Data Protection Commitments and Online Services Terms
This webpage contains Infralegal’s Data Protection Commitments and the terms that apply to any Online Services that Infralegal provides to you.
Infralegal uses Microsoft 365 for Business Premium – one of Microsoft’s Online Services – to enable secure remote work, including to:
- Connect with clients and co-workers using Outlook and Exchange;
- Use, share and collaborate on Word, Excel and PowerPoint files; and
- Host online meetings, make calls, chat, share files and collaborate in real time with Microsoft Teams; and
- Store, access and share files in the cloud
Infralegal has chosen this solution for a variety of reasons including:
- Microsoft’s commitment ensure the Online Services are available of 99.9% of the time, which is financially backed by its Service Level Agreement; and
- Microsoft’s advanced cyberthreat protection and device management.
Data Protection Commitments
Infralegal’s obligations to you with respect to the processing and security of Customer Data and Personal Data that Infralegal obtains from you and provides to Microsoft, will correspond with the equivalent obligations that Microsoft owes to Infralegal.
Microsoft’s obligations to Infralegal with respect to the processing and security of Customer Data and Personal Data in connection with the Online Service are set forth in Microsoft’s Online Services Data Protection Addendum (DPA).
The DPA terms will apply as between you and Infralegal as if references in the DPA to “Microsoft” are to Infralegal, and all references to “Customer” are to you.
Accordingly, and subject to the more detailed terms set out in the DPA:
- Data ownership: As between you and Infralegal, you retain all right, title and interest in and to Customer Data. Infralegal acquires no rights in Customer Data, other than the rights you grant to Infralegal.
- Use of Data: Infralegal will use Customer Data and Personal Data only for Infralegal’s legimate business operations incident to delivery of Infralegal’s services to you. Infralegal will ensure that Microsoft uses Customer Data and Personal Data only to (a) provide Infralegal with the Online Services and (b) for Microsoft’s legitimate business operations incident to delivery of the Online Services to Infralegal.
- Prohibited uses: Infralegal will not use or otherwise process (and will ensure that Microsoft does not use or otherwise process) Customer Data or Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, or (c) market research aimed at creating new functionalities, services, or products or any other purpose, unless such use or processing is in accordance with your documented instructions.
- Disclosure of Data: Infralegal will not disclose or provide access to (and will ensure that Microsoft does not disclose or provide access to) any Customer Data, Personal Data or other data processed by Infralegal that is your confidential information except: (a) as you direct; (b) as described in the DPA; or (c) as required by law.
- Security measures: Infralegal will implement and maintain (and will ensure that Microsoft implements and maintains) appropriate technical and organizational measures to protect Customer Data and Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The measures maintained by Microsoft will comply with ISO 27001, ISO 27002 and ISO 27018 (unless it is no longer used in the industry and it is replaced with a successor (if any)).
- Data encryption: Customer Data (including any Personal Data therein) in transit over public networks (a) between you and Infralegal, (b) between Infralegal and Microsoft, or (c) between Microsoft data centers, is encrypted by default. Microsoft also encrypts Customer Data stored at rest in Online Services.
- Data access: Infralegal will employ (and will ensure that Microsoft employs) least privilege access mechanisms to control access to Customer Data (including any Personal Data therein).
- Your responsibilities: You are solely responsible for making an independent determination as to whether the technical and organizational measures for any service (including any Online Service) that Infralegal provides to you meet your requirements. You acknowledge and agree that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of your Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by Infralegal and Microsoft provide a level of security appropriate to the risk with respect to your Personal Data.
- Audits: Infralegal will ensure that Microsoft conducts audits of the security of the computers, computing environment and physical data centers that it uses in processing Customer Data and Personal Data, as set out in the DPA. Each audit will result in the generation of an audit report (“Microsoft Audit Report”), which Microsoft will make available at https://servicetrust.microsoft.com/ or another location identified by Microsoft. Infralegal will ensure that Microsoft promptly remediates issues raised in any Microsoft Audit Report to the satisfaction of the auditor.
- Security Incident notification: If Infralegal becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Infralegal (each a “Security Incident”), Infralegal will promptly and without undue delay (a) notify you of the Security Incident; (2) investigate (and, if appropriate, ensure that Microsoft investigates) the Security Incident and provide you with detailed information about the Security Incident; (3) take reasonable steps (and, if appropriate, ensure that Microsoft takes reasonable steps) to mitigate the effects and to minimize any damage resulting from the Security Incident. You must notify Infralegal promptly about any possible misuse of your accounts or authentication credentials or any security incident related to any Online Service that Infralegal provides to you.
