Already a Microsoft supplier? Go to SupplierWeb!

SSPA: Supplier Security & Privacy Assurance Program

Sets privacy and security requirements for Microsoft suppliers and drives compliance to these requirements.

What is the Supplier Security and Privacy Assurance (SSPA) Program?

The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft's data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data and/or Microsoft Confidential Data.

SSPA drives compliance to these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data and/or Microsoft Confidential Data, they will partner with their business sponsor to enroll in the SSPA Program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.

When is a supplier in scope for SSPA?

The scope of the Supplier Security and Privacy Assurance Program covers all suppliers globally that process Personal Data or Microsoft Confidential Data in connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services), under the terms of its contract with Microsoft (e.g., Purchase Order terms, Master agreement) (“Perform”, “Performing” or “Performance”).

For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions section of the Supplier Data Protection Requirements (DPR), located below on this page. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.

SSPA Program Guide, Supplier Data Protection Requirements (DPR), and Preferred Assessors List

Learn more about the SSPA Program through the Program Guide and explore the DPR to understand requirements for Personal Data and/or Microsoft Confidential Data. The current versions are available below in multiple languages, these documents are refreshed annually in November. We will be reducing the language support to 6 languages: English, French, Simplified Chinese, Japanese, Korean, and Spanish. Suppliers may use their own in-country translation service or utilize online translation tools.

Need help? Search the FAQs for answers to common questions, or if you can’t find what you’re looking for, contact support to receive assistance.

SSPA Preferred Assessors List (English only)

FAQs

Microsoft Supplier Compliance Portal Program scope Data Protection Requirements (DPR) Independent Assessment Subprocessor Incident Management

Use the username and password you received from microsoft@aravo.com to log in for the first time:

You must change your password on the first log in
You will have the option to change your username after the first log in

Note: Your username is initially autogenerated and does not default to your email address. Type username and/or password rather than copy/paste to avoid copying a space at the end which will result in a failed login.

Go to the Microsoft Supplier Compliance Portal login page and select Need help accessing your account? for assistance.

Trouble signing in? If you have your username and password but the Microsoft Supplier Compliance Portal is not accepting them, try the following:

Type the username and/or password instead of copy and paste. It is common to copy the space at the end of the username and/or password which will result in a failed login.
Validate you are not using credentials for another portal, such as Microsoft Payment Central (as these are two unique sets of credentials)

If you haven't received your username or password via email try the following:

Check your junk mail folders for emails from microsoft@aravo.com. Look for one email with your username and one with your password.
If you don’t have the emails on hand, go to the Microsoft Supplier Compliance Portal login page and select “Need help accessing your account?”

Note: The Microsoft Accounts Payable contact for your company is set as the default administrator of the Microsoft Supplier Compliance Portal account. The administrator can add additional users. You can also request that the administrator be changed as needed.

If you have five failed login attempts using incorrect credentials your login account is locked for five minutes. After five minutes your login account is automatically unlocked, and you can log in with correct credentials.

Note: If your login account does not automatically unlock after ten minutes, send an email to SSPAHelp@microsoft.com for assistance.

The Microsoft Accounts Payable contact is set as the default administrator of the Microsoft Supplier Compliance Portal account upon SSPA enrollment. The administrator can add additional users or request that the administrator be changed by following the directions below.

Login to the Microsoft Supplier Compliance Portal
From the defaulted Home tab, select Administration under your username dropdown menu in the top right navigation
Select the Add New button
Fill out all required fields marked with an asterisk (*)
Important: Make sure to check the Login Access box in order for the new user to receive an email with login credentials**
Under the Supplier Contact Types section, associate the new user to one of the listed contact types
Note: You can assign the new user as an Administrator to enable them to create new users, edit credentials, or lock their account. To do so, use any of the check boxes on the right-hand side.
Select Save. The new user will receive an email with login credentials and a temporary password which will need to be reset upon login.

TIPS:

If the new user has not received their username or password via email, try the following:

Check your junk mail folders for emails from microsoft@aravo.com. Look for one email with your username and one with your password.
If you don’t have the emails on hand, go to the Microsoft Supplier Compliance Portal login page and select Need help accessing your account?

Access to the tool can be set to expire after a certain number of days.

The current users listed against the account can be viewed by selecting the Support Contacts button under the Contact Information on the Home tab in the Microsoft Supplier Compliance Portal.

