The Confidentiality Agreement You Can Request

When a formal audit begins, there is a strong pull to be cooperative, to hand over what is asked and keep the relationship smooth. Cooperation is wise. Handing over sensitive data with no terms around how it is used is not. Before any information leaves your estate, you are entitled to ask the auditor and Microsoft for confidentiality and scope terms in writing. This is not an act of hostility. It is normal commercial hygiene, and a competent auditor will expect it.

Why this matters

A formal audit runs through a third party accounting firm under the audit clause in the Microsoft Business and Services Agreement. That firm will request deployment records, configuration data, customer information, and usage logs. Much of this is commercially sensitive. Some of it may touch obligations you owe your own customers and regulators. Once it leaves your control, you want clear, written limits on how it is stored, who sees it, how long it is kept, and what it can be used for.

What to ask for

A confidentiality and scope arrangement around an audit usually covers the following. Treat this as a starting checklist, not legal advice, and involve your own counsel.

• Purpose limitation. The data is used only to assess your licensing position, and for nothing else, not sales targeting and not unrelated programs.
• Access controls. A named, limited set of people at the auditor may see the data, and Microsoft sees conclusions rather than your raw underlying records where possible.
• Storage and security. Where the data lives, how it is protected, and the standard the auditor is held to.
• Retention and destruction. The data is returned or destroyed at the end of the engagement, with confirmation in writing.
• Scope boundaries. Which entities, products, regions, and time periods are in scope, so the request cannot quietly expand.
• Handling of third party data. How customer and partner information that appears in your records is protected, which matters especially if you have your own confidentiality obligations.

Scope is part of confidentiality

People think of a confidentiality agreement as being about secrecy, but in an audit it is also about boundaries. An open ended data request is an open ended audit. By pinning scope, which entities, which products, which time period, you keep the exercise contained. The auditor has broad authority under the clause, but broad is not unlimited, and a defined scope is a reasonable thing to agree at the start.

How to make the request

1. Make it early. Raise terms during scoping, before the first data request is answered, not after data has already moved.
2. Make it in writing. A friendly verbal assurance is not a term. Get the arrangement documented.
3. Make it through one channel. Name a single point of contact so the conversation is consistent and nothing is agreed by accident in a side thread.
4. Involve counsel. Confidentiality and scope terms are legal instruments. Your general counsel or external advisers should review them.

What to do if the answer is no

A reasonable auditor will engage on reasonable terms. If you meet resistance to basic confidentiality and scope provisions, that itself is information. It is a signal to slow down, document the exchange, and get buyer side advice before any sensitive data moves. You can be fully cooperative and still insist that cooperation happens under terms. The two are not in tension.

The bottom line

Asking for confidentiality and scope terms in writing before data leaves your estate is standard, reasonable, and protective. It keeps the audit contained, safeguards sensitive information, and signals from the start that you are running a controlled, buyer side process. If you want help framing the request or reviewing what the auditor proposes, book a strategy call.