Legal considerations FAQ

This article provides answers to frequently asked questions (FAQ) about legal considerations in Microsoft Dynamics 365 Fraud Protection.

How does Fraud Protection ensure that it doesn't collect data from users who are under the minimum age that is legally allowed in connection with data profiling and collection?

It's the responsibility of the merchant to ensure that the data that is collected is legally valid in each jurisdiction (for example, as required by the Children's Online Privacy Protection Act [COPPA] in the United States).

Is Fraud Protection staff required to sign confidentiality or non-disclosure agreements?

Yes.

Are customers notified when Fraud Protection makes material changes to information security and/or privacy policies?

Yes. Fraud Protection will notify customers if there are changes to policies that aren't reflected in Microsoft or Dynamics communications. However, Fraud Protection tries to closely follow policies that are set by Microsoft and Dynamics, and those policies are communicated via the Service Trust Portal.

For more information about Dynamics 365 security, see the Microsoft Trust Center.

For information about Microsoft's new European Union (EU) privacy campaign (Schrems II) and commitments, see New steps to defend your data.

For information about Fraud Protection and Microsoft's EU Data Boundary commitment, refer to the EU Data Boundary exceptions for Fraud Protection article.

For information about how Microsoft handles government requests, see the US National Security Order Report and the Law Enforcement Requests Report.

Does Fraud Protection support litigation holds (freezes of data from a specific point in time) for a specific tenant without freezing other tenant data?

When a party is in litigation, Microsoft (at an organizational level) can isolate data by taking a snapshot of the data and securing it separately, so that it will be "untouched." Fraud Protection can do a full backup as a snapshot. However, it doesn't provide this functionality as a self-service service, because it isn't expected to function as a system of record for customers.

Yes.

For information about Microsoft's data subprocessors, see the Microsoft Cloud Services Subprocessors List.

Additional resources

Service FAQ

Privacy and security FAQ

Data residency FAQ

Compliance FAQ

EU Data Boundary exceptions for Fraud Protection