Upon initial enrollment, a supplier data processing profile is required by SSPA to set appropriate compliance activity. It allows suppliers to decide which engagements they want to be eligible to Perform. Pay careful attention to the selections and consider the compliance activity that must be completed to achieve the approval. For more details visit the SSPA Data Processing Profile section of the SSPA Program Guide located above on this page.

Updating an existing profile: After initial enrollment, suppliers are able to update their data processing profile at any time during the year if there are no open tasks.

Important:

When a change is made, the corresponding activity will be issued and must be completed before the approval is secured. If the newly issued tasks are not completed within the 90-day time period allowed, the SSPA status will turn to Red (non-compliant) and the account will be at risk of being deactivated from the Microsoft Accounts Payable systems.
If you start a profile update before the annual renewal but decide not to make any changes, the system will still execute the corresponding requirements which will need to be completed again.

Steps to update an existing profile prior to your anniversary/renewal date:

Log into the Microsoft Supplier Compliance Portal
Select the SSPA Data Processing Profile Actions button
Review your current SSPA Data Processing Profile and determine if an update is required
IMPORTANT: Once the profile update is started, all activity must be completed for the new profile to take effect. If tasks remain outstanding for longer than 90 days, your SSPA Status will turn Red (non-compliant)
To proceed, scroll to the bottom, choose the acknowledgement box and then select Submit to acknowledge you have reviewed your profile and wish to make a change.
The Supplier Profile page will display, scroll down to the Profile Details section
Complete all required fields, and select Next
On the Review & Submit page, select Save & Send Updates to complete your profile update
Return to your dashboard on the homepage to review and complete newly added SSPA tasks

SSPA communications are sent from two communications email addresses listed below. To avoid missing SSPA related communications, make the above trusted email addresses and/or check your junk mail folders.

microsoft@aravo.com: These are communications sent from the Microsoft Supplier Compliance Portal
sspahelp@microsoft.com: These are assisted support communications sent from the SSPA Service Desk

If your account is SSPA Red (non-compliant), visit the Microsoft Supplier Compliance Portal to view and complete outstanding tasks.

Need assistance with outstanding tasks? Review the SSPA Program Guide located above or check out our other FAQs tabs.

If you still need assistance after reviewing our resources, contact SSPA. Include:

Your supplier account number
Company name
Details about specific issues you need help with

The scope of the SSPA program covers all suppliers globally that process Personal Data and/or Microsoft Confidential Data.

For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions sections of the Data Protection Requirement (DPR) located above. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.

The SSPA Program can help with determining whether engagements with supplier companies requires SSPA management. Business owners can also seek guidance from division risk experts (Privacy) and the SSPA team.

If the supplier is processing Personal Data and/or Microsoft Confidential Data under the terms of their contract, the Microsoft business owner(s) will start the process to enroll a supplier in the SSPA program.

Yes, every enrolled SSPA supplier account number must be compliant to SSPA when processing Personal Data and/or Microsoft Confidential Data. Each account is managed at the supplier account number level. Hence, the SSPA Program can’t apply compliance across multiple accounts.

If you believe your company has redundant supplier account numbers, please work with Microsoft business owner to determine if those accounts can’t be closed out. Once the determination has been made, please reach out to Microsoft Accounts Payable using the Payment Central tool to close the redundant accounts.

SSPA uses the supplier account number to establish a data processing profile that reflects the activity taking place against the account. To stay SSPA compliant, companies must complete compliance activities including filling out your supplier profile and self-attesting to the Data Protection Requirements (DPR) at least annually.

Suppliers will be able to update their data processing profile at any time during the year if there are no open tasks. When a change is made, the corresponding activity will be issued and must be completed before the approval is secured.

Important: If you start a data processing profile update before the annual renewal, but decide not to make any changes, the system will still execute the corresponding requirements which will need to be completed again.

For more details on the SSPA Process Steps, review the SSPA Annual Process Steps Diagram in the SSPA Program Guide, which is located above.

The Data Protection Requirements (DPR) outline SSPA program privacy and security requirements each supplier must meet to be compliant.

Supplier companies are expected to respond to all applicable requirements presented. Your data processing profile determines whether the full DPR is issued or if a subset of requirements applies. For more details, see the opening paragraph of the Data Protection Requirements.

Download the Data Protection Requirements (DPR) above.

