Guide to Supplier Privacy & Assurance Standards (SSPA)
What Is Supplier Privacy & Assurance Standards (SSPA)?
Microsoft believes that security and privacy are critical to its mission and requires its suppliers who handle confidential data to meet a strict set of standards. If you are doing business with Microsoft and processing Personal Data or Microsoft Confidential Data in the performance of your service, you will need to enroll in Microsoft’s Supplier Privacy & Assurance Standards (SSPA) program. As a supplier, you will need to understand a set of Data Protection Requirements (DPR), attest to the DPR, and gain independent assurance by completing an assessment against the DPR.
Microsoft’s DPR sets out the following requirements in ten domains.
Management:
- Each applicable agreement between Microsoft and the supplier contains privacy and security data protection language with respect to Microsoft Confidential and Personal Data.
- Assign responsibility and accountability for compliance with the DPR to a designated person or group within the company.
- Establish, maintain, and perform annual privacy and security training for employees who will have access to Personal Data processed by the supplier in connection with Performance, or to Microsoft Confidential Data.
- Process Microsoft Personal Data only in accordance with Microsoft’s documented instructions.
Notice:
- The supplier must use the Microsoft Privacy Statement when collecting Personal Data on Microsoft’s behalf, and the privacy notice must be obvious and available to Data Subjects to help them decide whether to submit their Personal Data to the supplier.
- When collecting Microsoft Personal Data via a live or recorded voice call, the supplier must be prepared to discuss the applicable data collection, handling, use, and retention practices with Data Subjects.
Choice and Consent:
- Where the supplier relies upon consent as its legal basis for Processing data, the supplier must obtain and record a Data Subject’s consent for all of its Processing activities prior to collecting that Data Subject’s Personal Data.
- Provide Data Subjects with transparent notice and choice regarding the use of cookies.
Collection:
- Monitor the collection of Microsoft Personal and/or Confidential Data to ensure that the only data collected is that required to Perform.
- If the supplier collects Personal Data from third parties on behalf of Microsoft, the supplier must validate that the third-party data protection policies and practices are consistent with the supplier’s contract with Microsoft and the DPR.
- Document the necessity of collecting Microsoft Personal Data in a contract BEFORE collecting Microsoft Personal Data through the installation or utilization of executable software on a Data Subject’s device.
- Document the necessity of collecting Sensitive Microsoft Personal Data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation) in a contract BEFORE collecting that data.
Retention:
- Ensure that Microsoft Personal and Confidential Data is retained for no longer than necessary to Perform unless continued retention of the Microsoft Personal and/or Confidential Data is required by Law.
- Ensure that, at Microsoft’s sole discretion, Microsoft Personal and Confidential Data in the supplier’s possession or under its control is returned to Microsoft or destroyed upon completion of Performance or upon Microsoft’s request.
Data Subjects:
- Microsoft dictates a set of requirements each supplier must fulfill when a Data Subject seeks to exercise their rights under the Law with respect to their Microsoft Personal Data.
Disclosure to Third Parties:
- This section outlines a set of requirements suppliers must fulfill if the supplier intends to use a subcontractor to Process Microsoft Personal Data or Confidential Data.
Quality:
- The supplier must maintain the integrity of all Microsoft Personal Data, ensuring it remains accurate, complete and relevant for the stated purposes for which it was Processed.
Monitoring and Enforcement:
- Microsoft requires each supplier to have an incident response plan that requires the supplier to notify Microsoft without undue delay upon becoming aware of a Data Breach or security vulnerability related to the supplier’s handling of Microsoft’s Personal or Confidential Data.
- Do not issue any press release or other public notice that relates to a Data Breach involving Microsoft Personal or Confidential Data without obtaining Microsoft’s approval, unless otherwise required by Law.
- Implement a remediation plan and monitor the resolution of Data Breaches and vulnerabilities related to Microsoft Personal or Confidential Data to ensure that appropriate corrective action is taken on a timely basis.
Security:
- The supplier must establish, implement, and maintain an information security program, including policies and procedures, to protect and keep secure Microsoft Personal and Confidential Data in accordance with good industry practice and as required by Law.
- The supplier’s security program must meet a certain standard set by Microsoft.
For more details on the requirements, download the DPR from Microsoft’s site.
Impacted Companies
Suppliers that process Personal Data or Microsoft Confidential Data.
SSPA: Frequently Asked Questions
The Supplier Privacy & Assurance Standards (SSPA) program is designed to ensure that suppliers handling Microsoft customer, partner, or employee data adhere to stringent privacy and data protection requirements. The scope of SSPA includes all suppliers that process, store, or transmit personal data on behalf of Microsoft. This encompasses a wide range of activities, from data processing and storage to data analytics and IT services. The program’s scope extends globally, applying to all suppliers regardless of their geographic location, ensuring consistent data protection standards across Microsoft’s global supply chain.
SSPA requirements are a comprehensive set of controls and practices that suppliers must follow to protect the privacy and security of personal data. These requirements include:
- Data Protection Requirements (DPR): Suppliers must comply with Microsoft’s specific data protection requirements, which align with global privacy laws and regulations.
- Compliance with relevant laws: Suppliers must adhere to all applicable privacy and data protection laws, such as GDPR, CCPA, and other regional regulations.
