The concern on where the data resides goes with all Cloud solutions. The data storage as part of the agreement is at the discretion of the service provider (usually unless particularly called out). The data security requirement differs between regions and there is an array of regulations that apply to the data depending on the location of the subscriber and the industry that they belong to.
Regulations apply to particular type of data (e.g. HIPPA), so the data needs to be understood and segregated to apply required safeguard.
If your primary focus is where the data resides, then Microsoft provides data maps (vague but available) that’s shows the region where the data resides based on your subscription. It’s important that you specify the correct location in your subscription because data store is solely based on that. This also is the biggest drawback of Office 365. In scenarios where users in a single tenancy reside in multiple geography, the data is stored based on the location specified in the Office 365 setting (single location). This can lead to data compliance issues especially if a set of your users reside in EU due to the EU safe harbor clause. To overcome this you can choose a EU location and ensure that the data resides with EU thus complying with the norm but then the performance will be highly degraded for users in other region. This is one of the biggest data related drawback of Office 365
To quote from Microsoft website – Microsoft Office 365 supports the following where applicable and/or possible:
- ISO 27001 (International Organization for Standardization)
- FISMA (Federal Information Security Management Act)
- HIPAA, with Business Associate Agreement memorializing implementation of physical, technical and administrative safeguards, and breach notification requirements of ARRA/HITECH
- EU Safe Harbor
- EU Model Clauses
- Data Processing Agreement
You have to ensure that you sign the relevant contracts to ensure your subscription covers a particular compliance. You can get further details at http://office.microsoft.com/en-in/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx
Email data at rest is encrypted by default in Office 365 but other content (e.g.) SharePoint online content is not encrypted. Email encryption is also available with non-federated, enabling ad hoc encryption services with any recipient. For the other content, you can identify and set encryption using the Rights Management Service (RMS) in Office 365. Office 365 is very comprehensive when it comes to data security and compliance.