Microsoft Corporation Purchase Order Terms and Conditions (January 2024)
Microsoft Corporation Purchase Order Terms & Conditions (PO Terms)
1. Acceptance and Effect. These PO Terms are between Microsoft Corporation or any of its US subsidiaries
(“Microsoft”) and the supplier identified in the applicable SOW (“Supplier”) and cover:
a. “Cloud Services”: the services, websites (including hosting), solutions, platforms, and products that
Supplier makes available under or in relation to these PO Terms, including the software, mobile apps,
equipment, technology, and services necessary for Supplier to provide the foregoing.
b. “Deliverables”: all work product developed by Supplier (or Supplier’s approved
subcontractor) for Microsoft as part of the delivery of Goods, Services or Cloud Services, including
intellectual property (“IP”) in connection with these PO Terms. Deliverables are “work made for hire” for
Microsoft as that term is defined under copyright law.
c. “Goods”: software and/or tangible goods licensed or purchased by Microsoft under these PO Terms.
d. “Services”: professional services, advertising, consulting services, and support and maintenance
services purchased by Microsoft under these PO Terms.
e. “SOW” means any of the following: (1) Microsoft purchase orders; (2) statements of work or other
order forms signed by both parties’ authorized representatives; or (3) written agreements signed by
both parties’ authorized representatives referencing, and subject to, these PO Terms.
These PO Terms are effective upon Supplier’s commencement of performance or the date of Supplier’s
signature on the applicable SOW, whichever is earlier. Except as set forth in Section 2 below, Supplier’s
acceptance of these PO Terms is expressly limited to these terms and conditions without counterproposal.
2. Relationship to Other Agreements. The terms and conditions of these PO Terms are the complete and binding
agreement between Microsoft and Supplier except:
a. If the parties mutually executed an agreement, such as a Microsoft Supplier Services Agreement, which
is effective on the date of these PO Terms and applies to the Goods, Services, or Cloud Services ordered
with these PO Terms, and that agreement applies to the relationship of the parties governed by these
PO Terms, then the provisions of such agreement are incorporated. If a conflict arises between these PO
Terms and such agreement, to the extent of that conflict, the terms of such agreement will apply. For
the purposes of these PO Terms, online terms or agreements that Microsoft accepts to login or access
Goods, Services, or Cloud Services, such as installed applications, embedded software, software as a
service, or a platform, are not an agreement that has been “mutually executed” and will not replace,
supplement or amend the terms in these PO Terms in any way.
b. If multiple agreements with similar or contradictory provisions could apply to these PO Terms, the
parties agree the terms most favorable to Microsoft will apply, unless the result would be
unreasonable, unconscionable, or prohibited by law.
c. Except as stated above in this Section 2, and other than changes described in Section 9 and the
Termination provisions in Section 14, additional or different terms (for example, online terms or
agreements) will not supersede these PO Terms unless the parties mutually execute a written
document.
3. Packing, Shipment and Returns of Goods or Deliverables. Unless specifically provided in these PO Terms:
a. Packing.
(1) Price based on weight will include net weight only.
(2) Supplier will not charge Microsoft for packaging or pre-shipping costs, such as boxing,
crating, handling damage, drayage, or storage.
b. Shipping.
(1) Supplier will mark all containers with necessary handling and shipping information, PO number(s), date of
shipment, and names of the consignee and consignor.
(2) An itemized invoice and packing list, and other documentation required for domestic or international
transit, regulatory clearance or identification of the Goods or Deliverables will accompany each shipment.
(3) Microsoft will only pay for the quantity received, not to exceed the maximum quantity
ordered.
(4) Microsoft or its agent will hold over-shipments at Supplier’s risk and expense for a
reasonable time awaiting Supplier’s shipping instructions.
(5) Microsoft will not be charged for shipping or delivery costs.
(6) Unless otherwise agreed, Goods and Deliverables will be delivered on the 10th day after the
purchase order date:
(1) FOB to the Microsoft designated delivery location if the Goods and Deliverables
originate in the same jurisdiction as the Microsoft designated delivery location; or
(2) DDP (Incoterms 2010) to the Microsoft designated delivery location for cross border delivery of
Goods and Deliverables to the Microsoft designated delivery location.
(7) Supplier will bear all risk of loss, damage, or destruction to the Goods or Deliverables, in whole or in part,
occurring before final acceptance by Microsoft at the designated delivery location. Microsoft is responsible
for any loss caused by the gross negligence of its employees before acceptance.
c. Returns. Supplier will bear the expense of return shipping charges for over-shipped quantities
or rejected items.
4. Invoices.
a. Unless otherwise agreed, Supplier will invoice Microsoft monthly in arrears and only for accepted
Goods, Services and Deliverables.
b. Supplier will invoice Microsoft using MS Invoice according to SupplierWeb (microsoft.com). The Microsoft
invoicing process is an electronic invoice submission process. MS Invoice (https://einvoice.microsoft.com) is a
web-based application, provided by Microsoft to its payees, which allows payees to submit electronic invoices
directly to Microsoft. The MS Invoice tool supports electronic invoice submissions on a one-on-one basis or via
mass upload if there are multiple invoices. Payee should contact the Microsoft Accounts Payable Help Desk at
https://www.microsoft.com/en-us/procurement/contracting-apsupport.aspx and provide a valid justification if
unable to submit invoices via this process; as an exception, Microsoft will provide an alternative invoice
submission process. Invoices must contain the following information: PO number, item number, description of
item, quantities, unit prices, extended totals, packing slip number, shipping, ship to city and state, taxes, and
any other information reasonably required by Microsoft. Supplier will not charge Microsoft for researching,
reporting on, or correcting any errors relating to its invoices.
c. Microsoft may dispute any invoice by providing written notice or partial payment. Microsoft will make
commercially reasonable efforts to notify Supplier in writing of any disputed amount within 60 days of receiving
the applicable invoice. Neither failing to provide notice nor payment of an invoice is a waiver of any claim or right.
5. Payment Terms, Cash Discounts, Offset, and Expenses.
a. After Microsoft accepts the Goods, Services or Cloud Services and receives a correct and undisputed invoice
(the “Create Date”), Microsoft will release payment by net 10 days less a 2% discount on the invoiced amount
or by net 60 days with no discount if Microsoft does not issue payment within 10 days following the Create
Date.
b. Microsoft is not obligated to pay any invoice received from Supplier more than 120 days after
Microsoft accepts the Goods, Services or Cloud Services.
c. Payment of an invoice will not constitute acceptance under these PO Terms, and is subject to
adjustment for errors, shortages, defects, or other failure of Supplier to meet the requirements of these
PO Terms.
d. Microsoft may set-off amounts owed to Microsoft against an amount Microsoft owes Supplier or
Supplier’s affiliated companies. Microsoft will provide notice to Supplier within a reasonable time after
the set-off.
e. Unless otherwise agreed, Supplier is responsible for all expenses incurred providing the Goods, Services
or Cloud Services and performing under these PO Terms.
6. Taxes.
a. Except as otherwise provided below, the amounts to be paid by Microsoft to Supplier do not include
taxes. Microsoft is not liable for any taxes that Supplier is legally obligated to pay, including net income
or gross receipts taxes, franchise taxes, and property taxes. Microsoft will pay Supplier any sales, use or
value added taxes it owes due to these PO Terms and which the law requires Supplier to collect from
Microsoft.
b. Microsoft will not be involved in the importation of the Goods, Services, or Cloud Services, and import taxes
are the responsibility of the Supplier unless otherwise agreed in a SOW.
c. If Microsoft provides Supplier a valid exemption certificate, Supplier will not collect the taxes
covered by such certificate.
d. If the law requires Microsoft to withhold taxes from payments to Supplier, Microsoft may withhold those
taxes and pay them to the appropriate taxing authority. Microsoft will deliver to Supplier an official
receipt for such taxes. Microsoft will use reasonable efforts to minimize any taxes withheld to the extent
allowed by law.
