OneDrive for Business, Teams and SharePoint online are all a part of Office 365; a Microsoft cloud based storage solution. The data is stored off-campus in a non-university owned data center.  The University of Iowa has an agreement with Microsoft that protects data in the following manner, making it safe for sensitive data:

• The University has a signed Business Associate's Agreement (BAA) with Microsoft to reasonably safeguard personal data against inappropriate use and or disclosure. All production Office 365 services fall under this agreement.
• There is system wide auditing turned on OneDrive for Business which allows administrators to audit activity.
• Files are encrypted both at rest (in OneDrive storage) and in transit (between your workstation and the cloud). 

What services are not covered under the BAA agreement?

• Preview services
• Third-party integrations (plug-in's, connectors and add-in's) are not covered.  An example would be connecting your Google Drive to a Teams site and moving the data to Google Drive.  The BAA no longer applies because the data left Microsoft's platform.
• Once something is shared externally, either from OneDrive or SharePoint, the data is no longer considered secure because it has left Microsoft's platform.  OneDrive and SharePoint allow you to restrict downloading of Office files when sharing. 

Contact your IT support person or the ITS Help Desk for further information.