SSPA: Supplier Security & Privacy Assurance Program

Use the username and password you received from microsoft@aravo.com to log in for the first time:

• You must change your password on the first log in
• You will have the option to change your username after the first log in

Note: Your username is initially autogenerated and does not default to your email address. Type username and/or password rather than copy/paste to avoid copying a space at the end which will result in a failed login.

Go to the Microsoft Supplier Compliance Portal login page and select Need help accessing your account? for assistance.

Trouble signing in? If you have your username and password but the Microsoft Supplier Compliance Portal is not accepting them, try the following:

1. Type the username and/or password instead of copy and paste. It is common to copy the space at the end of the username and/or password which will result in a failed login.
2. Validate you are not using credentials for another portal, such as Microsoft Payment Central (as these are two unique sets of credentials)

If you haven't received your username or password via email try the following:

1. Check your junk mail folders for emails from microsoft@aravo.com. Look for one email with your username and one with your password.
2. If you don’t have the emails on hand, go to the Microsoft Supplier Compliance Portal login page and select “Need help accessing your account?”

Note: The Microsoft Accounts Payable contact for your company is set as the default administrator of the Microsoft Supplier Compliance Portal account. The administrator can add additional users. You can also request that the administrator be changed as needed.

If you have five failed login attempts using incorrect credentials your login account is locked for five minutes. After five minutes your login account is automatically unlocked, and you can log in with correct credentials.

Note: If your login account does not automatically unlock after ten minutes, send an email to SSPAHelp@microsoft.com for assistance.

The Microsoft Accounts Payable contact is set as the default administrator of the Microsoft Supplier Compliance Portal account upon SSPA enrollment. The administrator can add additional users or request that the administrator be changed by following the directions below.

1. Login to the Microsoft Supplier Compliance Portal
2. From the defaulted Home tab, select Administration under your username dropdown menu in the top right navigation
3. Select the Add New button
4. Fill out all required fields marked with an asterisk (*)
   Important: Make sure to check the Login Access box in order for the new user to receive an email with login credentials**
5. Under the Supplier Contact Types section, associate the new user to one of the listed contact types 
   Note: You can assign the new user as an Administrator to enable them to create new users, edit credentials, or lock their account. To do so, use any of the check boxes on the right-hand side.
6. Select Save. The new user will receive an email with login credentials and a temporary password which will need to be reset upon login.

TIPS:

If the new user has not received their username or password via email, try the following:

1. Check your junk mail folders for emails from microsoft@aravo.com. Look for one email with your username and one with your password.
2. If you don’t have the emails on hand, go to the Microsoft Supplier Compliance Portal login page and select Need help accessing your account?

Access to the tool can be set to expire after a certain number of days.

The current users listed against the account can be viewed by selecting the Support Contacts button under the Contact Information on the Home tab in the Microsoft Supplier Compliance Portal.

Upon initial enrollment, a supplier data processing profile is required by SSPA to set appropriate compliance activity. It allows suppliers to decide which engagements they want to be eligible to Perform. Pay careful attention to the selections and consider the compliance activity that must be completed to achieve the approval. For more details visit the SSPA Data Processing Profile section of the SSPA Program Guide located above on this page.

Updating an existing profile: After initial enrollment, suppliers are able to update their data processing profile at any time during the year if there are no open tasks.

Important:

• When a change is made, the corresponding activity will be issued and must be completed before the approval is secured. If the newly issued tasks are not completed within the 90-day time period allowed, the SSPA status will turn to Red (non-compliant) and the account will be at risk of being deactivated from the Microsoft Accounts Payable systems.
• If you start a profile update before the annual renewal but decide not to make any changes, the system will still execute the corresponding requirements which will need to be completed again.

Steps to update an existing profile prior to your anniversary/renewal date:

1. Log into the Microsoft Supplier Compliance Portal 
2. Select the SSPA Data Processing Profile Actions button
3. Review your current SSPA Data Processing Profile and determine if an update is required 
   IMPORTANT: Once the profile update is started, all activity must be completed for the new profile to take effect. If tasks remain outstanding for longer than 90 days, your SSPA Status will turn Red (non-compliant)
4. To proceed, scroll to the bottom, choose the acknowledgement box and then select Submit to acknowledge you have reviewed your profile and wish to make a change.
5. The Supplier Profile page will display, scroll down to the Profile Details section
6. Complete all required fields, and select Next
7. On the Review & Submit page, select Save & Send Updates to complete your profile update
8. Return to your dashboard on the homepage to review and complete newly added SSPA tasks

SSPA communications are sent from two communications email addresses listed below. To avoid missing SSPA related communications, make the above trusted email addresses and/or check your junk mail folders.

1. microsoft@aravo.com: These are communications sent from the Microsoft Supplier Compliance Portal
2. sspahelp@microsoft.com: These are assisted support communications sent from the SSPA Service Desk

If your account is SSPA Red (non-compliant), visit the Microsoft Supplier Compliance Portal to view and complete outstanding tasks.

Need assistance with outstanding tasks? Review the SSPA Program Guide located above or check out our other FAQs tabs.

If you still need assistance after reviewing our resources, contact SSPA. Include:

1. Your supplier account number
2. Company name
3. Details about specific issues you need help with

The scope of the SSPA program covers all suppliers globally that process Personal Data and/or Microsoft Confidential Data.

For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions sections of the Data Protection Requirement (DPR) located above. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.

The SSPA Program can help with determining whether engagements with supplier companies requires SSPA management. Business owners can also seek guidance from division risk experts (Privacy) and the SSPA team.

