SSPA: Supplier Security & Privacy Assurance Program
Sets privacy and security requirements for Microsoft suppliers and drives compliance to these requirements.
What is the Supplier Security and Privacy Assurance (SSPA) Program?
The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft's data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data and/or Microsoft Confidential Data.
SSPA drives compliance to these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data and/or Microsoft Confidential Data, they will partner with their business sponsor to enroll in the SSPA Program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.
When is a supplier in scope for SSPA?
The scope of the Supplier Security and Privacy Assurance Program covers all suppliers globally that process Personal Data or Microsoft Confidential Data in connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services), under the terms of its contract with Microsoft (e.g., Purchase Order terms, Master agreement) (“Perform”, “Performing” or “Performance”).
For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions section of the Supplier Data Protection Requirements (DPR), located below on this page. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.
FAQs
The scope of the SSPA program covers all suppliers globally that process Personal Data and/or Microsoft Confidential Data.
For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions sections of the Data Protection Requirement (DPR) located above. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.
The SSPA Program can help with determining whether engagements with supplier companies requires SSPA management. Business owners can also seek guidance from division risk experts (Privacy) and the SSPA team.
If the supplier is processing Personal Data and/or Microsoft Confidential Data under the terms of their contract, the Microsoft business owner(s) will start the process to enroll a supplier in the SSPA program.
Yes, every enrolled SSPA supplier account number must be compliant to SSPA when processing Personal Data and/or Microsoft Confidential Data. Each account is managed at the supplier account number level. Hence, the SSPA Program can’t apply compliance across multiple accounts.
If you believe your company has redundant supplier account numbers, please work with Microsoft business owner to determine if those accounts can’t be closed out. Once the determination has been made, please reach out to Microsoft Accounts Payable using the Payment Central tool to close the redundant accounts.
SSPA uses the supplier account number to establish a data processing profile that reflects the activity taking place against the account. To stay SSPA compliant, companies must complete compliance activities including filling out your supplier profile and self-attesting to the Data Protection Requirements (DPR) at least annually.
Suppliers will be able to update their data processing profile at any time during the year if there are no open tasks. When a change is made, the corresponding activity will be issued and must be completed before the approval is secured.
Important: If you start a data processing profile update before the annual renewal, but decide not to make any changes, the system will still execute the corresponding requirements which will need to be completed again.
For more details on the SSPA Process Steps, review the SSPA Annual Process Steps Diagram in the SSPA Program Guide, which is located above.
Resources
Privacy Fundamentals 101 training
We need data to innovate. Customers will only give us their data if they trust us. That’s why we have to get privacy and security right.
Privacy at Microsoft
It’s our mission to empower every person and every organization on the planet to achieve more. We are doing this by building an intelligent cloud, reinventing productivity and business processes and making computing more personal. In all of this, we will maintain the timeless value of privacy and preserve the ability for you to control your data.
Microsoft Trust Center
The future is in the Trusted Cloud. We built our Trusted Cloud on four foundational principles: security, privacy, compliance, and transparency.
Microsoft Privacy Statement
Your privacy is important to us. This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.