Office 365 is a good fit for some folks. Not so good for others.
Like any decision concerning your company’s or customers’ data, you should know all the risks and caveats before making a decision. Here are some important details for you to consider.
As you may or may not know, I effectively prepare and negotiate hosting contracts and Service Level Agreements (SLAs) on a daily basis and have been doing so for over 15 years. I’ve seen some fantastic agreements from small companies and weak ones from Fortune 100s.
In the end, the fine print is critical and will always be what both parties stand behind. Nothing herein is based on conjecture or taken out of context. The following is all accurate, current information which you can verify in one click. Read for yourself and ask hard questions. You owe it to your company and customers.
Where does my data live?
I’ve gone back and forth on this topic with several Office 365 consultants, so I finally decided to put this in writing. Folks assume that since they pick the geographic area (country) of the data center where they want their data stored, it will remain in that data center and country. False.
The fact is, Microsoft says they can move your data to another Microsoft data center in another country without notifying you. Huh? Now that I have your attention, let’s continue. So while your data may start in the data center or country of your choice, it may end up in another and you won’t even know it happened.
In my experience with technology vendors, or vendors of any sort for that matter, when someone says they could do something you don’t want done and won’t tell you when they do it, that is a serious red flag and deal breaker.
So for those of you who have data sovereignty or compliance issues and need your data to unequivocally live in a certain location for its duration, Office 365 may not be the best choice for you.
Limitation of Liability
Microsoft has a relatively low ceiling of liability for anything that may happen to you while you’re an Office 365 customer. This could include things like loss of data, excessive downtime, data breach, etc. I had actually missed this one before doing research for this blog. If you are a partner and receive Office 365 for free, you are limited to just $5,000 in damages. If you pay for the service, you are limited to the last 12 months of service as a maximum value for damages. If your data is important and someone else is acting as custodian, there should be a reasonable liability umbrella just like folks doing financial audits. Here is a reality check – people make mistakes and machines break. If you’re in the business of storing others’ data, you may lose some of it at some point. That’s why you have Cyber and E&O insurance.
This is a no-go for me if I am storing anything on Office 365 that I can’t afford to lose and am not able to back up locally on a schedule that makes me comfortable.
For those of you with compliance or regulatory requirements, it’s important to know what your audit rights are when storing data with a Cloud provider like Office 365. In Microsoft’s case, you do not have any audit rights other than Microsoft providing evidence of their ISO, SSAE, PCI, HIPAA or Safe Harbor status. And while these standards are important, audits are fundamentally based on being able to go where the data lives and verify that it exists, that it is what you say it is and that it’s secure.
As a former auditor, this is a heavy black mark if I’m storing sensitive information with compliance or regulatory requirements whose failure to comply may result in significant penalties.
So, as always, whenever dealing with your company’s or your customers’ data, make sure you know all the ins and outs of the hosting provider you’re dealing with.