Wherever apps consume and store Microsoft 365 data, there is a risk of data compromise if a threat actor compromises the app environment. To reduce this risk, ISVs should only retain the data necessary for service delivery and avoid keeping data that might be useful in the future.  

Data should be retained only for the duration needed to provide the services intended. Data retention policies should be clearly defined and communicated to users. Once data surpasses the defined retention period, it must be securely deleted to ensure that it cannot be reconstructed or recovered. 

For ISVs, a documented retention policy is crucial for meeting legal obligations like GDPR and the Data Protection Act, and for limiting organizational risk. By knowing how long data is needed, organizations can dispose of it when it’s no longer useful, reducing exposure in case of data breach. Storing unnecessary data increases risk. 

Microsoft 365 Certification confirms that app developers have a documented data backup policy that defines the frequency, scope, and location of data backups, and that they implement mechanisms to verify the integrity and availability of the backups. Ensuring a documented data retention period is in place for all relevant data types, specifying storage durations and procedures for deletion or archiving after expiration. ISVs may use features such as Azure Backup, Azure SQL Database automated backups, and Azure Storage accounts to back up data in Microsoft 365 services. 

Certification validates that app developers have established data disposal practices for secure deletion or destruction of data. Implementing mechanisms to ensure the thoroughness and irreversibility of the disposal process. For instance, ISVs may utilize features such as shred storage, hard delete, and purge to manage data disposal within Microsoft 365 services. 

Auditors will verify that an automated backup system is established and configured to perform backups at designated times. That backup information is tested in accordance with the backup scheduling procedure and restored periodically to ensure the reliability and integrity of the data. Appropriate access controls and protection mechanisms, such as immutable backups, should be implemented to secure backups and system snapshots against unauthorized access, thereby maintaining the confidentiality, integrity, and availability of the backup data. 

This control set is partially automated using ACAT, the App Compliance Automation Tool. ACAT is a service within the Azure portal designed to ease the path to compliance for applications using Microsoft 365 customer data and published through Partner Center. ACAT also allows continuous compliance monitoring with customized daily reports. 

Next steps 

To learn how Microsoft 365 Certification validates that your application uses the most up to date data retention, disposal, and backup practices, visit the Microsoft 365 Certification control evidence requirements.  

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.