Microsoft who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4))
7. Microsoft shall notify Customer without undue delay after becoming aware of a personal data breach. (Article 33(2)) Such notice will, at a minimum,
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact where more information can be obtained;
(c) describe the likely consequences of the personal data breach; and
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. (Article 33(3))

Appendix 1 – Additional GDPR Terms

A. Subprocessors

1. Customer consents to Microsoft engaging Subprocessors for the processing of Personal Data in accordance with these GDPR Terms.
2. Microsoft will ensure that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required of Microsoft by these GDPR Terms.
3. A list of Microsoft’s current Subprocessors is available at: https://aka.ms/Online_Serv_Subcontractor_List (such URL may be updated by Microsoft from time to time). At least 14 days before authorizing any new Subprocessor to access Personal Data, Microsoft will update the website and provide Customer with a mechanism to obtain notice of that update. Where Microsoft is a processor (and not a subprocessor), the following terms apply:
(a) If Customer does not approve of a new Subprocessor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the notice period, written notice of termination that includes an explanation of the grounds for non-approval.
(b) If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite.
(c) After termination, Microsoft will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.

B. Assisting Customer Response to Requests from Data Subjects

1. Microsoft will make available to Customer the Personal Data of its data subjects and the ability to fulfill data subject requests to exercise one or more of their rights under the GDPR in a manner consistent with the functionality of the Product and Microsoft’s role as a processor. Microsoft shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.
2. If Microsoft receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR, Microsoft will redirect the data subject to make its request directly to Customer.

C. Processing of Personal Data

1. Customer’s volume licensing agreement (including these GDPR Terms), along with Customer’s use and configuration of features in the Product, are Customer’s complete and final instructions to Microsoft for the processing of Personal Data.
2. Microsoft may also transfer Personal Data if required by applicable law.
3. Microsoft will ensure that its personnel engaged in the processing of Personal Data (i) will process Personal Data only on instructions from Customer, unless required to do so by Union, Member State, or other applicable law and (ii) have committed to maintain the confidentiality of any Personal Data even after their engagement ends.
4. The subject-matter of the processing is limited to Personal Data within the scope of the GDPR, and the duration of the processing shall be for the duration of the Customer’s right to use the Product or the Customer’s Professional Services engagement. The nature and purpose of the processing shall be to provide the Product or Professional Services pursuant to Customer’s volume licensing agreement. The types of Personal Data processed by the Product or Professional Services include those expressly identified in Article 4 of the GDPR as well as other Personal Data submitted by Customer to the Product or through the Professional Services engagement. The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers.
5. On expiration or termination of Customer’s right to use the Product or the conclusion of Customer’s Professional Services engagement, Microsoft shall delete or return Personal Data in accordance with the terms and timelines for each of the Online Services set forth in the applicable OST, for each Product as identified in the Product documentation, and for Professional Services as stated in the applicable engagement terms, unless Union, Member State, or other applicable law requires storage of the Personal Data.

D. Security

Microsoft shall (i) maintain security practices and policies for the protection of Personal Data as set forth in the written data security policy (that policy an “Information Security Policy”) for each Product and for Professional Services, and (ii) subject to non-disclosure obligations, make the Information Security Policy available to Customer, along with descriptions of the security controls in place for the Product or Professional Services and other information reasonably requested by Customer regarding Microsoft security practices and policies.

E. Personal Data Breach

Microsoft shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation to notify the relevant supervisory authority and data subjects of a personal data breach under Articles 33 and 34 of the GDPR.

F. Records of Processing Activities

Microsoft shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request.

G. Modification, Supplementation, and Term

1. Microsoft may modify or supplement these GDPR Terms, with notice to Customer, (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with applicable law, (iii) to implement standard contractual clauses laid down by the European Commission or (iv) to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40, 42 and 43 of the GDPR.
2. Without prejudice to these GDPR Terms, Microsoft may from time to time provide additional information and detail about how it will execute these GDPR Terms in its Product-specific technical, privacy, or policy documentation.
3. These GDPR Terms become effective upon the later of (a) the start of enforcement of the GDPR or (b) Customer’s use of a Product or Microsoft’s provision of Professional Services for which Microsoft is a processor or subprocessor.