About SSPA

What is the Supplier Security and Privacy Assurance (SSPA) Program?

The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft's data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data and/or Microsoft Confidential Data.

SSPA drives compliance to these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data and/or Microsoft Confidential Data, they will partner with their business sponsor to enroll in the SSPA Program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.

When is a supplier in scope for SSPA?

The scope of the Supplier Security and Privacy Assurance Program covers all suppliers globally that process Personal Data or Microsoft Confidential Data in connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services), under the terms of its contract with Microsoft (e.g., Purchase Order terms, Master agreement) (“Perform”, “Performing” or “Performance”).

For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions section of the Supplier Data Protection Requirements (DPR), located below on this page. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.


SSPA Program Guide, Supplier Data Protection Requirements (DPR), and Preferred Assessors List

Learn more about the SSPA Program through the Program Guide and explore the DPR to understand requirements for Personal Data and/or Microsoft Confidential Data. The current versions are available below in multiple languages; these documents are refreshed annually in November.

Need help? Search the FAQs for answers to common questions, or if you can’t find what you’re looking for, contact support to receive assistance.


Microsoft Supplier Compliance Portal | Program scope | Data Protection Requirements (DPR) | Independent Assessment | Subprocessor | Incident Management

Use the username and password you received from microsoft@aravo.com to log in for the first time:

  • You must change your password on the first login.
  • You will have the option to change your username after the first login.

Note: Your username is initially autogenerated and does not default to your email address. Type the username and/or password rather than copying and pasting them, to avoid copying a trailing space, which will result in a failed login.

Go to the Microsoft Supplier Compliance Portal login page and select Need help accessing your account? for assistance.

 

Trouble signing in? If you have your username and password but the Microsoft Supplier Compliance Portal is not accepting them, try the following:

  1. Type the username and/or password instead of copying and pasting. It is common to copy the space at the end of the username and/or password, which will result in a failed login.
  2. Validate that you are not using credentials for another portal, such as Microsoft Payment Central (these are two unique sets of credentials).

If you haven't received your username or password via email, try the following:

  1. Check your junk mail folders for emails from microsoft@aravo.com. Look for one email with your username and one with your password.
  2. If you don’t have the emails on hand, go to the Microsoft Supplier Compliance Portal login page and select “Need help accessing your account?”

Note: The Microsoft Accounts Payable contact for your company is set as the default administrator of the Microsoft Supplier Compliance Portal account. The administrator can add additional users. You can also request that the administrator be changed as needed.

 

If you have five failed login attempts using incorrect credentials, your login account is locked for five minutes. After five minutes, your login account is automatically unlocked, and you can log in with the correct credentials.

Note: If your login account does not automatically unlock after ten minutes, send an email to SSPAHelp@microsoft.com for assistance.

The Microsoft Accounts Payable contact is set as the default administrator of the Microsoft Supplier Compliance Portal account upon SSPA enrollment. The administrator can add additional users or request that the administrator be changed by following the directions below.

  1. Log in to the Microsoft Supplier Compliance Portal
  2. From the defaulted Home tab, select Administration under your username dropdown menu in the top right navigation
  3. Select the Add New button
  4. Fill out all required fields marked with an asterisk (*)
    Important: Make sure to check the Login Access box in order for the new user to receive an email with login credentials.
  5. Under the Supplier Contact Types section, associate the new user to one of the listed contact types
    Note: You can assign the new user as an Administrator to enable them to create new users, edit credentials, or lock their account. To do so, use any of the check boxes on the right-hand side.
  6. Select Save. The new user will receive an email with login credentials and a temporary password which will need to be reset upon login.

TIPS:

If the new user has not received their username or password via email, try the following:

  1. Check your junk mail folders for emails from microsoft@aravo.com. Look for one email with your username and one with your password.
  2. If you don’t have the emails on hand, go to the Microsoft Supplier Compliance Portal login page and select Need help accessing your account?

Access to the tool can be set to expire after a certain number of days.

 

The current users listed against the account can be viewed by selecting the Support Contacts button under the Contact Information on the Home tab in the Microsoft Supplier Compliance Portal.

Upon initial enrollment, a supplier data processing profile is required by SSPA to set appropriate compliance activity. It allows suppliers to decide which engagements they want to be eligible to Perform. Pay careful attention to the selections and consider the compliance activity that must be completed to achieve the approval. For more details visit the SSPA Data Processing Profile section of the SSPA Program Guide located above on this page.

 

Updating an existing profile: After initial enrollment, suppliers are able to update their data processing profile at any time during the year if there are no open tasks.

Important:

  • When a change is made, the corresponding activity will be issued and must be completed before the approval is secured. If the newly issued tasks are not completed within the 90-day time period allowed, the SSPA status will turn to Red (non-compliant) and the account will be at risk of being deactivated from the Microsoft Accounts Payable systems.
  • If you start a profile update before the annual renewal but decide not to make any changes, the system will still execute the corresponding requirements which will need to be completed again.

Steps to update an existing profile prior to your anniversary/renewal date:

  1. Log into the Microsoft Supplier Compliance Portal 
  2. Select the SSPA Data Processing Profile Actions button
  3. Review your current SSPA Data Processing Profile and determine if an update is required 
    IMPORTANT: Once the profile update is started, all activity must be completed for the new profile to take effect. If tasks remain outstanding for longer than 90 days, your SSPA Status will turn Red (non-compliant).
  4. To proceed, scroll to the bottom, choose the acknowledgement box and then select Submit to acknowledge you have reviewed your profile and wish to make a change.
  5. The Supplier Profile page will display; scroll down to the Profile Details section
  6. Complete all required fields, and select Next
  7. On the Review & Submit page, select Save & Send Updates to complete your profile update
  8. Return to your dashboard on the homepage to review and complete newly added SSPA tasks

SSPA communications are sent from the two email addresses listed below. To avoid missing SSPA-related communications, add these as trusted email addresses and/or check your junk mail folders.

  1. microsoft@aravo.com: These are communications sent from the Microsoft Supplier Compliance Portal
  2. sspahelp@microsoft.com: These are assisted support communications sent from the SSPA Service Desk

If your account is SSPA Red (non-compliant), visit the Microsoft Supplier Compliance Portal to view and complete outstanding tasks.

 

Need assistance with outstanding tasks? Review the SSPA Program Guide located above or check out our other FAQ tabs.

If you still need assistance after reviewing our resources, contact SSPA. Include:

  1. Your supplier account number
  2. Company name
  3. Details about specific issues you need help with


Resources