This is the Trace Id: 2631ef1431da9127a8ff6818fcc6aa60
Small conference meeting in an office.

SSPA: Supplier Security & Privacy Assurance Program

Sets privacy and security requirements for Microsoft suppliers and drives compliance to these requirements.

About SSPA

What is the Supplier Security and Privacy Assurance (SSPA) Program?

The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft's data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data, Microsoft Confidential Data, and AI Systems.

SSPA drives compliance to these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data, Microsoft Confidential Data, and/or use AI Systems they will partner with their business sponsor to enroll in the SSPA Program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.

When is a supplier in scope for SSPA?

The scope of the Supplier Security and Privacy Assurance Program covers all suppliers globally, that process Personal Data, Microsoft Confidential Data and/or use AI Systems in connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services), under the terms of its contract with Microsoft (e.g., Purchase Order terms, Master agreement).

For definitions and examples of Personal Data, Microsoft Confidential Data, and/or AI Systems visit the Definitions section of the Supplier Data Protection Requirements (DPR), located below on this page. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.

SSPA Program Guide, Supplier Data Protection Requirements (DPR), Independent Assessment Sample Report, and Preferred Assessors List

Learn more about the SSPA Program through the FY25 Program Guide and explore the DPR to understand the current requirements for Personal Data and/or Microsoft Confidential Data. Versions are available in multiple languages: English, French, Simplified Chinese, Japanese, Korean, and Spanish. Suppliers may use their own in-country translation service or utilize online translation tools for other languages.

Need help? Review the SSPA Program Guide and DPR. If you can’t find what you’re looking for, @SSPAHelp for assistance.

Resources

Illustration of a pencil and papers.

Privacy Fundamentals 101 training

We need data to innovate. Customers will only give us their data if they trust us. That’s why we have to get privacy and security right.
Download the training storyboard outline
Illustration of a lock and the cloud.

Privacy at Microsoft

It’s our mission to empower every person and every organization on the planet to achieve more. We are doing this by building an intelligent cloud, reinventing productivity and business processes and making computing more personal. In all of this, we will maintain the timeless value of privacy and preserve the ability for you to control your data.
Learn more
Illustration of a cloud and shield.

Microsoft Trust Center

The future is in the Trusted Cloud. We built our Trusted Cloud on four foundational principles: security, privacy, compliance, and transparency.
Learn more
Illustration of shield and padlock.

Microsoft Privacy Statement

Your privacy is important to us. This privacy statement explains the personal data Microsoft processes, how Microsoft processes it, and for what purposes.
Learn more

Follow Microsoft