Data residency and compliance in Dynamics 365
Where Dynamics 365 data lives, how compliance certifications stack up, GDPR and country-specific rules, and the customer's responsibilities.
For most Dynamics 365 customers, compliance is non-negotiable: GDPR, country-specific data-protection laws, industry-specific regulations (HIPAA, FINRA), standards such as ISO 27001, and contractual obligations to their own customers. Microsoft has invested heavily in compliance certifications and data residency controls, but the platform only certifies what Microsoft operates; using those controls well is a customer responsibility, not something the subscription delivers automatically.
Data residency. Dynamics 365 SaaS environments are pinned to a region at creation time (Europe, North America, Asia Pacific, UK, and so on) and cannot be moved afterwards without a Microsoft-assisted migration. Customer data stored in Dataverse, Business Central, and Finance/SCM lives in Microsoft data centres in that region. Microsoft does not move customer data between regions for operational reasons; the specific cross-region situations that do exist (disaster recovery between paired regions) are documented. Two practical checks: record each environment's region in the tenant inventory and compare it with the residency requirement of the data it holds, and review the Power Platform admin centre setting that governs cross-region data movement for generative AI and search features, since some of these may process data outside the environment's geography unless that setting is restricted.
For customers with stricter requirements:
- Sovereign clouds. Microsoft operates dedicated sovereign clouds: Microsoft Cloud for US Government (GCC, GCC High, DoD) and Microsoft Cloud for China (operated by 21Vianet). The former Microsoft Cloud Deutschland has been retired; German customers are now served from the standard Germany regions of the public cloud. Sovereign clouds offer stronger residency guarantees, separate operational personnel, and often slower feature rollouts. Customers must qualify for these clouds; eligibility is validated before onboarding.
- Customer-managed encryption keys and Customer Lockbox. These are two separate controls. With a customer-managed key, the encryption key for an environment's Dataverse data is held in the customer's Azure Key Vault, so the customer can rotate or revoke it. Customer Lockbox governs human access: Microsoft engineers cannot access customer data without a customer-approved access request, which is logged and can be revoked. Neither control changes where the data is stored; both change who can use it.
Microsoft compliance certifications. Microsoft publishes audit reports and certifications on the Service Trust Portal (servicetrust.microsoft.com). Each report names the services in scope, so confirm that the specific Dynamics 365 service you rely on is listed rather than assuming tenant-wide coverage. Most Dynamics 365 services are in scope for:
- ISO 27001 / 27017 / 27018 — security and cloud-data-protection management standards.
- SOC 1 Type 2 / SOC 2 Type 2 / SOC 3 — operational controls audits.
- GDPR — EU General Data Protection Regulation. This is a regulation rather than a certification; Microsoft documents its commitments as a processor in its Data Protection Addendum, and the customer remains the controller.
- HIPAA / HITECH — US healthcare data (with Business Associate Agreement signed).
- FedRAMP High — US federal authorisation.
- PCI-DSS — payment card data (only for the specific services that handle cards).
- ISO 22301 — business continuity.
- Many country-specific certifications (Japan FISC, Korea K-FSI, EU EBA, etc.).
The customer's responsibility. Microsoft certifies the platform; the customer is responsible for the configuration that uses it compliantly. Compliance issues most often arise from:
- Misconfigured access — a Power Pages portal whose table permissions expose more rows or columns than the public should see; a security role with organisation-level read on tables that should be business-unit scoped.
- Cross-region transfers — exporting Dataverse data to an unmanaged Excel file, or to a Power BI workspace whose capacity sits in a different region.
- Connector usage — flows that send EU personal data to a non-EU SaaS service. The control is a Power Platform data loss prevention (DLP) policy: a flow can only combine connectors that the policy places in the same group, so Dataverse and an external SaaS connector must not share a group in environments that hold personal data.
- Custom code — plug-ins or AL extensions that write or move data outside the paths covered by standard logging and audit.
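The residency and connector failure modes above are checkable from a tenant inventory rather than by inspection. The script below is an added example, not code from this page or from Microsoft. It audits a constructed inventory whose records mirror the shape of what the Power Platform admin PowerShell cmdlets Get-AdminPowerAppEnvironment and Get-DlpPolicy return; the field names, connector ids, environment names and the approved-region set are assumptions for the example, not a live export. It flags environments outside the approved regions, environments with no DLP coverage at all, and environments where every applicable DLP policy lets Dataverse and an external SaaS connector sit in the same group, which is the condition under which a flow can copy personal data out.

```python
"""Audit a Dynamics 365 / Power Platform inventory for residency and DLP gaps.

Inventory below is constructed for this example. It mirrors the shape of the
objects returned by Get-AdminPowerAppEnvironment and Get-DlpPolicy, but the
field names, connector ids and values are assumptions, not a live export.
"""

# Residency policy from the compliance register (assumed for the example).
APPROVED_REGIONS = {"europe", "unitedkingdom"}

# Dataverse connector id, and connectors treated as third-party SaaS sinks.
# Which connectors count as external is a policy decision; these are assumed.
DATAVERSE = "shared_commondataserviceforapps"
EXTERNAL_SAAS = ["shared_salesforce", "shared_dropbox", "shared_gmail"]

ENVIRONMENTS = [  # constructed
    {"EnvironmentName": "env-prod-eu", "DisplayName": "Sales production", "Location": "europe"},
    {"EnvironmentName": "env-dev-us", "DisplayName": "Dev sandbox", "Location": "unitedstates"},
    {"EnvironmentName": "env-hr-uk", "DisplayName": "HR", "Location": "unitedkingdom"},
    {"EnvironmentName": "env-trial-eu", "DisplayName": "Trial", "Location": "europe"},
]

DLP_POLICIES = [  # constructed
    {
        "displayName": "EU baseline",
        # Applies everywhere except the two listed environments.
        "environmentType": "ExceptEnvironments",
        "environments": [{"name": "env-hr-uk"}, {"name": "env-trial-eu"}],
        # Unlisted connectors fall into this group; Blocked is the safe default.
        "defaultConnectorsClassification": "Blocked",
        "connectorGroups": [
            {"classification": "General",
             "connectors": [{"name": DATAVERSE}, {"name": "shared_office365"}]},
            {"classification": "Confidential", "connectors": []},
            {"classification": "Blocked", "connectors": [{"name": "shared_dropbox"}]},
        ],
    },
    {
        "displayName": "HR exception",
        "environmentType": "OnlyEnvironments",
        "environments": [{"name": "env-hr-uk"}],
        "defaultConnectorsClassification": "Blocked",
        "connectorGroups": [
            # Dataverse and Salesforce in one group: a flow may copy between them.
            {"classification": "General",
             "connectors": [{"name": DATAVERSE}, {"name": "shared_salesforce"}]},
        ],
    },
]


def policies_for(env_name, policies):
    """Return the DLP policies whose environment scope includes env_name."""
    applicable = []
    for p in policies:
        scoped = {e["name"] for e in p.get("environments", [])}
        kind = p["environmentType"]
        if (kind == "AllEnvironments"
                or (kind == "OnlyEnvironments" and env_name in scoped)
                or (kind == "ExceptEnvironments" and env_name not in scoped)):
            applicable.append(p)
    return applicable


def classification(policy, connector):
    """Group a connector lands in under one policy; unlisted ones take the default."""
    for group in policy["connectorGroups"]:
        if any(c["name"] == connector for c in group["connectors"]):
            return group["classification"]
    return policy.get("defaultConnectorsClassification", "General")


def pair_allowed(policies, a, b):
    """A flow may use a and b together only if every applicable policy puts them
    in the same group and that group is not Blocked. With no policies, anything goes."""
    for p in policies:
        ca, cb = classification(p, a), classification(p, b)
        if ca == "Blocked" or cb == "Blocked" or ca != cb:
            return False
    return True


def audit(environments, policies, approved_regions, external_saas, dataverse):
    """Return (environment, category, detail) findings for the compliance register."""
    findings = []
    for env in environments:
        name = env["EnvironmentName"]
        if env["Location"] not in approved_regions:
            findings.append((name, "residency",
                             f"region '{env['Location']}' is outside the approved set"))
        applicable = policies_for(name, policies)
        if not applicable:
            findings.append((name, "dlp", "no DLP policy applies; any connector pairing is possible"))
            continue
        for ext in external_saas:
            if pair_allowed(applicable, dataverse, ext):
                findings.append((name, "dlp", f"{dataverse} and {ext} may be used in the same flow"))
    return findings


if __name__ == "__main__":
    for env_name, category, detail in audit(ENVIRONMENTS, DLP_POLICIES,
                                            APPROVED_REGIONS, EXTERNAL_SAAS, DATAVERSE):
        print(f"{env_name}: [{category}] {detail}")
```

On the constructed data the production environment comes out clean because the baseline policy's default classification is Blocked, so connectors nobody thought to list cannot be paired with Dataverse; the HR environment is flagged because its exception policy is the only one that applies to it and it puts Salesforce alongside Dataverse; the trial environment is flagged because the baseline excludes it and nothing else covers it. That last case is the common real-world gap: exclusions added for one project quietly leave an environment with no DLP at all.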
GDPR considerations. GDPR-specific operational requirements include:
- Right to access — data subjects can request a copy of all personal data held about them; Dynamics 365 has data-subject-rights export tools, but the customer must know which tables, attachments and audit logs hold personal data in order to produce a complete response.
- Right to erasure — data subjects can request deletion; the platform has bulk-delete jobs and per-record purge for personal data, with the caveat that some records (financial transactions, for example) cannot be deleted for statutory retention reasons and must instead be handled by anonymisation or restricted access, with the justification recorded.
- Data Processing Agreement — Microsoft's standard DPA covers Microsoft's role; customer-specific contractual addenda may apply.
- Privacy notices and consent — captured per contact, honoured per record.
Industry-specific. Pharma, financial services, government, defence each have additional requirements. Microsoft's compliance pages document specific industry packages and shared-responsibility models.
Audit support. When external auditors evaluate the customer's Dynamics 365 environment, Microsoft provides audit-support packages — SOC reports, ISO certificates, compliance attestations — that the customer's auditor can rely on. Customers complement these with their own configuration documentation.
Operating discipline. Maintain a compliance register for the tenant: applicable regulations, the configuration that addresses each, the Microsoft certifications relied on, the responsibilities retained by the customer, and the review schedule. Review it at least annually and whenever a regulation, the in-scope Microsoft services, or the tenant's environments and DLP policies change.
Related guides
- Data classification for Dynamics 365: How to classify data in Dynamics 365 to drive security, retention, and compliance decisions, covering classification tiers, where to record them, and the integration with Microsoft Purview.
- Backup strategy for Dynamics 365: What Microsoft backs up automatically vs what customers need to plan for, covering Dataverse, F&O, third-party backup tools, and the difference between backup and disaster recovery.
- Capacity planning for Dynamics 365: How to plan and monitor capacity in a Dynamics 365 tenant, covering Dataverse storage, API calls, AI Builder credits, environments, and the cost levers that matter.
- Disaster recovery and backups in Dynamics 365: How Microsoft handles backup and disaster recovery for Dynamics 365, covering point-in-time restore, regional pairing, RPO/RTO, and what customers should do on top.
- Documentation strategies for Dynamics 365 implementations: What to document, who reads it, and how to keep documentation current, covering functional design, runbooks, training materials, and the layered documentation model that actually works.