If the supplier is processing Personal Data and/or Microsoft Confidential Data under the terms of their contract, the Microsoft business owner(s) will start the process to enroll a supplier in the SSPA program.

Yes, every enrolled SSPA supplier account number must be compliant to SSPA when processing Personal Data and/or Microsoft Confidential Data. Each account is managed at the supplier account number level. Hence, the SSPA Program can’t apply compliance across multiple accounts.

If you believe your company has redundant supplier account numbers, please work with Microsoft business owner to determine if those accounts can’t be closed out. Once the determination has been made, please reach out to Microsoft Accounts Payable using the Payment Central tool to close the redundant accounts.

SSPA uses the supplier account number to establish a data processing profile that reflects the activity taking place against the account. To stay SSPA compliant, companies must complete compliance activities including filling out your supplier profile and self-attesting to the Data Protection Requirements (DPR) at least annually.

Suppliers will be able to update their data processing profile at any time during the year if there are no open tasks. When a change is made, the corresponding activity will be issued and must be completed before the approval is secured.

Important: If you start a data processing profile update before the annual renewal, but decide not to make any changes, the system will still execute the corresponding requirements which will need to be completed again.

For more details on the SSPA Process Steps, review the SSPA Annual Process Steps Diagram in the SSPA Program Guide, which is located above.

The Data Protection Requirements (DPR) outline SSPA program privacy and security requirements each supplier must meet to be compliant.

Supplier companies are expected to respond to all applicable requirements presented. Your data processing profile determines whether the full DPR is issued or if a subset of requirements applies. For more details, see the opening paragraph of the Data Protection Requirements.

Download the Data Protection Requirements (DPR) above.

Once the Supplier Profile as been completed, the Authorized Representative* can log onto the Microsoft Supplier Compliance Portal and follow these steps to complete the DPR self-attestation:

1. From the Home tab, select the DPR Attestation hyperlink
2. The Data Protection Requirement Attestation page will be displayed
3. After carefully reading the page, select Next
4. You will need to select a response to each of the presented requirements. An asterisk (*) indicates a Required Field
5. Select a response from the dropdown menu to each DPR requirement until you complete the remainder of the DPR. For additional information regarding comments that may be required, review the first page of the DPR
   • If you select that your company is providing Software as a Service (SaaS) services or that you are processing payment cards on behalf of Microsoft, you will be asked to upload the relevant certifications
   • If you select any responses other than Compliant, you will be presented with a "Responses for Further Review" page to review your comments and selections
6. After completing all the DPR sections and uploading the relevant certifications, if applicable, the "Authorized Representative Attestation" page will be displayed. You will need to input the Name, Title, and Email of the authorized representative who completed the attestation
7. After adding the authorized representative information, select Next
8. The Review & Submit page will be displayed, review the information you provided
9. Select Save & Send Updates to complete the DPR

For step-by-step assistance using the Microsoft Supplier Compliance Portal (MSCP), select Quick Reference Guide from the MSCP Welcome screen.

* An authorized representative is a person within the company that has the appropriate level of authority to sign on behalf of the company and has the requisite knowledge on the subject of privacy and security or has consulted with a subject matter expert prior to providing all responses. In addition, an authorized representative must read and fully understand Microsoft’s Data Protection Requirements.

The request to attest to the Data Protection Requirements (DPR) will be sent from Microsoft@aravo.com.

Avoid missing SSPA related communications, make Microsoft@aravo.com a trusted email address and/or check your junk mail folders.

The payment card industry (PCI) has established standards for companies to follow where credit cards are processed. Suppliers are to comply with these standards when securing this certification. SSPA does not offer advice on how to meet PCI standards.

We ask that you submit the certification that applies and meets PCI requirements. For more details on the purpose of the Payment Card Industry Data Security Standard (PCI DSS) requirement, visit the PCI DSS Certification Requirement section of the SSPA Program Guide located above.

Your company is in scope for the Software as a Service (SaaS) requirement if your company delivers software based on common code used in a one-to-many model on a pay-for-use basis or as a subscription based on use metrics. This is commonly known as Software as a Service (SaaS).

Suppliers that provide Software-as-a-Service to Microsoft and have a functional obligation in their contract to have an ISO27001 certification must provide a valid ISO 27001 certification with functional coverage of the software service managed by the supplier. Please note, SSPA is not expecting the third-party datacenter certification as in the past – we expect the ISO 27001 certification of the software service(s) provided to Microsoft and noted in your contract with Microsoft

The submission must be a file upload, we can’t accept internet links to online documents.

For additional information on the SaaS requirement, visit the SaaS Requirement section of the SSPA Program Guide which can be downloaded above.

Suppliers are a Data Subprocessor when Microsoft is the Data Processor, and the Customer is the Data Controller.

Subprocessors who process restricted and highly protected end-user personal data will need additional compliance requirements like the Independent Assessment (a third-party validation of their DPR). This occurs most often within or supporting Microsoft Enterprise or Commercial products and services or within large organizations like education.

Engagements with 3rd party suppliers for any of the Microsoft products or services with access to the protected end-user data are covered under the Microsoft Online Services, Commercial Support and Microsoft Industry Solutions, Microsoft FastTrack, PlayFab, or Minecraft EDU.

If a privacy or security incident occurs, suppliers must inform Microsoft as detailed in the Data Protection Requirements (DPR).

The incident can be reported by emailing Supplier Incident Report (suppir@microsoft.com).