7. Inspection and Acceptance.
a. Microsoft may cancel these PO Terms or the applicable SOW if Supplier fails to comply with the
standards and specifications in these PO Terms.
b. All Goods and Services will be subject to Microsoft’s inspection and testing, at any time and place, including
the period of manufacture and before final acceptance. If Microsoft inspects or tests at Supplier’s premises,
Supplier, without additional charge, will provide all reasonable facilities and assistance for the safety and
convenience of Microsoft’s inspectors. No inspection or testing done or not done before final inspection and
acceptance will relieve the Supplier from responsibility for defects or for other failure to meet the
requirements of these PO Terms.
c. If any item provided under these PO Terms is defective in materials or workmanship or not in conformity with
the requirements, then Microsoft may reject it without correction, require its correction within a specified
time, accept it with an adjustment in price, or return it to Supplier for full credit. When Microsoft provides
notice to Supplier, Supplier will promptly replace or correct, at their expense, any item rejected or requiring
correction. If, after Microsoft’s request, Supplier fails to promptly replace or correct a defective item within
the delivery schedule, Microsoft may, at its sole option: (1) replace or correct such item and charge the cost
to Supplier; (2) without further notice terminate these PO Terms or the applicable SOW for default, return the
rejected item to Supplier at Supplier’s expense and Supplier will promptly refund any amounts paid by
Microsoft for the returned item; or (3) require a reduction in price.
d. Notwithstanding any prior inspections or payments made, all Goods and Services will be subject to final
inspection and acceptance at Microsoft’s designated location within a reasonable time after delivery or
performance. Records of all inspection work will be complete and available to Microsoft during
performance of these PO Terms and for such further period as Microsoft determines.
8. Additional Cloud Services Requirements.
a. Service Levels. Supplier will schedule any Cloud Services upgrades or maintenance during the Maintenance
Window defined in the applicable SOW. Supplier will provide Cloud Services in accordance with the service
levels and terms specified at https://aka.ms/CS_SLA (or any successor link), which is deemed part of
documentation (e.g., specifications) and incorporated and made part of these PO Terms.
b. Business continuity. Supplier will be responsible for establishing, implementing, testing, and maintaining an
effective enterprise-wide business continuity program (including disaster recovery and crisis management
procedures) to provide continuous access to, and support for, the Cloud Services to Microsoft. At a minimum,
Supplier must, at all times: (1) back up, archive and maintain duplicate or redundant systems that: (i) are located
at a secure physical location (other than the location of primary system(s) used to provide Cloud Services); (ii) are
updated and tested at least annually; and (iii) can fully recover the Cloud Services and all Microsoft Materials on
a daily basis; and (2) establish and follow procedures and frequency intervals for transmitting backup data and
systems to Supplier’s backup location. On request, Supplier will provide Microsoft with an overview of Supplier’s
enterprise business continuity program and will promptly and in good faith provide written responses to
Microsoft’s inquiries in connection with that program to enable Microsoft to review the adequacy of the program.
c. Transition. If the applicable SOW terminates or expires, or if Microsoft requests in writing, Supplier will
provide: (1) backup media to Microsoft (as reasonably requested by Microsoft) containing all Microsoft
Materials (unless the Cloud Services provide this as a self-service function to Microsoft); and (2) all
assistance Microsoft reasonably requires (at Microsoft’s expense) to timely and smoothly transition from the
Cloud Services.
9. Changes. Microsoft may suspend Supplier’s performance, increase or decrease the ordered quantities, or make
changes for Microsoft’s reasonable business needs (each, a “Change Order”), by written notice to Supplier, including
via e-mail, and without any notice to Supplier sureties, subcontractors, or assignees. Unless mutually agreed, a
Change Order does not apply to change the Goods and Services timely and fully delivered before the date of the
Change Order. If any change causes an increase or decrease in the cost of, or the time required for, Supplier’s
performance, an equitable adjustment may be made in the price or delivery schedule or both, if Microsoft agrees to
such adjustment in writing.
10. Tools and Equipment. All tools, equipment or materials acquired by Supplier for use in providing the Goods and
Services, which have been furnished to, paid for by or charged against Microsoft, including specifications, drawings,
tools, dies, molds, fixtures, patterns, hobs, electrodes, punches, artwork, screens, tapes, templates, special test
equipment, gauges, content, data, and software, will remain or become Microsoft’s property, treated as Microsoft
Confidential Information, and delivered in good condition, normal wear and tear excepted, by Supplier to Microsoft’s
designated delivery location per Section 3, immediately upon demand and without cost to Microsoft. Supplier
warrants the item(s) and information will not be used for any work or production of any materials or parts other than
for Microsoft, without Microsoft’s prior written permission. Supplier will identify for Microsoft all third-party IP or
software used in conjunction with the Services.
11. Reports. Upon request from Microsoft, Supplier will promptly provide Microsoft with a Software Bill of Materials
(“SBOM”) for all software provided under these PO Terms. Each SBOM will meet the minimum requirements
established by the U.S. Department of Commerce or otherwise set forth by Law.
12. Ownership and Use of the Parties’ Respective IP.
a. Each party will own and retain all rights to its pre-existing IP and any IP developed independently of
the Goods, Services and Cloud Services under these PO Terms, including any of such party’s IP rights
therein.
b. Microsoft will own all Deliverables, including all IP rights, all media in any format, hardware, and other
tangible materials created by Supplier while delivering the Services. Any Supplier work which is a
written or customized product or report related to, or to be used in, a Deliverable is regarded as
IP.
c. If Deliverables do not qualify as a work made for hire, Supplier assigns to Microsoft all right, title, and
interest in and to the Deliverables, including all IP rights. Supplier waives all moral rights in
Deliverables.
d. If Supplier uses any Supplier or third-party IP in any Good or Service, Supplier will continue to own Supplier’s
IP rights. Supplier will grant Microsoft a worldwide, nonexclusive, perpetual, irrevocable, royalty-free, fully
paid up right and license, under all current and future IP rights, to use Supplier’s and third-party IP consistent
with Microsoft’s ownership interests under this Section 12.
e. Supplier grants to Microsoft and its affiliated companies (including their employees, contractors, consultants,
outsourced workers, and interns engaged by Microsoft or any of its affiliated companies to perform services) a
worldwide, irrevocable, nonexclusive, perpetual, paid-up and royalty free license for any Goods that include
software or other IP not subject to a mutually executed separate license (including installed applications). The
license allows Microsoft to use such software and IP in connection with Goods. Microsoft may transfer this
license to a Microsoft affiliated company, or a successor owner by sale or lease.
f. Supplier grants to Microsoft and its affiliated companies (including their employees, contractors, consultants,
outsourced workers, and interns engaged by Microsoft or any of its affiliated companies to perform services)
and their end users (if any), to the limited extent necessary to the performance of the Cloud Services, a
worldwide, nonexclusive, unlimited, paid-up and royalty free right to access and use, during the term, Cloud
Services, in each case for Microsoft’s business purposes. Access to the Cloud Services is unlimited unless
otherwise specified in a SOW.
g. Pass through warranties and indemnities. Supplier assigns and passes through to Microsoft all of the third-party
manufacturers’ and licensors’ warranties and indemnities for the Goods.
h. Title to the Goods (other than licensed software) will pass from Supplier to Microsoft on final acceptance.
i. Microsoft IP.
(1) Supplier may use “Microsoft Materials,” meaning any tangible or intangible materials, provided by
or on behalf of Microsoft, any of its affiliated companies, or their respective end users, to Supplier
to perform Services or Cloud Services, or obtained or collected by Supplier in connection with the
Goods, Services, or Cloud Services (e.g., usage data) (including hardware, software, source code,
documentation, methodologies, know how, processes, techniques, ideas, concepts, technologies,
reports and data). Microsoft Materials may include any modifications to, or derivative works of, the
foregoing materials, (i) Personal Data, (ii) trademarks, (iii) inputs and prompts to and outputs
generated by an AI Model (as defined below), and any data entered into any Supplier database as
part of the Services or Cloud Services. Microsoft Materials do not include Microsoft products
obtained by Supplier outside of and unrelated to these PO Terms.
(2) Microsoft grants Supplier a nonexclusive, non-sublicensable (except to subcontractors approved by
Microsoft in accordance with these PO Terms), revocable license (i) under Microsoft’s IP rights in the
Microsoft Materials to copy, use and distribute Microsoft Materials provided to it only as necessary to
perform the Services in accordance with these PO Terms, and (ii) to use Microsoft Materials only as
necessary to perform the Cloud Services in accordance with these PO Terms. Supplier will not Sell,
share, license, or otherwise commercialize any Microsoft Materials.
(3) Microsoft retains all other interest in Microsoft Materials and related IP rights. Supplier has no
right to sublicense Microsoft Materials except to approved subcontractors as required to
perform the delivery of Goods, Services and Cloud Services. If the Microsoft Materials come
with a separate license, the terms of that license will apply and those terms control in
the case of conflict with these PO Terms.
(4) Supplier will take reasonable precautions to protect and ensure against loss or damage,
theft, or disappearance of Microsoft Materials.
(5) Microsoft may revoke the license to Microsoft Materials at any time for any reasonable
business reason. The license will terminate automatically on the earlier of the expiration or
termination of these PO Terms or an applicable SOW. Supplier will promptly return any
Microsoft Materials on request or termination of Supplier’s license.
(6) Regarding Supplier’s use of Microsoft Materials:
(i) Supplier will not modify, reverse engineer, decompile, or disassemble Microsoft
Materials except as allowed by Microsoft;
(ii) Supplier will leave in place, and not alter or obscure proprietary notices and
licenses contained in Microsoft Materials;
(iii) Microsoft is not obligated to provide technical support, maintenance, or updates for
Microsoft Materials;
(iv) all Microsoft Materials are provided “as-is” without warranty; and
(v) Supplier assumes the risk of loss, damage, unauthorized access or use, or theft
or disappearance of Microsoft Materials in Supplier’s (or subcontractor’s) care,
custody, or control.
(7) No Microsoft Materials, IP or Confidential Information, may be used by Supplier or an AI
Model to customize, train, or improve, directly or indirectly, any artificial intelligence
model or product (including the AI Model itself) without Microsoft’s express prior written
consent. Any failure to obtain such consent is a material breach and Supplier’s limitation
of liability in Section 19 will not apply to claims based on a breach of this section. If
Microsoft provides such consent, the parties will first enter into a separate written
agreement that addresses the terms under which customization, training, or other
improvements will occur and allocates the parties’ rights to and liabilities arising
therefrom. “AI Model” means any artificial intelligence model (including a deep learning
or machine learning model) used in connection with or incorporated into the Goods,
Services, or Cloud Services. Supplier will comply with all Microsoft Policies and
requirements related to the use of AI Models and the responsible use of AI.
13. Representations and Warranties. Supplier represents and warrants that:
a. it has full rights and authority to enter into, perform under, and grant the rights in according to
these PO Terms and its performance will not violate any agreement or obligation between it and
any third party;
b. Services will be performed professionally and be at or above industry standard;
c. Goods, Services, Cloud Services and Deliverables must meet the standards and
specifications in these PO Terms and be suitable for the intended use;
d. it will provide to Microsoft all Goods, Services and Deliverables free from: (1) any defects in design,
workmanship, and materials; (2) any liability for royalties; and (3) any mechanic’s liens or any other
statutory lien or security interest or encumbrance;
e. the Goods, Services, Cloud Services, Deliverables and any Supplier or third-party IP provided to
Microsoft under these PO Terms:
(1) are not governed, in whole or in part, by an Excluded License. “Excluded License” means
any software license that requires as a condition of use, modification and/or distribution,
that the software or other software combined and/or distributed with it be: (i) disclosed
or distributed in source code form; (ii) licensed to make derivative works; or (iii)
redistributable at no charge; and
(2) will not be subject to license terms that require any (i) Microsoft product, service, or documentation,
or any Supplier or third-party IP licensed to Microsoft, or documentation which incorporates or is
derived from such Goods, Services, Cloud Services, Deliverables, or Supplier or third-party IP, or (ii)
Microsoft Materials or Microsoft IP, to be licensed or shared with any third party;
f. the Goods, Services, Cloud Services, Deliverables and any Supplier or third-party IP provided to
Microsoft under these PO Terms will not:
(1) to the best of Supplier’s knowledge, infringe any third-party patent, copyright, trademark, trade
secret or other proprietary right of any third party; or
(2) contain any viruses or other malicious code that will degrade or infect any Goods, Deliverables,
products, services, or any other software or Microsoft’s network or systems;
g. Supplier will comply with all Laws, rules, and regulations, including Data Protection Law (as defined in
Exhibit A), artificial intelligence Laws, and Anti-Corruption Laws (i.e., all Laws against fraud, bribery,
corruption, inaccurate books and records, inadequate internal controls, and/or money-laundering, including
the U.S. Foreign Corrupt Practices Act), whether local, state, federal or foreign. The Goods, Services, Cloud
Services, parts, components, devices, software, technology, and other materials provided under these PO
Terms (collectively, “Items”) may be subject to applicable trade laws in one or more countries. The Supplier
will comply with all relevant laws and regulations applicable to the import or export of the Items, including
but not limited to, trade laws and regulations such as the U.S. Export Administration Regulations or other
end-user, end use, and destination restrictions by the U.S. and other governments, as well as sanctions
regulations administered by the U.S. Office of Foreign Assets Control (“Trade Laws”). Microsoft may suspend
or terminate these PO Terms immediately to the extent that Microsoft reasonably concludes that continued
performance would violate Trade Laws or put it at risk of becoming subject to sanctions or penalties under
Trade Laws. Supplier is responsible for ensuring compliance with the transfer or re-transfer of intangible
items, such as technology. Supplier agrees to provide Microsoft with the import/export control
classifications and information, including documentation, on the applicable import, export, or re-export
authorizations, and all necessary information about the Items for any required import, export or re-export
procedures and/or licenses, without additional cost to Microsoft. For additional information, see
https://www.microsoft.com/en-us/exporting. “Law” means all applicable laws, rules, statutes, decrees,
decisions, orders, regulations, judgments, codes, enactments, resolutions, and requirements of any
government authority (federal, state, local, or international) having jurisdiction;
h. Supplier will comply with all applicable Anti-Corruption Laws. While performing under these PO Terms,
Supplier will provide training to its employees on compliance with Anti-Corruption Laws and, upon request
by Microsoft, will complete Microsoft’s standard online training for supplier compliance with Anti-Corruption
Laws.
i. Supplier will, at its expense: (1) implement and maintain appropriate technical and organizational
measures to protect the Microsoft Materials, including Personal Data, and any other Microsoft
Confidential Information against accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, Microsoft Materials, including Personal Data, or any other Microsoft
Confidential Information, transmitted, stored or otherwise processed; (2) as soon as commercially and
technologically practicable, remediate any material vulnerabilities of which Supplier becomes aware;
and (3) comply with Supplier’s confidentiality, artificial intelligence, privacy and data protection
obligations under these PO Terms, including Sections 15, 16 and Exhibit A.
14. Termination. Microsoft may terminate these PO Terms or the applicable SOW with or without cause.
Termination is effective upon written notice. If Microsoft terminates for convenience, its only obligation
is to pay for:
a. Deliverables or Goods it accepts before the effective date of termination; or
b. Services performed, where Microsoft retains the benefit after the effective date of termination;
or
c. Cloud Services delivered before the effective date of termination (or any post termination transition
requested by Microsoft). Supplier will (without prejudice to any other remedies Microsoft may have) provide
a pro-rata refund to Microsoft for any prepaid unused fees.
15. Security, Privacy, Artificial Intelligence and Data Protection. Supplier will comply with the following, at its
own cost and expense.
a. Without limiting Microsoft’s audit rights in these PO Terms, Supplier will (1) participate in the
Microsoft Supplier Security and Privacy Assurance (“SSPA”) program, as required by Microsoft,
including by attesting to Supplier’s compliance status with respect to all applicable portions of
Microsoft’s then current Supplier Data Protection Requirements (“DPR”) on an annual basis (or more
frequently if additional portions of the DPR become available), and (2) comply with Microsoft’s then
current DPR. See https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx, Supplier
Security and Privacy Assurance (SSPA) (aka.ms), for SSPA program details, including the program
requirements and current DPR.
b. Supplier’s security procedures must include risk assessment and controls for: (1) system access; (2)
system and application development and maintenance; (3) change management; (4) asset
classification and control; (5) incident response, physical and environmental security; (6) disaster
recovery/business continuity; and (7) employee training. Those measures will be set forth in a Supplier
security policy. Supplier will make that policy available to Microsoft, along with descriptions of the
security controls in place for the Services and Cloud Services, upon Microsoft’s request and other
information reasonably requested by Microsoft regarding Supplier security practices and policies.
c. When Supplier provides Cloud Services, Supplier will only use the cloud infrastructure provider
(“CIP”) identified in the applicable SOW in providing Cloud Services and will notify Microsoft at least
90 days before it changes, adds, or undertakes any plan to change, the CIP and at least 30 days
before any change in location of Microsoft Materials. If Microsoft rejects the change, it may
terminate the applicable SOW immediately, with no further obligations.
d. Supplier will comply with the privacy and data protection requirements in Exhibit A.
e. Without limiting Supplier’s obligations under these PO Terms, including the DPR, on becoming
aware of any Security Incident (defined below), Supplier will:
(1) notify Microsoft without undue delay of the Security Incident (in any case no later than it
notifies any similarly situated customers of Supplier and in all cases before Supplier makes
any general public disclosure (e.g., a press release));
(2) promptly investigate or perform required assistance in the investigation of the Security
Incident and provide Microsoft with detailed information about the Security Incident,
including a description of the nature of the Security Incident, the approximate number of
Data Subjects affected, the Security Incident’s current and foreseeable impact, and the
measures Supplier is taking to address the Security Incident and mitigate its effects; and
(3) promptly take all commercially reasonable steps to mitigate the effects of the Security
Incident, or assist Microsoft in doing so.
“Security Incident” means any: (1) accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to Confidential Information, including Personal Data, transmitted, stored, or
otherwise processed by Supplier or its subcontractors; or (2) Security Vulnerability (i) related to
Supplier’s handling of Confidential Information, including Personal Data, or (ii) impacting Microsoft
products, services, software, network, or systems. “Security Vulnerability” means a weakness, flaw,
or error found within a security system of Supplier or its subcontractors that has a reasonable
likelihood to be leveraged by a threat agent in an impactful way. Supplier will comply with this
Section 15(e) at Supplier’s cost unless the Security Incident arose from Microsoft’s negligent or
willful acts or Supplier’s compliance with Microsoft’s express written instructions.
Supplier must obtain Microsoft’s written approval before notifying any governmental entity, individual,
the press, or other third party of a Security Incident that affected or reasonably could affect Microsoft,
including any Confidential Information that Supplier received from Microsoft or Processed on behalf
of Microsoft.
f. Artificial Intelligence. If the Goods, Services or Cloud Services include artificial intelligence
technology, Supplier will, at its expense, implement and maintain appropriate technical and
organizational measures to ensure such artificial intelligence technology complies with all Laws
and industry standards, including standards and policies related to the ethical or responsible
use of artificial intelligence; the ability to explain algorithms and logic in decision making and
the output, the likely outcome of each AI Model with respect to end users, change management
to comply with Laws and appropriate industry standards and employee training. Supplier will
make that policy available to Microsoft on Microsoft’s request along with other information
reasonably requested by Microsoft regarding Supplier practices and policies.
g. Notifications.
(1) Supplier must obtain Microsoft’s written approval before notifying any governmental entity,
individual, the press, or other third party of a Security Incident or in connection with
Supplier’s use of artificial intelligence technology including an AI Model (an “AI Inquiry”) that
affected or reasonably could affect Microsoft, including any Confidential Information that
Supplier received from Microsoft or Processed on behalf of Microsoft. For any disclosure of a
Security Incident or AI Inquiry to a third party, Supplier will, as part of its notification to
Microsoft, disclose the identity of the third party and a copy of the notification (if the
notification to the third party has not been sent, Supplier will provide a draft to Microsoft).
Supplier will permit Microsoft to offer edits or updates to the notification. Microsoft’s release
of information about an AI Model in relation to an AI Inquiry is not a breach of Microsoft’s
confidentiality obligations in these PO Terms.
(2) Supplier may notify a third party about a Security Incident affecting Personal Data if it is
under a legal obligation to do so, provided that Supplier makes every effort to give Microsoft
prior notification, as soon as possible and if prior notification is not possible, notify Microsoft
immediately once it becomes possible to give notification.
16. Supplier Code of Conduct. Supplier will comply with the most current Supplier Code of Conduct at
https://aka.ms/scoc and the most current Anti-Corruption Policy for Microsoft Representatives at
http://aka.ms/microsoftethics/representatives, and any other Policies (e.g., physical or information security or
artificial intelligence Policies) or training identified by Microsoft in a SOW or otherwise during the Term (and will
provide such training).
17. Accessibility. Any device, product, website, web-based application, cloud service, software, mobile applications, or
content developed or provided by or on behalf of Supplier or Supplier’s Affiliate under these PO Terms must
comply with all legal accessibility requirements. For purchases with a User Interface (UI) this includes conformance
to Level A and AA Success Criteria of the latest published version of the Web Content Accessibility Guidelines
(“WCAG”), available at https://www.w3.org/standards/techs/wcag#w3c_all, Section 508 of the Rehabilitation
Act, available at https://www.section508.gov and the European standard EN 301 549 available at https://eur-
lex.europa.eu/eli/dir/2016/2102/oj. Suggested documentation includes completion of the VPAT 2.4 INT: which
incorporates all three of the above standards and is available at https://www.itic.org/policy/accessibility/vpat.
18. No Waiver. Microsoft’s delay or failure to exercise any right or remedy will not result in a waiver of that or
any other right or remedy.
19. Insolvency; Limitations of Liability.
a. The insolvency or adjudication of bankruptcy, filing a voluntary petition in bankruptcy, or making an
assignment for the benefit of creditors by either party will be a material breach of these PO Terms. For
these PO Terms, “insolvency” means either (1) the party’s liabilities exceed its assets, each fairly stated, or
(2) the party’s failure to pay its business obligations on a timely basis in the regular course of business.
b. Limitations of Liability. EXCEPT FOR THE INDEMNIFICATION OBLIGATIONS STATED IN SECTION 21, A
BREACH OF A PARTY’S CONFIDENTIALITY, SECURITY, PRIVACY, DATA PROTECTION, ARTIFICIAL
INTELLIGENCE, AND PUBLICITY OBLIGATIONS UNDER THESE PO TERMS, INFRINGEMENT, MISUSE,
OR MISAPPROPRIATION OF IP RIGHTS IN CONNECTION WITH THESE PO TERMS, OR FRAUD,
NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL,
EXEMPLARY, OR PUNITIVE DAMAGES (INCLUDING DAMAGES FOR LOSS OF DATA, REVENUE,
AND/OR PROFITS), WHETHER FORESEEABLE OR UNFORESEEABLE, WHICH ARISE OUT OF THESE PO
TERMS, REGARDLESS OF WHETHER THE LIABILITY IS BASED ON BREACH OF CONTRACT, TORT,
STRICT LIABILITY, BREACH OF WARRANTIES OR OTHERWISE, AND EVEN IF THE PARTY IS ADVISED
OF THE POSSIBILITY OF THOSE DAMAGES.
20. Subcontracting. Supplier will not subcontract with any third party to furnish any Goods, Services or Cloud Services
without Microsoft’s prior written consent. If Supplier subcontracts any Services or Cloud Services to any
subcontractor, Supplier will be fully liable to Microsoft for any actions or inactions of subcontractor, remain subject
to all obligations under these PO Terms, require the subcontractor to agree in writing that Microsoft is an intended
third-party beneficiary of its agreement with Supplier and require the subcontractor to agree in writing to terms no
less protective of Microsoft than the terms of these PO Terms applicable to the work performed by the
subcontractor, including the privacy and data protection terms in Section 15 of these PO Terms and Exhibit A.
21. Indemnification and Other Remedies.
a. Supplier will defend, indemnify and hold harmless Microsoft and Microsoft affiliates companies against all
claims, demands, loss, costs, damages, and actions for: (1) actual or alleged infringements of any third-
party IP or IP rights or Microsoft IP or IP Rights, which arise from the Goods, Services or Cloud Services
provided under these PO Terms; (2) any claim that, if true, would constitute a breach of Section 15, Exhibit
A, or any Supplier warranty contained herein; (3) any act or omission of or failure to comply with tax
obligations or Law by Supplier or Supplier’s agents, employees, or subcontractors; (4) any breach by
Supplier or its subcontractors of confidentiality, security, or privacy, data protection, artificial
intelligence, or publicity obligations under these PO Terms; (5) the negligent or willful acts or
omissions of Supplier or its subcontractors, which results in any bodily injury, including mental injury,
or death to any person or loss, disappearance or damage to tangible or intangible property; and (6)
any claims of its employees, affiliated companies or subcontractors regardless of the basis, including,
but not limited to, the payment of settlements, judgments, and reasonable attorneys’ fees.
b. In addition to all other remedies available to Microsoft, if use of the Goods, Services, or Cloud Services
under these PO Terms are enjoined, injunction is threatened, or may violate applicable law, Supplier, at its
expense will notify Microsoft and immediately replace or modify such Goods, Services and Cloud Services
so they are non-infringing, compliant with applicable law, and useable to Microsoft’s satisfaction. If Supplier
does not comply with this Section 21(b), then in addition to any amounts reimbursed under this Section 21
(Indemnification and Other Remedies), Supplier will refund all amounts paid by Microsoft for infringing or
non-compliant Goods, Services and Cloud Services and pay reasonable costs to transition Services and
Cloud Services to a new supplier.
