Overview of security and compliance in Yammer

Yammer Enterprise administrative tools help you protect your Yammer data and comply with legal and regulatory standards.

For information about policies, tools, and best practices for all of Office 365, see Overview of security and compliance in Office 365.

Yammer Enterprise offers admins security and compliance tools that are not part of the free Yammer Basic. Items marked with an asterisk (*) are not available in Yammer Basic. The Security FAQ section of this article describes security, privacy, and business continuity features that apply to both Yammer Basic and Yammer Enterprise.

Security Admin Features

| Task | How To |
| --- | --- |
| Set password policies and logical firewalls | Manage Yammer security settings* |
| Manage users | Add, block, or remove Yammer users*; Enforce Office 365 identity for Yammer users* |
| Manage device access | Log a user off a device*; Manage Yammer with Microsoft Intune* |
| Use multiple levels of admin roles | Manage Yammer admins* |
| Control external network access | Manage Yammer security settings* |
| Track changes to users, groups, | Track Yammer Events in the Office 365 Audit log and with the Management Activity API* |

Compliance Admin Features

| Task | How To |
| --- | --- |
| Set up a usage policy | Set up a Yammer usage policy* |
| Control data retention policies, discovery | Manage Yammer data compliance* |
| Monitor keywords | Monitor Keywords* |
| Export data | Export data from Yammer* |
| Prevent specific data from being sent to external participants | Control external messaging in a Yammer network with Exchange Transport Rules* |
| Keep content appropriate and intervene if necessary | Manage Yammer data compliance*; Monitor private content in Yammer (Verified Admins)* |

Security FAQ

Q: Who can access the Yammer network?

A: Only users with a valid and verified company email address can join your Yammer network. Yammer has functionality to create external networks to collaborate securely with third parties.

Q: Where is the data hosted?

A: Yammer data is hosted in Microsoft-managed datacenters. See Where is your data located to find the datacenters for the country in which your company is located. Yammer is operated out of Microsoft's global network of datacenters with 24/7/365 video surveillance, biometric and PIN-based locks, strict personnel access controls, and detailed visitor entry logs.

Q: What is Yammer’s privacy policy? How do you treat my data?

A: Our privacy policy is publicly available as part of the Microsoft Online Services Privacy Statement.

Q: What is Yammer's security policy?

A: Yammer is included in the Office 365 Trust Center.

Q: Who has access to the data?

A: Only employees with a legitimate business need can access customer data, and all access is on an approval‐only basis. All access is logged and regularly audited.

Q: Is the data encrypted?

A: All data in transit into and out of the production environment is encrypted at all times. Communication with Yammer is over HTTPS (TLS 1.2 supported) regardless of user endpoint (web, desktop app, mobile app, API). In addition to being encrypted in transit, Yammer data is encrypted at rest with 256-bit AES encryption.

Q: What is Yammer’s architecture?

A: Yammer's architecture is driven by the needs of an Enterprise Social Network (ESN). An ESN is successful only if users adopt and engage with the platform. As such, Yammer is architected and developed in a way to support adoption and engagement, allowing rapid iterations of technology.

Yammer is a set of loosely coupled components connected by APIs. These are developed and released independently using a variety of best-in-class code and technologies. Yammer is available only as a public cloud, SaaS, multitenant architecture. We use a data-driven, rapidly iterating development approach to measure the success of the platform using the key metrics of end-user engagement and adoption.

Q: Who owns the data posted in the Yammer network?

A: Data posted into a free Yammer Basic network is owned by the individuals posting that data. Those users are the data controllers for their content. Under Yammer Enterprise, the company is the data controller, and ownership of all data transfers to the company. Yammer is a data processor and has no rights to any content or responsibilities for the data posted within a Yammer network.

Q: Do you comply with the data protection act in my country?

A: It is the data controller's responsibility to comply with the data protection legislation that affects them. Yammer has controls in place to facilitate data controllers' (individuals and companies) compliance with their data protection legislation.

