{"id":23981,"date":"2025-03-27T07:30:23","date_gmt":"2025-03-27T14:30:23","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/?p=23981"},"modified":"2025-03-26T09:07:31","modified_gmt":"2025-03-26T16:07:31","slug":"microsoft-365-certification-control-spotlight-data-retention-back-up-and-disposal","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/microsoft-365-certification-control-spotlight-data-retention-back-up-and-disposal\/","title":{"rendered":"Microsoft 365 Certification control spotlight: Data retention, back-up, and disposal"},"content":{"rendered":"<p><span data-contrast=\"auto\">Wherever apps consume and store Microsoft 365 data, there is a risk of data compromise if a threat actor compromises the app environment. To reduce this risk, ISVs should only retain the data necessary for<\/span> <span data-contrast=\"auto\">service delivery and avoid keeping data that might be useful in the future.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Data should be retained only for the duration needed to provide the services intended. Data retention policies should be clearly defined and communicated to users. Once data surpasses the defined retention period, it must be securely deleted to ensure that it cannot be reconstructed or recovered.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">For ISVs, a documented retention policy is crucial for meeting legal obligations like GDPR and the Data Protection Act, and for limiting organizational risk. By knowing how long data is needed, organizations can dispose of it when it&#8217;s no longer useful, reducing exposure in case of data breach. 
Storing unnecessary data increases risk.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Microsoft 365 Certification confirms that app developers have a documented data backup policy that defines the frequency, scope, and location of data backups, and that they implement mechanisms to verify the integrity and availability of the backups. It also confirms that a documented data retention period is in place for all relevant data types, specifying storage durations and procedures for deletion or archiving after expiration. ISVs may use features such as Azure Backup, Azure SQL Database automated backups, and Azure Storage accounts to back up data in Microsoft 365 services.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Certification validates that app developers have established data disposal practices for secure deletion or destruction of data, and that they implement mechanisms to ensure the thoroughness and irreversibility of the disposal process. For instance, ISVs may utilize features such as shred storage, hard delete, and purge to manage data disposal within Microsoft 365 services.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Auditors will verify that an automated backup system is established and configured to perform backups at designated times. They will also verify that backup information is tested in accordance with the backup scheduling procedure and restored periodically to ensure the reliability and integrity of the data. 
Appropriate access controls and protection mechanisms, such as immutable backups, should be implemented to secure backups and system snapshots against unauthorized access, thereby maintaining the confidentiality, integrity, and availability of the backup data.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">This control set is partially automated using <\/span><a href=\"https:\/\/learn.microsoft.com\/microsoft-365-app-certification\/docs\/acat-overview\"><span data-contrast=\"none\">ACAT<\/span><\/a><span data-contrast=\"none\">, the App Compliance Automation Tool. ACAT is a service within the Azure portal designed to ease the path to compliance for applications using Microsoft 365 customer data and published through Partner Center. ACAT also allows continuous compliance monitoring with customized daily reports.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Next steps<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">To learn how Microsoft 365 Certification validates that your application uses the most up-to-date data retention, disposal, and backup practices, visit the Microsoft 365 Certification control <\/span><a href=\"https:\/\/learn.microsoft.com\/microsoft-365-app-certification\/docs\/seg2_data#data-retention-back-up-and-disposal\"><span data-contrast=\"none\">evidence requirements<\/span><\/a><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">To start certification, go to the Microsoft Partner Center <\/span><a href=\"https:\/\/partner.microsoft.com\/dashboard\/\"><span data-contrast=\"none\">dashboard<\/span><\/a><span data-contrast=\"auto\">, select an app from <\/span><b><span data-contrast=\"auto\">Marketplace offers<\/span><\/b><span 
data-contrast=\"auto\"> overview, and select <\/span><b><span data-contrast=\"auto\">App Compliance<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how Microsoft 365 Certification validates data retention, back-up, and disposal controls for Microsoft 365 apps.<\/p>\n","protected":false},"author":69097,"featured_media":23983,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[193,192,29,30,202],"class_list":["post-23981","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-365-developer","tag-acat","tag-app-compliance-automation-tool","tag-microsoft-365-app-compliance-program","tag-microsoft-365-certification","tag-security"],"acf":[],"blog_post_summary":"<p>Learn how Microsoft 365 Certification validates data retention, back-up, and disposal controls for Microsoft 365 
apps.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/23981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69097"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=23981"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/23981\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/23983"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=23981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=23981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=23981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}