22. Insurance. Supplier will maintain sufficient insurance coverage to meet obligations required by these PO
Terms and by Law. Supplier’s insurance must include the following coverage (or the local currency equivalent)
to the extent these PO Terms or the applicable SOW creates risks generally covered by these insurance
policies:
Table A1 Required Insurance Coverage
Coverage | Form
Commercial general liability, including contractual and product liability (see note 2) | Occurrence
Automobile liability | Occurrence
Privacy and cybersecurity liability, as reasonably commercially available (including costs arising from data destruction, hacking or intentional breaches, crisis management activity related to data breaches, and legal claims for security breach, privacy violations, and notification costs) | Per claim
Workers’ compensation | Statutory
Employer’s liability | Occurrence
Professional liability/E&O, covering third-party proprietary rights infringement (e.g., copyright and trademark) if reasonably commercially available | Per claim (see note 3)
NOTES:
1 All limits per claim or occurrence unless statutory requirements are otherwise may be converted
to local currency.
2 Supplier will name Microsoft, its subsidiaries, and their respective directors, officers, and employees
as additional insureds in the Commercial general liability policy, to the extent of contractual liability
assumed by Supplier in Section 21.
3 With a retroactive coverage date no later than the effective date of these PO Terms or the applicable
SOW or Order. Supplier will maintain active policy coverage or an extended reporting period providing
coverage for claims first made and reported to the insurer within 12 months after these PO Terms
terminate or expire or the applicable SOW or Order is fulfilled.
Supplier must obtain Microsoft’s prior written approval for any deductible or retention in excess of $100,000
USD per occurrence or accident. Supplier will deliver to Microsoft proof of the insurance coverage required under
these PO Terms on request. Supplier will promptly buy additional coverage, and notify Microsoft in writing, if
Microsoft reasonably determines Supplier’s coverage is less than required to meet its obligations.
23. Non-Disclosure of Confidential Matters. If the parties have entered into a standard Microsoft Non-Disclosure
Agreement, the terms of such agreement will apply to and be incorporated in these PO Terms and the
existence of and all terms and conditions of these PO Terms and Microsoft Materials will be deemed Microsoft
Confidential Information. If the parties have not entered into a standard Microsoft Non-Disclosure Agreement,
then Supplier agrees that during the term of these PO Terms and for 5 years thereafter, Supplier will hold in
strictest confidence, and will not use or disclose to any third party (except to a Microsoft Affiliate), any
Microsoft Confidential Information. The term “Microsoft Confidential Information” means all nonpublic
information that Microsoft or an affiliated company designates in writing or orally as being confidential, or
which, under the circumstances of disclosure would indicate to a reasonable person that it ought to be treated
as confidential. Notwithstanding anything to the contrary in these PO Terms, all Personal Data shared with
Supplier or a Supplier affiliate and in connection with these PO Terms is Microsoft Confidential Information. If
Supplier has questions regarding what comprises Microsoft Confidential Information, Supplier will consult
Microsoft. Microsoft Confidential Information will not include information known to Supplier before Microsoft’s
disclosure to Supplier, or information publicly available through no fault of Supplier.
On expiration or termination of these PO Terms or the applicable SOW, or on request by Microsoft or
Microsoft’s Affiliate, Supplier will without undue delay: (i) return all Microsoft Confidential Information
(including copies thereof) to Microsoft or the applicable Microsoft Affiliate; or (ii) where requested by Microsoft
or its Affiliate, destroy the Microsoft Confidential Information (including copies thereof) and certify its
destruction, in each case unless the Law expressly requires otherwise or the parties otherwise expressly agree
in writing. For any Microsoft Confidential Information that Supplier retains after expiration or termination of
these PO Terms or the applicable SOW (for example, because Supplier is legally required to retain the
information), Supplier will continue to comply with all terms of these PO Terms applicable to that Confidential
Information, including all confidentiality obligations, and those applicable terms will survive such termination
or expiration.
24. Independent Development. Nothing in these PO Terms restricts Microsoft’s ability to, directly or indirectly,
acquire, license, develop, manufacture, or distribute, same or similar technology or services to the Goods,
Services or Cloud Services contemplated by these PO Terms. Microsoft may use, market, and distribute such
similar technology or services in addition to, or in lieu of, the technology or services contemplated by these PO
Terms, including any software or cloud services (in whole or in part).
25. Audit. During the term of these PO Terms and for 4 years after, Supplier will keep usual and proper records and
books of account and quality and performance reports related to Goods, Services or Cloud Services, the
Processing of Personal Data, and as otherwise required for legal compliance (“Supplier Records”). During this
period, Microsoft may audit and/or inspect the applicable records and facilities to verify Supplier’s compliance
with these PO Terms, including privacy, security, export compliance, accessibility, and taxes. Microsoft or its
designated independent consultant or certified public accountant (“Auditor”) will conduct audits and inspections.
Microsoft will provide reasonable notice (15 days except in emergencies) to Supplier before the audit or inspection
and will instruct the Auditor to avoid disrupting Supplier’s operations, including consolidating audits where
practical. Supplier agrees to provide Microsoft’s designated audit or inspection team reasonable access to the
Supplier records and facilities. If the auditors determine that Microsoft overpaid Supplier, Supplier will reimburse
Microsoft for any such overpayment. If Supplier overcharged Microsoft 5% or more during an audited period, it will
immediately refund Microsoft all overpayments plus pay interest at 0.5% per month on such overcharge. Microsoft
will bear the expense of its auditors or inspection team. However, if the audit shows Supplier overcharged
Microsoft by 5% or more during such audit period, Supplier will reimburse Microsoft for such expenses. Nothing in
this Section limits Microsoft’s right to audit Supplier under any other Section of these PO Terms, including
Exhibit A.
26. Assignments. No right or obligation under these PO Terms (including the right to receive monies due) will be
assigned without the prior written consent of Microsoft. Any assignment without such consent will be void.
Microsoft may assign its rights under these PO Terms.
27. Notice of Labor Disputes. Whenever an actual or potential labor dispute delays or threatens to delay the timely
performance of these PO Terms, Supplier will immediately notify Microsoft in writing of such dispute and furnish all
relevant details. Supplier will include a provision identical to the above in each subcontract and, immediately upon
receipt of such notice, give written notice to Microsoft.
28. Patent License. Notwithstanding other conditions stated herein, if Supplier fails in performance according to the
terms of these PO Terms, Supplier, as part of the consideration for these PO Terms
and without further cost to Microsoft, automatically grants to Microsoft an irrevocable, non-exclusive, royalty-free right
and license to use, sell, manufacture, and cause to be manufactured any and all products, which embody any and all
inventions and discoveries made, conceived, or actually reduced to practice by or on behalf of Supplier in connection
with a Deliverable under these PO Terms.
29. Jurisdiction and Governing Law. For Goods, Deliverables, Services and Cloud Services provided to Microsoft in the
United States, these PO Terms are governed by Washington State Law (disregarding conflicts of law principles), and the
parties consent to exclusive jurisdiction and venue in the state and federal courts in King County, Washington. All Cloud
Services are deemed provided in the United States if any access or use of Cloud Services by Microsoft occurs in the
United States. For all other Goods, Services and Cloud Services provided to Microsoft, the Laws, jurisdiction and venue of
the country where Microsoft (i.e., the entity other than Supplier who is the contracting entity to these PO Terms) is
incorporated or otherwise formed will govern these PO Terms. Neither party will claim lack of personal jurisdiction or
forum non conveniens in these courts. In any action or suit related to these PO Terms, the prevailing party is entitled
to recover its costs including reasonable attorneys’ fees.
30. Publicity; Use of Trademarks. Supplier will not issue press releases or other publicity related to Supplier’s
relationship with Microsoft or these PO Terms without prior written approval from Microsoft. If written approval is
granted, Supplier may only use Trademarks for Services, Cloud Services and Deliverables in compliance with the
guidelines at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx.
31. Severability, URLs. If a court of competent jurisdiction determines that any provision of these PO Terms is illegal,
invalid, or unenforceable, the remaining provisions will remain in full force and effect. URLs also refer to
successors, localizations, and information or resources linked from within websites at those URLs. Neither party
has entered into these PO Terms in reliance on anything not contained or incorporated in these PO Terms. These
PO Terms will be interpreted according to their plain meaning without presuming that they should favor either
party.