Q: Can we perform an on‐site visit or audit of your facilities?

A: Yammer does not permit customers to perform on‐site audits. With over 200,000 customers, this is not feasible, and it is also a risk to the security of the service. We will answer any security questions openly and transparently.

Q: Do you conduct third‐party audits or testing?

A: Penetration tests of the Yammer infrastructure are conducted yearly as part of Office 365.

Q: How is data separated from other customers?

A: Yammer is a true multi-tenant model. As such, customers’ data is logically separated with strict controls to ensure separation of tenant data. The web application servers of Yammer are physically and logically separated from servers that store customer data.

Q: What is the difference between the security of an enterprise social network and Facebook?

A: Your Yammer network is private to your company. Only users with a valid and verified email address for your company can join your Yammer network. Yammer was built from the ground up as an Enterprise Social Network with security built‐in at every level and a high degree of control available as well as integration with corporate security systems such as Active Directory and single sign-on.

Q: What is the difference between security of Yammer Basic and Yammer Enterprise?

A: The underlying security of both is identical. Yammer Enterprise brings more administrative control and provides the ability to integrate with other systems (e.g. Active Directory, Active Directory Federation Services, SharePoint, Microsoft Dynamics CRM, Salesforce).

For details of the security-related administrative controls available in Yammer Enterprise, see the tables at the beginning of this article.

Q: Does Yammer sell our data?

A: No. Yammer does not mine or sell any customer data. All data belongs to the customer (either the user or the organization, dependent on the Yammer version in use).

Q: Can I export all my data?

A: In Yammer Enterprise, verified admins can export messages and uploaded files, along with their metadata. The data export can also include any content that has been deleted, if the Soft Delete data retention option has been configured.

Q: What are Yammer's business continuity features?

A: Your data is backed up multiple times a day and protected with strong encryption on disk. Backups are transferred off-site over SSH and properly deleted after six months.

Q: Is Yammer covered under the materials in the Office 365 Trust Center?

A: Yes, it is. See Office 365 Trust Center.

Q: Is Yammer security independently verified?

A: Yes. ISO 27001 is the global standard in information security. Independent auditors have verified that Yammer meets the rigorous set of physical, logical, process, and management controls defined by the ISO 27001 standard.

Yammer participates in the Microsoft Online Services Bug Bounty, which allows thousands of security researchers to test Yammer and help make our products even safer for users.

User Management FAQs

Q: Can I enforce multifactor authentication?

A: Yes, for Yammer Enterprise, if you enforce Office 365 identity in Yammer. For more information, see Set up multi-factor authentication for Office 365 users and Enforce Office 365 identity for Yammer users.

Q: How do I manage Yammer on mobile devices?

A: Yammer is available for all major mobile platforms, including Windows Phone, iPhone, iPad, and Android. Users can install the Yammer application from their respective app store.

Yammer Enterprise offers session management capabilities so that a user or administrator can end any Yammer session on any device if required.

Yammer Enterprise devices can be managed with Microsoft Intune. For more information, see Manage Yammer with Microsoft Intune.

Q: How can I manage my users?

A: Only users with a valid and verified company email address can join your Yammer network.

In a free Yammer Basic network, users can invite their colleagues with the same email address suffix to collaborate. Users can also suspend other users from having access to the Yammer network.

In Yammer Enterprise, administrators can provision and remove users in bulk using a .csv file. They can also synchronize with Azure Active Directory to automatically add users who are not already on Yammer and to remove users from Yammer if their Active Directory account is disabled or deleted.

For more information, see Manage Yammer users across their lifecycle from Office 365 and Bulk Update Users.

Q: How can users without email addresses access Yammer?

A: Yammer works with many large organizations where it is important to hear the voice of all workers, including those without email addresses. In this case, Yammer can grant these users access based on a unique identifier.

See Also

Yammer - Admin Help

Manage Yammer security settings

Manage Yammer data compliance
