Microsoft Supplier Security and Privacy Assurance (SSPA)

The Microsoft Supplier Security and Privacy Assurance program was designed to deliver data-handling instructions to the suppliers of Microsoft products. Microsoft suppliers who collect, store, or manage Microsoft personal and confidential data are required to complete this program before they start working with Microsoft.

Apr 17, 2026 - 10:02
Mar 19, 2026 - 17:26

Microsoft Supplier Security and Privacy Assurance ensures data confidentiality and supply chain security for Microsoft service suppliers and vendors who handle Microsoft internal and confidential information. The SSPA program ensures that suppliers adhere to contractual policies and privacy principles.

Vendors who want to work with Microsoft must comply with the SSPA program. Only suppliers who have completed SSPA can offer their business services to Microsoft; those who have not cannot. Supplier Security and Privacy Assurance gives customers confidence in the measures taken to keep their data safe, and that trust strengthens business relationships. Microsoft ensures that vendors follow the provided security guidelines appropriately and stay current with changes to the DPR.

Important Elements of SSPA

The Supplier Security and Privacy Assurance (SSPA) Program is a joint effort between Microsoft Procurement, Corporate, External and Legal Affairs, and Corporate Security to ensure that suppliers properly follow privacy and security guidelines.

DPR (Data Protection Requirements)

Microsoft Supplier Security and Privacy Assurance provides data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to Microsoft suppliers that handle Microsoft confidential data, personal information, and AI systems.

The DPR is a core component of the SSPA program, and compliance with it is mandatory to start or continue working with Microsoft. A supplier that fails to meet the 90-day DPR compliance window may be deactivated or removed from its Microsoft account.

The Data Protection Requirements are the requirements that specific parties to the contract must fulfill, such as privacy controls and security controls covering data loss prevention, vulnerability management, and access management. The applicable requirements are tailored to the risk category of the engagement: Low, Medium, or High business impact.

DPP (Data Processing Profile)

The DPP is a supplier-controlled profile within the Microsoft Supplier Compliance Portal in which vendors describe how they handle Microsoft data. It also declares the types of data processing, the location, and the technology being used. Based on these selections, suppliers are assigned specific operational tasks and compliance requirements.

Self-Attestation & Independent Assessment

Suppliers must demonstrate compliance through either an Independent Assessment or a Self-Attestation, depending on their service selections.

High-risk suppliers, meaning those processing sensitive data, are required to complete an independent audit validated by a qualified assessor.

All other suppliers must complete their self-assessment against the DPR within 90 days.

Compliance Category: Suppliers are assigned business tasks according to their risk level, which is divided into Low, Medium, and High impact.

Low Impact: Vendors handling no personal information require no further action beyond maintaining the annual compliance cycle.

Medium Impact: Medium business impact organizations must adhere to the Microsoft DPR and submit a self-certification within 90 days.

High Impact: All high business impact vendors must also adhere to the DPR. In addition, they must submit an independent assessment report approved by an authorized auditor within 90 days of MIP inventory submission.


SSPA Compliance Lifecycle Steps:

DPP Enrollment: Suppliers register in Microsoft's portal and describe their tasks and the compliance requirements that apply to them.

Self-Attestation with DPR: Suppliers that handle Microsoft confidential data must go through a self-attestation validated by an approved assessor.

Independent Assessment: All suppliers should complete their independent assessment within the given 90-day timeline.

Status Update: The SSPA team reviews the submitted reports and updates the supplier's status accordingly.

    Green Status: Fully compliant and eligible for new contracts.

    Red Status: Non-compliant and subject to deactivation.