Microsoft 365 Defender @ U of T

Notice of Data Collection

The Microsoft 365 Defender Extended Detection and Response (XDR) Security Platform will use University of Toronto data to provide only the security services University of Toronto has chosen to use. University of Toronto is the Data Controller, and Microsoft is the Data Processor. Microsoft treats all University of Toronto data collected through the use of the services with the same level of protection that it does information under GDPR. Microsoft has provided the University of Toronto access to independent audit reports of their compliance with privacy, confidentiality, and security standards, which in turn offers support for meeting our own privacy, confidentiality, and security obligations.

With state-of-the-art encryption, Microsoft’s platform protects the University of Toronto’s data both at rest and in transit. Their encryption protocols erect barriers against unauthorized access to the data, including two or more independent encryption layers to protect against compromises of any one layer.

Microsoft 365 Defender operates in Microsoft Azure data centers in the European Union, the United Kingdom, and the United States. University of Toronto data collected by Microsoft 365 Defender is stored at rest in the European Union. Pseudonymized data derived from customer data might also be stored in central storage and processing systems in the United States.

The security platform collects and processes information to help protect the University of Toronto. This information includes file data (including file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs, domains, URLs, and ports), device details (such as device identifiers, names, and the operating system version), Windows Server Active Directory authentication data including network activity related to that entity, and Azure Active Directory authentication data. Files processed by Microsoft 365 Defender are not retained after analysis unless they are malicious or have been marked for collection by University of Toronto staff as part of a security incident.

How Microsoft uses data to improve the service:

  • Troubleshoot: Troubleshooting for preventing, detecting, and repairing problems affecting operations of services
  • Feature Improvement: Ongoing improvement of features including increasing reliability and protection of services and data
  • Personalized customer experience: Data is used to provide personalized improvements and better customer experiences

How University of Toronto uses Microsoft 365 Defender data:

  • Proactively identify indicators of attack (IOAs) within University of Toronto
  • Generate alerts if a possible attack is detected
  • Provide University of Toronto security operations with a view into entities related to threat signals from our network, enabling us to investigate and explore the presence of security threats on the network



Last updated: September 14, 2021