Azure Data Processor Agreement¶
Microsoft has Online Service Terms (OST) that govern Customer’s use of the Online Services and the Microsoft Online Services Data Protection Addendum (DPA) that sets forth the parties obligations with respect to the processing and security of Customer Data and Personal Data by the Online Services. In addition to the generic OST a set of online services have their own service specific OST. In the event of any conflict or inconsistency between the DPA and any other terms in Customer’s volume licensing agreement (including the Product Terms or the Online Services Terms), the DPA shall prevail.
When moving to Microsoft Azure risk assessment for your application must be updated. Beslutningsrapport - Avtale med Microsoft lists the risks related to NAVs use of the services available in Microsoft Azure regarding privacy/GDPR and information security in the overall platform.
NAV has, based on the Schrems II verdict that invalidated The EU-US Privacy Shield transfer mechanism, decided that all cloud services and all storage of data in cloud services shall take place in the EU / EEA. Apart from this, the DPA with Microsoft is still valid.
Other relevant documents: