Strong privacy and security practices are critical to our mission, essential to customer trust, and required by law in several jurisdictions. The standards captured in Microsoft’s privacy and security policies reflect our values as a company, and extend to suppliers who handle Microsoft data on our behalf.

Supplier Security and Privacy Assurance (SSPA) is Microsoft’s corporate program to deliver Microsoft’s data processing instructions to our suppliers in the form of the Microsoft Supplier Data Protection Requirements (DPR). SSPA drives compliance with these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data and/or Microsoft Confidential Data, they will partner with their business sponsor to enroll in the SSPA program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.

The DPR includes a requirement to provide privacy and security awareness training. Companies may download this training storyboard outline to customize for their own purposes. Microsoft provides privacy awareness materials for informational purposes only. Nothing in this material is intended to reflect Microsoft’s internal policies or privacy programs, or to provide legal advice to the recipient. If the recipient uses these materials for its own internal purposes, such use should be in consultation with the recipient’s privacy compliance experts and legal counsel.

Microsoft Supplier Data Protection Requirements (DPR), SSPA Program Guide, and Preferred Assessors List

Explore the DPR to understand requirements for Personal Data and/or Microsoft Confidential Data and learn more about the SSPA Program through the Program Guide. The current DPR is available below in multiple languages; these documents are refreshed annually in November.

 

Need help? Search the FAQs for answers to common questions. If you still need help after searching, contact support for assistance.


Forgot your username or password? Go to the Microsoft Supplier Compliance Portal login page and select Need help accessing your account? for assistance.

 

Trouble signing in? If you have your username and password but the Microsoft Supplier Compliance Portal is not accepting them, try the following:

  1. Type the username and/or password instead of copying and pasting. It is common to copy a space at the end of the username and/or password, which will result in a failed login.
  2. Validate that you are not using credentials for another portal, such as Microsoft Payment Central (these are two unique sets of credentials).

First-time user? Use the username and password you received from microsoft@aravo.com to log in for the first time:

  • You must change your password on first log in.

  • You will have the option to change your username after the first log in.

Note: Your username is initially autogenerated and does not default to your email address. Type the username and/or password rather than copying and pasting, to avoid copying a space at the end, which will result in a failed login.

 

If you haven't received your username or password via email try the following:

  1. Check your junk mail folders for emails from microsoft@aravo.com. Look for one email with your username and one with your password.
  2. If you don’t have the emails on hand, go to the Microsoft Supplier Compliance Portal login page and select “Need help accessing your account?”

Note: The Microsoft Accounts Payable contact for your company is set as the default administrator of the Microsoft Supplier Compliance Portal account. The administrator can add additional users. You can also request that the administrator be changed as needed.

Upon initial enrollment, a supplier data processing profile is required by SSPA to set appropriate compliance activity. It allows suppliers to decide which engagements they want to be eligible to perform. Pay careful attention to the selections and consider the compliance activity that must be completed to achieve the approval. For more details, visit the SSPA Data Processing Profile section of the SSPA Program Guide located on SSPA on Microsoft.com/procurement.

 

Updating an existing profile: After initial enrollment, suppliers are able to update their data processing profile at any time during the year if there are no open tasks.

 

Important:

  • When a change is made, the corresponding activity will be issued and must be completed before the approval is secured. If the newly issued tasks are not completed within the 90-day time period allowed, the SSPA status will turn to Red (non-compliant) and the account will be at risk of being deactivated from the Microsoft Accounts Payable systems.
  • If you start a profile update before the annual renewal but decide not to make any changes, the system will still execute the corresponding requirements which will need to be completed again.

Steps to update an existing profile prior to your anniversary/renewal date:

  1. Log into the Microsoft Supplier Compliance Portal

  2. Select the SSPA Data Processing Profile Actions button

  3. Review your current SSPA Data Processing Profile and determine if an update is required

    IMPORTANT: Once the profile update is started, all activity must be completed for the new profile to take effect. If tasks remain outstanding for longer than 90 days, your SSPA Status will turn Red (non-compliant).

  4. To proceed, scroll to the bottom, choose the acknowledgement box and then select Submit to acknowledge you have reviewed your profile and wish to make a change.

  5. The Supplier Profile page will display. Scroll down to the Profile Details section

  6. Complete all required fields, and select Next

  7. On the Review & Submit page, select Save & Send Updates to complete your profile update

  8. Return to your dashboard on the homepage to review and complete newly added SSPA tasks

The scope of the SSPA program covers all suppliers globally that process Personal Data and/or Microsoft Confidential Data. For definitions and examples of Personal Data and/or Microsoft Confidential Data, visit the Definitions and SSPA Program Overview & Scope sections of the SSPA Program Guide located on SSPA on Microsoft.com/procurement. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.

 

Microsoft business owner(s) will determine whether engagements with supplier companies require SSPA management. Business owners often seek out guidance from division risk experts and the SSPA team.

 

If the supplier is processing Personal Data and/or Microsoft Confidential Data under the terms of their contract, the Microsoft business owner(s) will start the process to enroll a supplier in the SSPA program.

If your account is SSPA Red (non-compliant), visit the Microsoft Supplier Compliance Portal to view and complete outstanding tasks.

 


Need assistance with outstanding tasks? Review the Data Protection Requirements section of the SSPA Program Guide located on SSPA on Microsoft.com/procurement.

 

If you still need assistance after reviewing our resources, contact SSPA. Include your supplier account number, company name, and details about specific issues you need help with.

The Authorized Representative should log in to the Microsoft Supplier Compliance Portal and follow these steps to complete the DPR self-attestation:

  1. From the “Home” tab, select the DPR Attestation hyperlink.
  2. The “Data Protection Requirement Attestation” page will be displayed.
  3. After carefully reading the page, select Next.
  4. You will need to select a response to each of the presented requirements. An asterisk (*) indicates a Required Field.
  5. Select a response from the dropdown menu to each DPR requirement until you complete the remainder of the DPR. For additional information regarding comments that may be required, review the first page of the DPR.
    1. If you selected that your company is providing Software as a Service (SaaS) services, or that you are processing payment cards on behalf of Microsoft, you will be asked to upload the relevant certifications.
    2. If you selected any responses other than Compliant, you will be presented with a "Responses for Further Review" page to review your comments and selections.
  6. After completing all the DPR sections and uploading the relevant certifications, if applicable, the "Authorized Representative Attestation" page will be displayed. You will need to input the Name, Title, and Email of the authorized representative who completed the attestation.
  7. After adding the authorized representative information, select Next.
  8. The “Review & Submit” page will be displayed. Review the information you provided.
  9. Select Save & Send Updates to complete the DPR.

For step-by-step assistance using the Microsoft Supplier Compliance Portal (MSCP), select Quick Reference Guide from the MSCP Welcome screen.

 



About the Microsoft Supplier Compliance Portal

The Microsoft Supplier Compliance Portal helps suppliers manage their compliance commitments to Microsoft. Through the portal, suppliers are able to:

  • View supplier SSPA status
  • Review upcoming due dates by clicking into a task 
  • Complete outstanding supplier actions, examples include:
    • Updating the supplier profile
    • Attesting to the DPR
    • Uploading an Independent Assessment
  • Individual users can update contact information
  • Admins can manage supplier passwords & contacts
  • View submitted supplier compliance information 
  • Report an incident involving handling of Microsoft personal or confidential data

Communications notice

Authentic emails from the Microsoft Supplier Compliance Portal will show Microsoft Supplier Compliance (Microsoft@aravo.com) as the sender.

First time using the Microsoft Supplier Compliance Portal?

A supplier beginning the SSPA enrollment process will receive three emails welcoming them to the program:

  • Email 1: SSPA enrollment email with a link to the Microsoft Supplier Compliance Portal
  • Email 2: Assignment of a username
  • Email 3: Assignment of a temporary password to be changed on the first log in