- Data transfers: Customer Data and Personal Data that Infralegal processes on your behalf (or that Microsoft processes on Infralegal’s behalf) may not be transferred to, or stored and processed in a geographic location except in accordance with the DPA Terms and the safeguards provided therein.
- Location of Customer Data at rest: Infralegal will ensure that Microsoft stores the following Customer Data at rest only within Australia: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, and (3) files uploaded to OneDrive for Business.
If Infralegal allows you to use an Online Service (for example, a cloud-based data room or client portal), by assigning a User Subscription Licence to you, or by allowing you to use a device that has been assigned a Device Subscription Licence, you may only use the Online Service as permitted by Microsoft. You will owe to Infralegal the same obligations that Infralegal owes to Microsoft in relation to such use, except that you will only be required to pay a licence or subscription fee to Infralegal if our Legal Services Agreement with you requires this. Similarly, Infralegal will have the same rights against you that Microsoft has against Infralegal in relation to such use (aside from the right to charge a licence or subscription fee, which will be as set out in our Legal Services Agreement with you).
The terms and conditions on which Infralegal obtains the Online Services from Microsoft are set out in Microsoft’s Universal Licence Terms for all Online Services (Microsoft’s Online Services Terms). Microsoft’s Online Services Terms can be accessed via this web page.
Service Level Agreement
If the Online Services that you use are covered by Microsoft’s Service Level Agreement for Microsoft Online Services (SLA), the terms of the SLA will apply as if:
- references in the SLA to “Microsoft” and “we” are to Infralegal, and all references to “you” are to you;
- references to “Applicable Monthly Services Fees” are to the Applicable Monthly Services Fees under the SLA between Microsoft and Infralegal; and
- references to “Service Credit” are to the value of the corresponding Service Credit to Infralegal under its SLA with Microsoft.
Accordingly, the value of any corresponding Service Credit to Infralegal under its SLA with Microsoft will be your sole and exclusive remedy for any performance or availability issues for any Online Service that Infralegal allows you to use.
Advanced threat detection
Infralegal’s Microsoft 365 for Business Premium subscription includes advanced cyberthreat protection capabilities, that enable Infralegal to:
- Help protect against sophisticated threats hidden in email attachments and links, and access to cutting-edge defences against zero-day threats, ransomware, and other advanced malware attempts with Microsoft Defender for Office 365;
- Remotely wipe company data from lost or stolen devices with selective wipe from Intune;
- Restrict the copying or saving of company information to unauthorised apps and locations with app protection for Office mobile apps;
- Control who has access to company information by applying restrictions like do not copy and do not forward with Information Rights Management;
- Apply policies that provide prebreach threat resistance in Windows 10 with Windows Defender Exploit Guard;
- Enforce malware protection to help keep Infralegal’s Windows 10 devices safe from viruses, spyware, and other malicious software with Windows Defender; and
- Enable unlimited cloud archive and long-term preservation policies to ensure Infralegal never loses an email with Exchange Online Archiving.
PC and device management
Infralegal’s Microsoft 365 for Business Premium subscription includes device management capabilities, that enable Infralegal to:
- Configure security features and settings on Windows 10 PCs and mobile devices running iOS or Android with an easy-to-use setup wizard5;
- Use simplified controls to manage policies applied to Windows 10 PCs;
- Automatically deploy the Office apps to Windows 10 PCs;
- Configure Infralegal’s PCs to automatically install Office and Windows 10 updates; and
- Apply security policies to protect business data on all Infralegal devices, including iOS, Android, and Windows PCs with mobile device management from Intune.
Updates to Microsoft Product Terms
Microsoft updates its Product Terms from time to time, including Microsoft’s Online Services Terms, the DLA and the SLA. The terms that will form the basis of Infralegal’s obligations to you at any time will be the terms that apply as between Infralegal and Microsoft at that time.
Infralegal renews its subscriptions for Microsoft’s Online Services on a monthly basis. When Infralegal renews a subscription to an Online Service, Microsoft’s then-current Product Terms apply to Infralegal from that date until the subscription is next renewed.
Capitalised Terms that are defined in Microsoft’s Online Services Terms have the same meaning in this web page.