32. Survival. The provisions of these PO Terms which, by their terms, require performance after the termination or
expiration or have application to events that may occur after the termination or expiration of these PO Terms or
the applicable SOW, will survive the termination or expiration of these PO Terms and the applicable SOW. All
indemnity obligations and indemnification procedures will survive the termination or expiration of these PO Terms
and the applicable SOW.
Exhibit A Data Protection
SECTION 1 Scope, Order of Precedence, and Term
(a) This Exhibit modifies and supplements the terms and conditions in the PO Terms as they relate to Supplier’s
Processing of Personal Data and compliance with Data Protection Law. The SOW (if any) designates the Supplier’s
status as a Controller or a Processor. Notwithstanding anything to the contrary in the PO Terms, if there is a
conflict between this Exhibit and the PO Terms, this Exhibit will control. This Exhibit will be attached to and
incorporated into the PO Terms.
(b) This Exhibit applies only to the extent that Supplier receives, stores, or Processes Personal Data or Confidential
Information in connection with the Goods, Services, or Cloud Services.
SECTION 2 Definitions
(a) All capitalized terms not defined in this Exhibit will have the meanings set forth in the PO Terms.
(b) The following terms have the definitions given to them in the CCPA: “Business,” “Business Purpose,” “Sale,”
“Share,” “Service Provider,” “Contractor,” and “Third Party.”
(c) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Controller” includes a Business, Controller (as that term is defined in the GDPR), and equivalent terms in Data
Protection Laws, as context requires.
(d) “Data Exporter” means the party that (1) has a corporate presence or other stable arrangement in a jurisdiction
that requires an International Data Transfer Mechanism and (2) transfers Personal Data, or makes Personal Data
available to, the Data Importer.
(e) “Data Importer” means the party that is (1) located in a jurisdiction that is not the same as the Data Exporter’s
jurisdiction and (2) receives Personal Data from the Data Exporter or is able to access Personal Data made
available by the Data Exporter.
(f) “Personal Data Incident” means any:
(1) destruction, alteration, use, loss, disclosure of, or access to Personal Data transmitted, stored, or otherwise
processed by Supplier or its subcontractors that is not authorized by law or these PO Terms or any other
breach of the protection of Personal Data; or
(2) Security Vulnerability related to Supplier’s handling of Personal Data. “Security Vulnerability” means a
weakness, flaw, or error found within a security system of Supplier or its subcontractors that has a reasonable
likelihood to be leveraged by a threat agent in an impactful way.
(g) “Data Protection Law” means any Law applicable to Supplier or Microsoft, relating to data security, data protection,
and/or privacy, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to processing of personal data and the free movement of that
data (“GDPR”), and Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”), and
any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended,
extended, repealed and replaced, or re-enacted.
(h) “Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by
referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that
natural person.
(i) “De-identified Data” means information that cannot reasonably be linked to an identified or identifiable
individual.
(j) “EEA” means the European Economic Area.
(k) “Personal Data” means any information relating to an identified or identifiable natural person (“Data
Subject”) and any other data or information that constitutes personal data or personal information under any
applicable Data Protection Law. An identifiable natural person is one who can be identified, directly or indirectly, in
particular by referencing an identifier such as a name, an identification number, location data, an online identifier,
or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity
of that natural person.
(l) “Process” or “Processing” means any operation or set of operations that a party performs on Personal Data,
including collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or
destruction.
(m) “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes
Service Provider, Contractor, Processor (as that term is defined in the GDPR), and equivalent terms in Data
Protection Laws, as context requires.
(n) “Protected Health Information” or “PHI” means Microsoft Personal Data that is protected by the Health
Information Portability and Accountability Act (HIPAA).
(o) “Pseudonymous Data” means information that cannot be attributed to a specific individual without the use of
additional information provided that it is kept separately and subject to appropriate technical and organizational
measures to ensure that it is not attributed to the individual.
(p) “Sensitive Data” means the following types and categories of data: (1) data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, immigration or citizenship status, or trade union membership;
genetic data; (2) biometric data; (3) data concerning health, including protected health information governed by the
Health Insurance Portability and Accountability Act; (4) data concerning a natural person’s sex life or sexual
orientation; (5) government identification numbers (e.g., SSNs, driver’s license); (6) payment card information; (7)
nonpublic personal information governed by the Gramm Leach Bliley Act; (8) an unencrypted identifier in
combination with a password or other access code that would permit access to a data subject’s account; (9)
personal bank account numbers; (10) data related to children; and (11) precise geolocation.
(q) “Standard Contractual Clauses” means the European Union standard contractual clauses for international
transfers from the European Economic Area to third countries, Commission Implementing Decision (EU)
2021/914 of 4 June 2021, available at
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
(r) “Subprocessor” means a Processor engaged by a party who is acting as a Processor.
SECTION 3 Description of the Parties’ Personal Data Processing Activities and Statuses of the Parties
(a) Schedule 1 describes the purposes of the parties’ Processing, the types or categories of Personal Data involved in
the Processing, and the categories of Data Subjects affected by the Processing.
(b) Schedule 1 lists the parties’ statuses under relevant Data Protection Law.
(c) The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of
Personal Data and categories of Data Subjects may be more specifically described in a statement of work,
Microsoft purchase order, or written agreement signed by the parties’ authorized representatives, which forms an
integral part of the PO Terms; if this is the case, the more specific description will control over Schedule 1.
SECTION 4 International Data Transfer
(a) Some jurisdictions require that an entity transferring Personal Data to a recipient in another jurisdiction take extra
measures to ensure that the Personal Data has special protections if the law of the recipient’s jurisdiction does
not protect Personal Data in a manner equivalent to the transferring entity’s jurisdiction (an “International Data
Transfer Mechanism”). The parties will comply with any International Data Transfer Mechanism that may be
required by applicable Data Protection Law, including the Standard Contractual Clauses.
(b) If the International Data Transfer Mechanism on which the parties rely is invalidated or superseded, the parties
will work together in good faith to find a suitable alternative.
(c) With respect to Personal Data of Data Subjects located in a jurisdiction that requires an International
Data Transfer Mechanism, (e.g., the EEA, Switzerland, or the United Kingdom) that Microsoft transfers to Supplier or
permits Supplier to access, the parties agree upon these PO Terms becoming effective they also execute the
Standard Contractual Clauses, which will be incorporated by reference and form an integral part of the PO Terms.
The parties agree that, with respect to the elements of the Standard Contractual Clauses that require the parties’
input, Schedules 1 and 2 contain information relevant to the Standard Contractual Clauses Annexes. The parties
agree that, for Personal Data of Data Subjects in the United Kingdom, Switzerland, or another country specified in
Schedule 1, they adopt the modifications to the Standard Contractual Clauses listed in Schedule 1 to adapt the
Standard Contractual Clauses to local law, as applicable.
SECTION 5 Mutual Obligations of the Parties
(a) Compliance. The parties will comply with their respective obligations under Data Protection Law and their privacy
notices, including by providing the same level of privacy protection that is required of Businesses under the CCPA.
(b) Information. Upon request, Supplier will provide reasonably relevant information to Microsoft to enable Microsoft to
fulfill its obligations (if any) to conduct data protection assessments or prior consultations with data protection
authorities.
(c) Notification. Supplier will notify Microsoft if it determines that it can no longer meet its obligations under applicable
Data Protection Law.
(d) Cooperation. If Supplier receives any type of request or inquiry from a governmental, legislative, judicial, law
enforcement, or regulatory authority, or faces an actual or potential claim, inquiry, or complaint in connection with
Parties’ Processing of Personal Data provided to Supplier by or on behalf of Microsoft, its affiliates, or its respective
end users, or obtained or collected by Supplier in connection with the purposes described in Schedule 1 (collectively,
an “Inquiry”), then Supplier will notify Microsoft without undue delay, but in no event later than ten (10) business
days, unless such notification is prohibited by applicable law. Supplier will promptly provide Microsoft with
information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable Microsoft
to respond to the Inquiry.
(e) Confidentiality. Supplier will ensure that persons authorized to Process the Personal Data have committed
themselves to confidentiality obligations no less protective than those set forth in the PO Terms or are under an
appropriate statutory obligation of confidentiality.
(f) Security Controls. Supplier will abide by Schedule 2 and take all measures required in accordance with good industry
practice and by Data Protection Law relating to data security (including pursuant to Article 32 of the GDPR). Supplier
will implement appropriate technical and organizational measures to ensure a level of security appropriate to the
risk.
(g) Obligations Related to PHI. If Supplier’s engagement involves the Processing of PHI, Supplier must have a Business
Associate PO Terms and/or other required PO Terms in place with Microsoft.
SECTION 6 Supplier’s Obligations as Independent Controller (if applicable). If Supplier is a Controller of Personal Data
that is collected, exchanged, or otherwise Processed in connection with Supplier’s performance of the PO Terms (see
Schedule 1), then:
(a) Supplier acknowledges and agrees that Supplier is independently responsible for compliance and will comply
with applicable Data Protection Law (e.g., obligations of Controllers);
(b) Supplier will not Sell Personal Data;
(c) Supplier agrees to be responsible for providing notice to Data Subjects as may be required by applicable Data
Protection Law (e.g., GDPR Articles 13 and 14, as applicable) and responding, as required by Data Protection
Laws such as Chapter III of GDPR, to Data Subject’s requests to exercise their rights and identifying a lawful
basis of Processing (e.g., consent or legitimate interest);
(d) Supplier agrees that it will keep Pseudonymous Data separate from any additional information necessary to
make such Pseudonymous Data attributable to a specific individual and will subject such Pseudonymous Data
to appropriate technical and organizational measures to ensure that it is not attributed to a specific individual;
and
(e) Supplier agrees that it will take reasonable measures to ensure that De-identified Data cannot be associated
with a specific consumer or household, publicly commit to maintain the De-identified Data in de-identified
form and not attempt to reidentify it, and contractually commit any Subprocessors to do the same.
SECTION 7 Supplier’s Obligations as Third Party (if applicable). If Supplier Processes Personal Data as a Third Party under
the CCPA in connection with Supplier’s performance of the PO Terms (see Schedule 1), then:
(a) Supplier will Process Personal Data only for the limited and specific business purpose(s) described in Schedule 1.
(b) Supplier agrees that the Personal Data is made available only for the limited and specified purpose(s) set forth in
the contract, and that Supplier may use the information only for those purposes.
(c) Supplier will not Sell or Share Personal Data made available to it by Microsoft.
(d) Supplier will allow Microsoft to take reasonable and appropriate steps to ensure that Supplier uses the Personal
Data that it received from, or on behalf of, Microsoft in a manner consistent with Microsoft’s obligations under the
CCPA.
(e) Supplier will allow Microsoft, upon notice, to take reasonable and appropriate steps to stop and remediate any
unauthorized use of Personal Data.
SECTION 8 Supplier’s Obligations as a Processor, Contractor, Subprocessor, or Service Provider.
Supplier will have the obligations set forth in this Section 8 if it Processes the Personal Data of Data Subjects in its
capacity as Microsoft’s Processor, Contractor, or Service Provider; for clarity, these obligations do not apply to
Supplier in its capacity as an Independent Controller, Business, or Third Party.
(a) Scope of Processing
(1) Supplier will Process Personal Data solely to (i) provide Services to Microsoft (and where applicable
for the Business Purposes specified in the applicable SOW), (ii) carry out its obligations under the PO
Terms, and (iii) carry out Microsoft’s documented instructions. Supplier will not Process Personal Data
for any other purpose, unless required by applicable law, and will not Sell or Share Personal Data that
it collects or obtains pursuant to the PO Terms.
(2) Processing any Personal Data outside the scope of the PO Terms and this Exhibit will require prior
written PO Terms between Supplier and Microsoft by way of written amendment to the PO Terms.
(3) Supplier will notify Microsoft if it believes that it cannot follow Microsoft’s instructions or fulfill its
obligations under the PO Terms because of a legal obligation to which Supplier is subject, unless
Supplier is prohibited by law from making such notification.
(4) Supplier is prohibited from retaining, using, or disclosing the Personal Data (1) for any purpose other
than the Business Purposes specified in Schedule 1, including retaining, using, or disclosing the
Personal Data for a commercial purpose other than carrying out Microsoft’s instructions; (2) outside
of the Parties’ direct business relationship, unless permitted by applicable Data Protection Law, or (3)
by combining Personal Data that Supplier receives from, or on behalf of, Microsoft with Personal Data
that it receives from, or on behalf of, another person or persons, or collects from its own interaction
with the Data Subject, provided that Supplier may combine Personal Data to perform any Business
Purposes permitted by applicable Data Protection Law. Supplier certifies that it understands and
will comply with the prohibitions set forth in this paragraph (8)(a)(4).
(5) Supplier will allow Microsoft, upon notice, to take reasonable and appropriate steps to stop and
remediate any unauthorized use of Personal Data.
(b) Obligations Regarding Pseudonymous Data and De-identified Data
(1) Supplier agrees that it will keep Pseudonymous Data separate from any additional information
necessary to make such Pseudonymous Data attributable to a specific individual and will subject
such Pseudonymous Data to appropriate technical and organizational measures to ensure that it is
not attributed to a specific individual;
(2) Supplier agrees that it will (i) take reasonable measures to ensure that De-identified Data cannot be
associated with a specific consumer or household, (ii) commit to maintain the De-identified Data in
de-identified form and not attempt to reidentify it, and (iii) contractually commit any Subprocessors to
do the same.
(c) Data Subjects’ Requests to Exercise Rights. Supplier will promptly inform Microsoft if Supplier receives a
request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data
Protection Law. Supplier will not respond to such Data Subjects except to acknowledge their requests.
Supplier will provide Microsoft with assistance, upon request, to help Microsoft to respond to a Data Subject’s
request. Microsoft will notify the Supplier of any consumer request that the Supplier must comply with and
will provide information necessary for compliance.
(d) Supplier’s Subprocessors. Supplier will not engage a Subprocessor without Microsoft’s prior written
authorization. Supplier will be liable for the acts or omissions of its Subprocessors to the same extent as
Supplier would be liable if performing the services of the Subprocessor directly under this Exhibit, except as
otherwise set forth in the PO Terms. Supplier will require Subprocessors to agree in writing to terms no less
protective than the terms in this Exhibit.
(e) Personal Data Incident
(1) Without limiting Supplier’s obligations under the PO Terms, including the DPR and this Exhibit with respect to
Personal Data, on becoming aware of any Personal Data Incident, Supplier will:
(i) notify Microsoft without undue delay of the Personal Data Incident (in any case no later than it
notifies any similarly situated customers of Supplier and in all cases before Supplier makes
any general public disclosure (e.g., a press release));
(ii) promptly investigate or perform required assistance in the investigation of the Data Incident and
provide Microsoft with detailed information about the Personal Data Incident, including a
description of the nature of the Personal Data Incident, the approximate number of Data Subjects
affected, the Personal Data Incident’s current and foreseeable impact, and the measures Supplier
is taking to address the Personal Data Incident and mitigate its effects; and
(iii) promptly take all commercially reasonable steps to mitigate the effects of the Data Incident,
or assist Microsoft in doing so.
(2) Supplier will comply with this Section 8(e) at Supplier’s cost unless the Personal Data Incident arose from
Microsoft’s negligent or willful acts or Supplier’s compliance with Microsoft’s express written instructions.
(3) Supplier must obtain Microsoft’s written approval before notifying any governmental entity, individual, the
press, or other third party of a Data Incident that affected or reasonably could affect Personal Data that
Supplier received from Microsoft or Processed on behalf of Microsoft. Notwithstanding anything to the
contrary in this Exhibit, Supplier may notify a third party about a Personal Data Incident affecting Personal
Data if it is under a legal obligation to do so, provided that Supplier must: (i) make every effort to give
Microsoft prior notification, as soon as possible, if it intends to disclose the Personal Data Incident to a third
party; and (ii) if it is not possible to give Microsoft such prior notification, notify Microsoft immediately once it
becomes possible to give notification. For any disclosure of a Personal Data Incident to a third party,
Supplier will, as part of its notification to Microsoft, disclose the identity of the third party and a copy of the
notification (if the notification to the third party has not been sent, Supplier will provide a draft to Microsoft).
Supplier will permit Microsoft to offer edits or updates to the notification.
