SSPA: Supplier Security & Privacy Assurance Program
Sets privacy and security requirements for Microsoft suppliers and drives compliance with those requirements.
What is the Supplier Security and Privacy Assurance (SSPA) Program?
The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft's data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data and/or Microsoft Confidential Data.
SSPA drives compliance with these requirements through an annual compliance cycle; for new suppliers, work cannot start until this cycle is complete. A supplier that processes Personal Data and/or Microsoft Confidential Data partners with its business sponsor to enroll in the SSPA Program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.
When is a supplier in scope for SSPA?
The scope of the Supplier Security and Privacy Assurance Program covers all suppliers globally that process Personal Data or Microsoft Confidential Data in connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services), under the terms of its contract with Microsoft (e.g., Purchase Order terms, Master agreement) (“Perform”, “Performing” or “Performance”).
For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions section of the Supplier Data Protection Requirements (DPR), located below on this page. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.
FAQs
Suppliers that process higher-risk data may also need to provide independent verification of compliance with the Data Protection Requirements (DPR).
The scope of the assessment engagement is limited to Personal Data and/or Microsoft Confidential Data Processed (e.g., collected, used, retained, or disclosed) as part of the performance per the terms of the supplier’s purchase order, contract, or statement of work with Microsoft.
The scope of the engagement is limited to those business segments and/or geographic locations that Process Personal Data and/or Microsoft Confidential Data. The letter of attestation must include the list of locations included in the assessment.
For more details, visit the Independent Assessment Requirement section of the SSPA Program Guide which can be downloaded above.
Your SSPA data processing profile includes selections considered higher risk to Microsoft. Please review the SSPA Program Guide (located above) which indicates the compliance requirements of different profile combinations so that your company makes an informed decision when setting the profile.
To satisfy the Independent Assessment requirement, select an independent assessor to assess your company’s compliance against the Data Protection Requirements (DPR). The assessor must provide an unqualified letter of attestation to the SSPA. For more details on how to approach this requirement, visit the Independent Assessment Requirement section of the SSPA Program Guide located above.
Yes, if they meet our requirements. SSPA will accept industry certifications where they provide coverage for the standards contained in the DPR.
Your assessor must meet one of the following:
- Assessors must be affiliated with the International Federation of Accountants (IFAC) or the American Institute of Certified Public Accountants (AICPA); or
- Assessors must possess certifications from other relevant privacy and security organizations, such as the International Association of Privacy Professionals (IAPP) or the Information Systems Audit and Control Association (ISACA).
Note: Each supplier is responsible for paying the assessment cost.
Download a copy of the SSPA Program Guide, DPR, and Preferred Assessors List above.
The document submitted by the supplier to the SSPA program must take the form of an unqualified letter of attestation.
The assessor must use the most current Data Protection Requirements (DPR) which includes the Evidence Required to support each requirement. You will need to provide your approved DPR attestation to the assessor.
In the case of a newly enrolled supplier, the assessor will test the design of the controls.
Letters of attestation can be rejected for a variety of reasons. The most common reason is that information or scope within the assessment is incomplete. If your letter was rejected, log in to the Microsoft Supplier Compliance Portal and review the audit documentation to address the specific comments from the SSPA team.
For step-by-step assistance using the Microsoft Supplier Compliance Portal, select Quick Reference Guide from the Welcome screen.
The system will not display the option to upload documentation while an extension is being requested.
To view the option to upload and submit your documentation, follow these steps:
- Open the Independent Assessment task on the dashboard
- For the question "Do you need to request an extension?", change the radio button from "Yes" to "No". The option to upload your documentation and submit it for review will then appear.
Independent Assessments (and all other compliance actions) must be completed within 90 days of the anniversary date.
Suppliers can request a one-time 90-day extension for the Independent Assessment via the Microsoft Supplier Compliance Portal (MSCP).
Supplier steps to request an extension:
- Log in to your account in the Microsoft Supplier Compliance Portal
- Forgot your username or password for the MSCP? Select "Need help accessing your account?" for assistance
- Open the Independent Assessment task on the dashboard
- Answer "Yes" to the question "Do you need to request an extension?"
- Select the Add a new Extension button that appears
- Enter the requested date and justification into the Reason for Request field
- Select OK to add the request
- Select Next
- Then select Save and Send Updates
Once the above steps are completed, a request is sent to the SSPA Service Desk for review. The task will not appear on the home page while the request is under review.
Note: These requests are reviewed on a case-by-case basis and must be submitted separately for each account number.
Resources
Privacy Fundamentals 101 training
We need data to innovate. Customers will only give us their data if they trust us. That’s why we have to get privacy and security right.
Privacy at Microsoft
It’s our mission to empower every person and every organization on the planet to achieve more. We are doing this by building an intelligent cloud, reinventing productivity and business processes and making computing more personal. In all of this, we will maintain the timeless value of privacy and preserve the ability for you to control your data.
Microsoft Trust Center
The future is in the Trusted Cloud. We built our Trusted Cloud on four foundational principles: security, privacy, compliance, and transparency.
Microsoft Privacy Statement
Your privacy is important to us. This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.