Once the Supplier Profile as been completed, the Authorized Representative* can log onto the Microsoft Supplier Compliance Portal and follow these steps to complete the DPR self-attestation:

From the Home tab, select the DPR Attestation hyperlink
The Data Protection Requirement Attestation page will be displayed
After carefully reading the page, select Next
You will need to select a response to each of the presented requirements. An asterisk (*) indicates a Required Field
Select a response from the dropdown menu to each DPR requirement until you complete the remainder of the DPR. For additional information regarding comments that may be required, review the first page of the DPR
- If you select that your company is providing Software as a Service (SaaS) services or that you are processing payment cards on behalf of Microsoft, you will be asked to upload the relevant certifications
- If you select any responses other than Compliant, you will be presented with a "Responses for Further Review" page to review your comments and selections
After completing all the DPR sections and uploading the relevant certifications, if applicable, the "Authorized Representative Attestation" page will be displayed. You will need to input the Name, Title, and Email of the authorized representative who completed the attestation
After adding the authorized representative information, select Next
The Review & Submit page will be displayed, review the information you provided
Select Save & Send Updates to complete the DPR

For step-by-step assistance using the Microsoft Supplier Compliance Portal (MSCP), select Quick Reference Guide from the MSCP Welcome screen.

* An authorized representative is a person within the company that has the appropriate level of authority to sign on behalf of the company and has the requisite knowledge on the subject of privacy and security or has consulted with a subject matter expert prior to providing all responses. In addition, an authorized representative must read and fully understand Microsoft’s Data Protection Requirements.

The request to attest to the Data Protection Requirements (DPR) will be sent from Microsoft@aravo.com.

Avoid missing SSPA related communications, make Microsoft@aravo.com a trusted email address and/or check your junk mail folders.

The payment card industry (PCI) has established standards for companies to follow where credit cards are processed. Suppliers are to comply with these standards when securing this certification. SSPA does not offer advice on how to meet PCI standards.

We ask that you submit the certification that applies and meets PCI requirements. For more details on the purpose of the Payment Card Industry Data Security Standard (PCI DSS) requirement, visit the PCI DSS Certification Requirement section of the SSPA Program Guide located above.

Your company is in scope for the Software as a Service (SaaS) requirement if your company delivers software based on common code used in a one-to-many model on a pay-for-use basis or as a subscription based on use metrics. This is commonly known as Software as a Service (SaaS).

Suppliers that provide Software-as-a-Service to Microsoft and have a functional obligation in their contract to have an ISO27001 certification must provide a valid ISO 27001 certification with functional coverage of the software service managed by the supplier. Please note, SSPA is not expecting the third-party datacenter certification as in the past – we expect the ISO 27001 certification of the software service(s) provided to Microsoft and noted in your contract with Microsoft

The submission must be a file upload, we can’t accept internet links to online documents.

For additional information on the SaaS requirement, visit the SaaS Requirement section of the SSPA Program Guide which can be downloaded above.

Suppliers that process higher risk data may also need to provide independent verification of compliance to the Data Protection Requirements (DPR).

The scope of the assessment engagement is limited to Personal Data and/or Microsoft Confidential Data Processed (e.g., collected, used, retained, or disclosed) as part of the performance per the terms of the supplier’s purchase order, contract, or statement of work with Microsoft.

The scope of the engagement is limited to those business segments and/or geographic locations that Process Personal Data and/or Microsoft Confidential Data. The letter of attestation must include the list of locations included in the assessment.

For more details, visit the Independent Assessment Requirement section of the SSPA Program Guide which can be downloaded above.

Your SSPA data processing profile includes selections considered higher risk to Microsoft. Please review the SSPA Program Guide (located above) which indicates the compliance requirements of different profile combinations so that your company makes an informed decision when setting the profile.

To satisfy the Independent Assessment requirement, select an independent assessor to assess your company’s compliance against the Data Protection Requirements (DPR). The assessor must provide an unqualified letter of attestation to the SSPA. For more details on how to approach this requirement, visit the Independent Assessment Requirement section of the SSPA Program Guide located above.

Yes, if they met our industry requirement. SSPA will accept industry certifications where they provide coverage for the standards contained in the DPR.

Your assessor per that meets the following:

Assessors must be affiliated with the International Federation of Accountants (IFAC); or
The American Institute of Certified Public Accountants (AICPA), or must possess certifications from other relevant privacy and security organizations, such as the International Association of Privacy Professionals (IAPP) or the Information Systems Audit and Control Association (ISACA).

