Strong privacy and security practices are critical to our mission, essential to customer trust, and required by law in several jurisdictions. The standards captured in Microsoft’s privacy and security policies reflect our values as a company, and extend to suppliers who handle Microsoft data on our behalf.

Supplier Security and Privacy Assurance (SSPA) is Microsoft’s corporate program to deliver Microsoft’s data processing instructions to our suppliers in the form of the Microsoft Supplier Data Protection Requirements (DPR). SSPA drives compliance with these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Microsoft Personal and/or Confidential data, they will partner with their business sponsor to enroll in the SSPA program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.

The DPR includes a requirement to provide privacy and security awareness training. Companies may download this training storyboard outline to customize for their own purposes. Microsoft provides privacy awareness materials for informational purposes only. Nothing in this material is intended to reflect Microsoft’s internal policies or privacy programs, or to provide legal advice to the recipient. If the recipient uses these materials for its own internal purposes, such use should be in consultation with the recipient’s privacy compliance experts and legal counsel.

Microsoft Supplier Data Protection Requirements (DPR), SSPA Program Guide, and Preferred Assessors List

Explore the DPR to understand requirements for Microsoft Personal and/or Confidential data and learn more about the SSPA program through the program guide. The current DPR is available below in multiple languages; these documents are refreshed annually in November.

 
