The Language Firm  ·  The Vendor Language Brief  ·  No. 002  ·  The District Filing

The Vendor Language Brief  ·  Issue 002

What “72 Hours” Actually Commits Microsoft To in the Microsoft 365 Education Data Protection Addendum

Filed by J. Sharp  ·  The Language Firm  ·  Tuesday, May 5, 2026

Source: Microsoft Products and Services Data Protection Addendum, Security Incident Notification provisions, with the supporting public guidance at Microsoft Service Assurance, “Security incident management overview.”

Pulled: May 5, 2026 from aka.ms/DPA (April 2025 edition, current version September 2025) and learn.microsoft.com.

Document type: Cross-product Data Protection Addendum, processor-to-controller terms. Incorporated by reference into Microsoft 365 Education agreements through the Microsoft Customer Agreement or Enterprise Agreement.

If Microsoft becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, Professional Services Data, or Personal Data while processed by Microsoft (each a “Security Incident”), Microsoft will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

— DPA, Security Incident Notification

For each security breach that is a Security Incident, notification by Microsoft (as described in the “Security Incident Notification” section above) will be made without undue delay and, in any event, within 72 hours.

— DPA, Domain Practices, Incident Management

Microsoft notifies affected customers within 72 hours as outlined in the Data Protection Addendum (DPA). The notification timeline commitment begins when the official security incident declaration occurs.

— Microsoft Service Assurance, Security Incident Management Overview

This addendum sits underneath the majority of U.S. K-12 districts that operate on Microsoft 365 Education. Microsoft 365 Education is one of the two dominant productivity platforms in U.S. K-12 alongside Google Workspace for Education, examined in Issue 001. The two platforms together account for the vast majority of the contractual surface area covering student data in U.S. public schools.

Three findings, ranked by what a district should care about. After Issue 001 established the comparative baseline against the Google CDPA, this read applies the same method to a clause that, on first reading, looks meaningfully stronger.

Finding 01: The 72-hour clock is anchored to a moment Microsoft controls.

The Microsoft DPA contains what the Google CDPA does not: a number. “In any event, within 72 hours.” A reader comparing the two contracts side by side would conclude that Microsoft has committed to a stronger notification posture than Google. The conclusion would be partly correct and partly wrong, and the difference between the two halves is the finding.

The 72-hour clock does not begin at the occurrence of a Security Incident. It does not begin at Microsoft’s detection of suspicious activity. Microsoft’s own published guidance, on the same page that confirms the 72-hour commitment, states it explicitly: “The notification timeline commitment begins when the official security incident declaration occurs.” Declaration is an internal Microsoft process. The DPA places no contractual cap on the time between detection of a potential incident and the formal declaration that triggers the 72-hour clock.

The number 72 is real. The question of when 72 starts counting is open. A district that reads the DPA as “72 hours from breach” is reading a commitment the contract does not contain.

Finding 02: Notification can be lawfully withheld in circumstances Microsoft alone judges.

Microsoft’s GDPR Breach Notification page, in the Azure and Dynamics 365 subsection, describes how customer notices are delivered “in no more than 72 hours from the time we declared a breach except for the following circumstances: Microsoft believes the act of performing a notification increases the risk to other customers.” The exception is the operative interpretive guidance for how the 72-hour commitment is applied in practice, and the Azure subsection is where Microsoft cloud customers, including Microsoft 365 districts on the underlying cloud infrastructure, are directed to look for this guidance.

The exception is not unreasonable on its face. It may be appropriate in specific incidents. The forensic finding is structural: the determination of whether the exception applies is unilateral. The DPA does not specify a maximum period during which the withholding may continue, does not require Microsoft to disclose to the customer that information is being withheld, and does not commit Microsoft to a process by which the customer can challenge a withholding decision. The customer learns, only after the withholding ends, what was withheld and for how long, on a timeline Microsoft sets.

Finding 03: The notification fulfills the contract when sent, not when received.

The DPA’s notification commitment is satisfied when Microsoft sends notification to the administrative contact information the Customer is responsible for keeping current. The standard channel is email to addresses recorded in the Microsoft 365 tenant’s administrator profile. Microsoft’s own published documentation states the burden plainly: “To ensure that notification can be successfully delivered, customers must ensure that the administrative contact information on each applicable account, subscription, and online services portal is correct.”

A district whose tenant administrator is a person who left two years ago will see Microsoft fulfill its 72-hour commitment by sending notification to a stale address. Microsoft will have notified the customer. The district will not have been informed. The contractual obligation has been satisfied. The operational reality has not. The gap is borne by the district, and the contract makes the gap the district’s gap by writing, in advance, that the responsibility for current contact information is the customer’s.

If you are a superintendent or technology director at a district that uses Microsoft 365 Education, the addendum you signed is stronger than the equivalent Google addendum on the question of timing, and not stronger on three other questions that matter.

It is stronger because there is a number. 72 hours is a contractual floor that the Google CDPA does not have. Compared to GDPR Article 33 (also 72 hours, but capped at the awareness-to-notification window) and to the SDPC National Data Privacy Agreement (72 hours from confirmation), the Microsoft commitment is in the same family. That is the part of the contract that is genuinely stronger.

It is not stronger on three points. The clock is anchored to declaration, not to occurrence or detection, with no cap on the detection-to-declaration interval. Notification can be withheld, in Microsoft’s sole judgment, on a timeline Microsoft sets and without disclosure to the customer that withholding has occurred. And the contract treats notification as fulfilled at sending, with the burden of receivability shifted to the customer in advance. A district that planned its FERPA notification process around the Microsoft 72-hour figure has built that process on a number that begins to count at a moment Microsoft alone determines.

This matters under FERPA, COPPA, and state student data privacy laws because the district is the entity legally responsible for notifying parents when a notifiable event occurs. The district’s notification clock is set by state law, not by the addendum. Microsoft’s 72-hour commitment, even fully honored, can land the district inside or outside its state-law notification window depending on how long the detection-to-declaration interval ran and whether withholding was invoked. The district that does not know how long that interval can run does not know how exposed it is.

A note about Issues 001 and 002 read together. Both contracts use the same disclaimer that notification is not an acknowledgement of fault. Both contracts define the notifiable event as a breach of the vendor’s own security, narrowing the scope of incidents that activate the clause. Both contracts make the vendor’s internal awareness or declaration the trigger, not the underlying compromise. The two largest vendor agreements in U.S. K-12 share a structural pattern, and the pattern is older than either contract.

This brief is not legal advice. The Action Line is a starting point for a conversation with your district’s counsel, not a substitute for it.

The Action Line

This week, send one email to your Microsoft account representative with two questions.

First: “What is Microsoft’s committed maximum elapsed time, in hours, between the occurrence of a Security Incident affecting our tenant’s Customer Data and Microsoft’s internal declaration of that incident?”

Second: “Under the exception described in Microsoft’s GDPR Breach Notification page, where customer notification may be withheld if ‘Microsoft believes the act of performing a notification increases the risk to other customers,’ what is the maximum period during which Microsoft may withhold notification from our district, and is that period documented in our agreement?”

While you are waiting for the response, run a parallel internal action: have IT verify, in writing, the current Microsoft 365 tenant administrator contact and the date that contact was last confirmed. File all three records in your governance binder. The vendor’s response, the partial response, or the non-response is one piece of evidence. The internal contact verification is another. Both belong on file.
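The internal contact verification above, as an added example that is not part of the brief or of Microsoft's documentation: a PowerShell script using the Microsoft Graph PowerShell SDK (assumed installed, run by an account that can consent to Directory.Read.All) that records the tenant's notification contacts, flags Global Administrator accounts that are disabled or have no mailbox, and writes a dated record for the governance binder.

```powershell
# Added example (not from the brief): inventory the contacts Microsoft would notify and
# check the Global Administrator accounts for the kind of staleness Finding 03 describes.
# Assumes the Microsoft.Graph module is installed and Directory.Read.All can be consented to.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

$org = Get-MgOrganization
$report = [ordered]@{
    CheckedOn                           = (Get-Date).ToString("u")
    TenantDisplayName                   = $org.DisplayName
    TechnicalNotificationMails          = @($org.TechnicalNotificationMails)
    SecurityComplianceNotificationMails = @($org.SecurityComplianceNotificationMails)
    PrivacyContactEmail                 = $org.PrivacyProfile.ContactEmail
}

# Members of the Global Administrator role; only user objects carry a mailbox worth checking
$role   = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $m.Id -Property Id,DisplayName,UserPrincipalName,Mail,AccountEnabled
    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        Mail              = $u.Mail
        AccountEnabled    = $u.AccountEnabled
        # A disabled account or an account with no mailbox is a notification nobody will read
        Flag = if (-not $u.AccountEnabled) { 'DISABLED ACCOUNT' }
               elseif (-not $u.Mail)       { 'NO MAILBOX' }
               else                        { '' }
    }
}
$report.GlobalAdministrators = @($admins)

# Empty notification lists are flagged too: Microsoft cannot send to an address that is not set
$report.Warnings = @()
if (-not $report.TechnicalNotificationMails)          { $report.Warnings += 'No technical notification email is set' }
if (-not $report.SecurityComplianceNotificationMails) { $report.Warnings += 'No security/compliance notification email is set' }
$report.Warnings += @($admins | Where-Object Flag | ForEach-Object { "$($_.UserPrincipalName): $($_.Flag)" })

# Dated record for the governance binder, plus the warnings on screen
$report | ConvertTo-Json -Depth 4 | Set-Content -Path ".\m365-notification-contacts-$(Get-Date -Format yyyy-MM-dd).json"
$report.Warnings
```

The script reads directory data only and changes nothing in the tenant; the JSON file it writes is the written record the Action Line asks IT to produce.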

This brief uses the Forensic Read, a four-stage method (Read, Trace, Surface, Build) for analyzing the operative language of vendor agreements, privacy policies, and federal compliance documents. Stage 1 inventories modal verbs, agentless passives, and indefinite phrases. Stage 2 traces how those features distribute across the clause. Stage 3 surfaces what the distribution conceals or commits. Stage 4 builds the finding into action a named accountable human can take. The full method is at languagefirm.org/the-forensic-read.

The Vendor Language Brief is a free weekly publication of The Language Firm. It is not legal advice. Each issue performs a forensic read on one piece of vendor language used widely in K-12 or higher education. Issues are filed Tuesdays. Forthcoming archive: languagefirm.org/toolvault.

To cite this issue: Sharp, J. (May 5, 2026). “What ‘72 Hours’ Actually Commits Microsoft To.” The Vendor Language Brief, Issue 002. The Language Firm. languagefirm.org/toolvault.