- Security controls: Suppliers must implement robust security measures, including encryption, access controls, and regular security assessments, to protect data from unauthorized access and breaches.
- Data handling practices: Proper data handling, storage, and disposal practices must be followed to ensure the integrity and confidentiality of personal data.
- Incident management: Suppliers must have an incident response plan in place to promptly address and report any data breaches or security incidents.
The Microsoft Data Protection Requirements (DPR) are a set of guidelines that suppliers must follow to ensure the protection of personal data. The DPR includes specific provisions related to:
- Data minimization: Suppliers must only collect and process data that is necessary for the agreed-upon services.
- Data retention: Personal data must only be retained for as long as necessary to fulfill the purposes for which it was collected, after which it must be securely deleted or anonymized.
- Data subject rights: Suppliers must support Microsoft in fulfilling data subject rights requests, such as access, correction, deletion, and portability of personal data.
- Security measures: Suppliers are required to implement industry-standard security measures to protect data, including encryption, secure data transmission, and access controls.
- Third-party subcontractors: If suppliers engage subcontractors to process data on their behalf, they must ensure that these subcontractors also comply with the DPR.
Several factors can affect SSPA compliance, including:
- Nature of data processed: The type of personal data being processed (e.g., sensitive personal data) may require additional protections and controls.
- Geographic location: Different regions have varying privacy laws and regulations, which may affect how SSPA requirements are implemented.
- Supplier’s security maturity: Suppliers with mature security and privacy practices may find it easier to comply with SSPA requirements, while those with less developed programs may need to make significant changes.
- Regulatory changes: Updates to global privacy laws and regulations can impact the SSPA requirements and necessitate adjustments to compliance practices.
- Technological changes: Advancements in technology, such as the adoption of cloud services or AI, may introduce new risks and necessitate updates to SSPA compliance strategies.
An SSPA assessment is an evaluation conducted to determine whether a supplier is compliant with the SSPA requirements. The assessment involves a thorough review of the supplier’s privacy and security practices, including their adherence to the Microsoft Data Protection Requirements (DPR). The assessment process may include:
- Self-assessments: Suppliers may be required to complete a self-assessment questionnaire to evaluate their compliance with SSPA standards.
- Documentation review: Microsoft may request documentation from suppliers, such as security policies, data handling procedures, and incident response plans.
- Onsite audits: In some cases, Microsoft may conduct onsite audits to verify compliance with SSPA requirements.
- Remediation plans: If gaps are identified during the assessment, suppliers may need to implement remediation plans to address non-compliance issues.
SSPA compliance applies to all suppliers that process, store, or transmit personal data on behalf of Microsoft. This includes both direct suppliers who provide services directly to Microsoft and indirect suppliers who may be subcontracted by a direct supplier. SSPA compliance is mandatory for any supplier involved in handling Microsoft’s customer, partner, or employee data, regardless of the supplier’s size or location.
While a formal audit is not always required, Microsoft may choose to conduct audits of suppliers to verify compliance with SSPA requirements. These audits may be initiated based on the level of risk associated with the supplier’s data processing activities, past compliance performance, or other factors. In many cases, suppliers may be required to undergo periodic assessments or provide documentation to demonstrate ongoing compliance with SSPA standards. Formal audits are typically more rigorous and may involve onsite inspections, interviews, and detailed reviews of security practices.
SSPA compliance offers several benefits to suppliers, including:
- Trusted partnership: By complying with SSPA, suppliers demonstrate their commitment to protecting Microsoft’s data, fostering trust and strengthening their partnership with Microsoft.
- Regulatory alignment: SSPA compliance helps suppliers align with global privacy and data protection regulations, reducing the risk of legal penalties and fines.
- Competitive advantage: Suppliers that meet SSPA requirements may gain a competitive edge in the marketplace, as they are recognized for their robust data protection practices.
- Risk mitigation: Compliance with SSPA standards reduces the risk of data breaches and security incidents, protecting the supplier’s reputation and financial stability.
- Continuous improvement: The SSPA program encourages suppliers to continuously improve their privacy and security practices, ensuring they remain up-to-date with evolving standards and threats.
While SSPA compliance is mandatory for suppliers handling Microsoft’s data, there may be acceptable alternatives or supplementary standards that can demonstrate similar levels of data protection. These may include:
- ISO/IEC 27001 certification: Suppliers with ISO/IEC 27001 certification may be recognized for their adherence to international information security standards.
- SOC 2® Type II report: A SOC 2® Type II report may be accepted as evidence of a supplier’s compliance with security and privacy controls.
- Other industry certifications: Depending on the nature of the services provided, other industry-specific certifications or standards, such as GDPR compliance, may be considered.
- Custom agreements: In some cases, Microsoft may agree to a custom set of privacy and security requirements that meet or exceed SSPA standards.
These alternatives must be evaluated and approved by Microsoft to ensure they provide equivalent protection to the SSPA requirements.
Hyperproof Makes SSPA Compliance Simple
- Starter framework for meeting the requirements outlined in the DPR.
- Quickly collect evidence to document your efforts towards SSPA compliance.
- Reuse evidence across multiple frameworks and controls.
- Map a control to multiple regulatory standards, reducing time to compliance for all regulations that matter to your business.
- Keep your compliance project on track with the project management tools within Hyperproof.