Office 365 data is stored in the Microsoft network of data centers, run by Microsoft Global Foundation Services and strategically located around the world.
These data centers are built from the ground up to protect services and data from harm by natural disaster or unauthorized access. Data center access is restricted 24 hours per day by job function so that only essential personnel have access to customer applications and services.
Physical access control uses multiple authentication and security processes, including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication.
The data centers are monitored using motion sensors, video surveillance, and security breach alarms. In case of a natural disaster, security also includes seismically braced racks where required and automated fire prevention and extinguishing systems.
Read more in this whitepaper “Security in Office 365 White Paper” – link