Note: Each supplier is responsible for paying the assessment cost.

Download a copy of the SSPA Program Guide, DPR, and Preferred Assessors List above.

The document submitted by the supplier to the SSPA program must take the form of an unqualified letter of attestation.

The assessor must use the most current Data Protection Requirements (DPR) which includes the Evidence Required to support each requirement. You will need to provide your approved DPR attestation to the assessor.

In the case of a newly enrolled supplier, the assessor will test the design of the controls.

Download a copy of the SSPA Program Guide, DPR, and Preferred Assessors List above.

Letters of attestation can be rejected for a variety of reasons. The most common reason is when information or scope within the assessment is incomplete. If your letter was rejected, log onto the Microsoft Supplier Compliance Portal, review the audit documentation to address the specific comments from the SSPA team to resolve.

For step-by-step assistance using the Microsoft Supplier Compliance Portal, select Quick Reference Guide from the Welcome screen.

The system will not display the option to upload documentation while an extension is being requested.

To view the option to upload and submit your documentation, follow these steps:

Open the Independent Assessment task on the dashboard
Change the radio button to the question Do you need to request an extension? from “Yes” to “No”. Then you can view the option to upload your documentations and submit for review.

For step-by-step assistance using the Microsoft Supplier Compliance Portal (MSCP), select Quick Reference Guide from the Welcome screen.

Independent Assessments (and all other compliance actions) must be completed within 90 days of the anniversary date.

Suppliers can request a one-time 90-day extension for the Independent Assessment via the Microsoft Supplier Compliance Portal (MSCP).

Supplier steps to request an extension:

Log into the account in the Microsoft Supplier Compliance Portal
- Forgot your username or password to the MSCP? Select Need help accessing your account? for assistance
Open the Independent Assessment task on the dashboard
Answer yes to the question: Do you need to request an extension?
Select the Add a new Extension button that appears
Enter the requested date and justification into the Reason for Request field
Select OK to add the request
Select Next
Then select Save and Send Updates

Once the above steps are completed a request will be sent to the SSPA Service Desk for review. The task will not appear on the home page during review.

Note: These requests are reviewed on a case-by-case basis and must be completed per account number.

For step-by-step assistance using the Microsoft Supplier Compliance Portal (MSCP), select Quick Reference Guide from the Welcome screen.

Suppliers are a Data Subprocessor when Microsoft is the Data Processor, and the Customer is the Data Controller.

Subprocessors who process restricted and highly protected end-user personal data will need additional compliance requirements like the Independent Assessment (a third-party validation of their DPR). This occurs most often within or supporting Microsoft Enterprise or Commercial products and services or within large organizations like education.

Engagements with 3rd party suppliers for any of the Microsoft products or services with access to the protected end-user data are covered under the Microsoft Online Services, Commercial Support and Microsoft Industry Solutions, Microsoft FastTrack, PlayFab, or Minecraft EDU.

If a privacy or security incident occurs, suppliers must inform Microsoft as detailed in the Data Protection Requirements (DPR).

The incident can be reported by emailing Supplier Incident Report (suppir@microsoft.com).

Resources

Privacy Fundamentals 101 training

We need data to innovate. Customers will only give us their data if they trust us. That’s why we have to get privacy and security right.

Download the training storyboard outline

Privacy at Microsoft

It’s our mission to empower every person and every organization on the planet to achieve more. We are doing this by building an intelligent cloud, reinventing productivity and business processes and making computing more personal. In all of this, we will maintain the timeless value of privacy and preserve the ability for you to control your data.

Learn more

Microsoft Trust Center

The future is in the Trusted Cloud. We built our Trusted Cloud on four foundational principles: security, privacy, compliance, and transparency.

Learn more

Microsoft Privacy Statement

Your privacy is important to us. This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Learn more

SSPA: Supplier Security & Privacy Assurance Program

About SSPA

What is the Supplier Security and Privacy Assurance (SSPA) Program?

When is a supplier in scope for SSPA?

SSPA Program Guide, Supplier Data Protection Requirements (DPR), and Preferred Assessors List

Resources

Privacy Fundamentals 101 training

Privacy at Microsoft

Microsoft Trust Center

Microsoft Privacy Statement