(f) Deletion and Return of Personal Data. On expiration or termination of the applicable statement of work, cloud order,
purchase order, or other written agreement between the parties, or upon request by Microsoft or Microsoft’s Affiliate,
Supplier will, without undue delay: (1) return all Personal Data (including copies thereof) to Microsoft or the
applicable Microsoft Affiliate; or (2) on request by Microsoft or its Affiliate, destroy all Microsoft Personal Data
(including copies thereof), and certify its destruction, in each case unless the Law expressly requires otherwise or the
parties otherwise expressly agree in writing. For any Microsoft Personal Data that Supplier retains after expiration or
termination of the applicable statement of work, cloud order, purchase order, or other written agreement between
the parties (for example, because Supplier is legally required to retain the information), (A) Supplier will continue to
comply with all terms of the PO Terms applicable to that Personal Data, including all the data security and privacy
provisions in this Exhibit and those applicable terms will survive such expiration or termination and (B) Supplier must
De-identify or aggregate Personal Data (if any) to the extent feasible. All Personal Data is Microsoft Confidential
Information.
(g) Audits. Without limiting any of Microsoft’s existing audit rights under the PO Terms (if any), Supplier will make
available to Microsoft all information necessary to demonstrate compliance with Data Protection Law and allow for
and contribute to audits, including inspections, conducted by Microsoft or another auditor mandated by Microsoft.
Schedule 1: Description of the Processing and Subprocessors
Processing Activity | Status of the Parties | Categories of Personal Data that May Be Processed | Categories of Sensitive Data that May Be Processed | Applicable SCCs Module
(For both category columns: the categories listed are descriptive and do not necessarily mean that the parties are processing each category of data listed.)
Supplier Processes
Microsoft
Location data
Data related to
Module 2
Personal Data to
is a
IP address
Children
Module 3, if
provide the Goods,
Services, or Cloud
Services.
Controller.
Supplier is
a
Processor.
Device preferences &
personalization
Service usage for
Genetic data
Biometric data
Health data
Microsoft
acts as a
Processor
to
another
websites, webpage
click tracking
Racial or ethnic origin
Controller
Political opinions
Social media data,
social graph
relationships
Religious or
philosophical beliefs
Activity data from
connected
devices such as
fitness monitors
Contact data such as
name, address,
phone number, email
address, date of
birth, dependent and
emergency contacts
Fraud and risk
assessment,
background check
Insurance, pension,
benefit detail
Trade union
membership
A natural person’s
sex life or sexual
orientation
Immigration
status (visa, work
authorization, etc.)
Government Identifiers
(passport, driver’s
license, visa, social
security numbers,
national identity
numbers)
Candidate resumes,
interview
notes/feedback
Metadata and
telemetry
Payment instrument
data
Credit card no. &
expiration date
Bank routing
information
Bank account number
Credit requests Line
of credit
Tax documents and
identifiers
Investment data
Corporate cards
Expense data
Azure tenant, M365
tenant
Xbox Live, OneDrive
Consumer
Customer originated
support ticket
Billing data
e-commerce data
Event registration
Training
Globally Unique
Identifier (GUID)
Passport User ID or
Unique Identifier
(PUID)
Hashed End-User
Identifiable
Information (EUII)
Session IDs
Device IDs
Diagnostic Data
Log Data
Processing Activity: The parties Process Personal Data of their employees to, e.g., administer and provide the Goods, Services, or Cloud Services; manage invoices; manage the PO Terms and resolve any disputes relating to it; respond and/or raise general queries; comply with their respective regulatory obligations; and create and administer web-based accounts.
Status of the Parties: Microsoft is a Controller. Supplier is a Processor.
Categories of Personal Data that May Be Processed: Employee name, title, and other contact information; Employee IDs; Device and/or activity Data related to a Microsoft’s employees’ clicks, presses, or other interactions with Supplier’s hardware and software
Categories of Sensitive Data that May Be Processed: None
Applicable SCCs Module: Module 2; Module 3, if Microsoft acts as a Processor to another Controller
Supplier collects or
Microsoft
Location data
Data related to
Module 1
receives Personal
is a
IP address
Children
Data as a
Controller.
Controller/Third
Supplier is
Device preferences &
Genetic data
Party.
a
personalization
Biometric data
Controller/
Service usage for
Health data
Third
Party.
websites, webpage
click tracking
Racial or ethnic origin
Political opinions
Social media data,
social graph
relationships
Religious or
philosophical beliefs
Activity data from
connected
devices such as
fitness monitors
Contact data such as
name, address,
phone number, email
address, date of
birth, dependent and
emergency contacts
Fraud and risk
assessment,
background check
Insurance, pension,
benefit detail
Trade union
membership
A natural person’s
sex life or sexual
orientation
Immigration
status (visa, work
authorization etc.)
Government
Identifiers
(passport; driver’s
license; visa; social
security numbers;
national identity
numbers)
Candidate resumes,
interview
notes/feedback
Metadata and
telemetry
Payment instrument
data
Credit card no. &
expiration date
Bank routing
information
Bank account number
Credit requests Line
of credit
Tax documents and
identifiers
Investment data
Corporate cards
Expense data
Azure tenant, M365
tenant
Xbox Live, OneDrive
Consumer
Customer originated
support ticket
Billing data
e-commerce data
Event registration
Training
Globally Unique
Identifier (GUID)
Passport User ID or
Unique Identifier
(PUID)
Hashed End-User
Identifiable
Information (EUII)
Session IDs
Device IDs
Diagnostic Data
Log Data
Subprocessors
Supplier uses the Subprocessors listed in a statement of work or written agreement signed by the parties’ authorized
representatives when it acts as a Processor.
Information for International Transfers
Frequency of Transfer
Continuous for all Personal Data.
Retention Periods
As Controllers, the parties retain Personal Data for as long as they have a business purpose for it or for the longest
time allowable by applicable law.
As a Processor, Supplier retains Personal Data it collects or receives from Microsoft for the duration of the PO Terms and
consistent with its obligations in this Exhibit.
For the purpose of the Standard Contractual Clauses:
Clause 7: The parties do not adopt the optional docking clause.
Clause 9, Module 2(a), if applicable: The parties select Option 1. The time period is 30 days.
Clause 9, Module 3(a), if applicable: The parties select Option 1. The time period is 30 days.
Clause 11(a): The parties do not select the independent dispute resolution option.
Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Republic of Ireland.
Clause 18: The parties agree that the forum is the High Court in Dublin, Ireland.
Annex I(A): The data exporter is the Data Exporter (defined above) and the data importer is the Data Importer
(defined above).
Annex I(B): The parties agree that Schedule 1 describes the transfer.
Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.
Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable
to the transfer.
For the purpose of localizing the Standard Contractual Clauses:
Switzerland
o The parties adopt the GDPR standard for all data transfers.
o Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the
Federal Data Protection and Information Commissioner and, concurrently, the EEA member state
authority identified above.
o Clause 17: The parties agree that the governing jurisdiction is Republic of Ireland.
o Clause 18: The parties agree that the forum is the High Court in Dublin, Ireland. The parties agree to
interpret the Standard Contractual Clauses so that Data Subjects in Switzerland are able to sue for
their rights in Switzerland in accordance with Clause 18(c).
o The parties agree to interpret the Standard Contractual Clauses so that “Data Subjects” includes
information about Swiss legal entities until the revised Federal Act on Data Protection becomes
operative.
United Kingdom
o “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard
Contractual Clauses issued by the UK’s Information Commissioner’s Office under S119A(1) Data
Protection Act 2018, as modified by the Information Commissioner’s office from time to time, available
at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
o For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the
parties hereby incorporate the UK SCC Addendum by reference and, by signing this DPA, also enter
into and agree to be bound by the Mandatory Clauses of the UK SCC Addendum.
o The parties agree that the following information is relevant to Tables 1-4 of the UK SCC Addendum and that by
changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in
the UK SCC Addendum).
Table 1: The parties’ details, key contacts, data subject contacts, and signatures are in the signature block of
the DPA.
Table 2: The selected SCCs, Modules and Selected Clauses are described in Schedule 1.
Table 3: The list of parties, description of transfer, and list of sub-processors are described in Schedule 1. The
Technical and Organizational measures to ensure the security of the data are described in Schedule 2.
Table 4: Neither party may end the UK SCC Addendum when the Approved Addendum changes.
o Clause 17 of the Standard Contractual Clauses: The parties agree that the governing jurisdiction is the United
Kingdom.
o Clause 18 of the Standard Contractual Clauses: The parties agree that the forum is the courts of England and Wales.
The parties agree that Data Subjects may bring legal proceedings against either party in the courts of any country in
the United Kingdom.
Schedule 2: Technical and Organizational Security Measures
Supplier will comply with Microsoft’s DPR as agreed in Section 15(a) of the PO Terms.