Supplier Privacy & Assurance Standards (SSPA)
Microsoft believes that security and privacy are critical to its mission and requires their suppliers who handle confidential data to meet a strict set of standards. If you’re doing business with Microsoft and processing Personal Data or Microsoft Confidential Data in the performance of your service, you will need to enroll in Microsoft’s Supplier Privacy & Assurance Standards (SSPA) program. As a supplier, you will need to understand a set of Data Protection Requirements (DPR), attest to the DPR, and gain independent assurance by completing an assessment against the DPR.
Microsoft’s DPR sets out the following requirements in ten domains.
- Each applicable agreement between Microsoft and the supplier contains privacy and security data protection language with respect to Microsoft Confidential and Personal Data.
- Assign responsibility and accountability for compliance with the DPR to a designated person or group within the company.
- Establish, maintain, and perform annual privacy and security training for employees that will have access to Personal Data processed by supplier in connection with Performance or Microsoft Confidential Data.
- Process Microsoft Personal Data only in accordance with Microsoft's documented instructions.
- The supplier must use the Microsoft Privacy Statement when collecting Personal Data on Microsoft’s behalf, and the privacy notice must be obvious and available to Data Subjects to help them decide whether to submit their Personal Data to the supplier.
- When collecting Microsoft Personal Data via a live or recorded voice call, supplier must be prepared to discuss the applicable data collection, handling, use, and retention practices with Data Subjects
Choice and Consent:
- Where supplier relies upon consent as its legal basis for Processing data, the supplier must obtain and record a Data Subject’s consent for all of its Processing activities prior to collecting that Data Subject’s Personal Data
- Monitor the collection of Microsoft Personal and/or Confidential Data to ensure that the only data collected is that required to Perform.
- If the supplier collects Personal Data from third parties on behalf of Microsoft, the supplier must validate that the third-party data protection policies and practices are consistent with the supplier’s contract with Microsoft and the DPR.
- Document the necessity of collecting Microsoft Personal Data in a contract BEFORE collecting Microsoft Personal Data through the installation or utilization of executable software on a Data Subject’s device.
- Document the necessity of collecting Sensitive Microsoft Personal Data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation) in a contract BEFORE collecting that data
- Ensure that Microsoft Personal and Confidential Data is retained for no longer than necessary to Perform unless continued retention of the Microsoft Personal and/or Confidential Data is required by Law.
- Ensure that, at Microsoft’s sole discretion, Microsoft Personal and Confidential Data in the supplier’s possession or under its control is returned to Microsoft or destroyed upon completion of Performance or upon Microsoft’s request.
- Microsoft dictates a set of requirements each supplier must fulfill when a Data Subject seeks to exercise their rights under the Law in respect of their Microsoft Personal Data.
Disclosure to Third Parties:
- This section outlines a set of requirements suppliers must fulfill if the supplier intends to use a subcontractor to Process Microsoft Personal Data or Confidential Data.
- The supplier must maintain the integrity of all Microsoft Personal Data, ensuring it remains accurate, complete and relevant for the stated purposes for which it was Processed.
Monitoring and Enforcement:
- Microsoft requires each supplier to have an incident response plan that requires Supplier to notify Microsoft without undue delay upon becoming aware of a Data Breach or security vulnerability related to the supplier’s handling of Microsoft’s Personal or Confidential Data.
- Not issue any press release or any other public notice that relates to a Data Breach involving Microsoft Personal or Confidential Data without getting Microsoft approval, unless expressed by Law.
- Implement a remediation plan and monitor the resolution of Data Breaches and vulnerabilities related to Microsoft Personal or Confidential Data to ensure that appropriate corrective action is taken on a timely basis.
- The supplier must establish, implement, and maintain an information security program that includes policies and procedures, to protect and keep secure Microsoft Personal and Confidential Data in accordance with good industry practice and as required by Law.
- The supplier’s security program must meet a certain standard set by Microsoft.
For more details on the requirements, download the DPR from Microsoft’s site.
Hyperproof Makes SSPA Compliance Simple
Starter framework for meeting requirements outlined in the DPR
Quickly collect evidence to document your efforts towards SSPA compliance
Reuse evidence across multiple frameworks and controls
Ability to map a control to multiple regulatory standards. Reduce time to compliance for all regulations that matter to your business
Keep your compliance project on track with project management tools within Hyperproof