Supplier management overview
How does Microsoft manage risk related to suppliers?
Microsoft partners with third-party companies to help meet our customers' needs. These third-party companies are referred to as suppliers. Supplier security and privacy at Microsoft is governed by our Supplier Security and Privacy Assurance (SSPA) program, an enterprise-wide set of requirements for all suppliers who partner with Microsoft to deliver our online services. While the SSPA program provides comprehensive governance and management of our supplier base, individual business units may maintain additional requirements for their suppliers.
How does Microsoft's Supplier Security and Privacy Assurance (SSPA) Program protect customer data?
SSPA is a partnership between Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to ensure suppliers adhere to Microsoft's privacy and security principles. The scope of SSPA covers all suppliers that process Personal Data or Microsoft Confidential Data. The SSPA program enrollment includes adherence to Microsoft's Data Protection Requirements (DPR). The DPR consist of security and privacy controls that suppliers must implement before beginning contracted work with Microsoft. All enrolled suppliers self-attest to compliance with the DPR annually.
DPR requirements are scoped based on six distinct data processing categories a supplier can be approved for as part of their enrollment in SSPA. These categories are used to identify the risk associated with the services a supplier provides to Microsoft. The supplier's data processing profile determines which DPR controls are considered in-scope to provide appropriate data protection. Suppliers who process data that is considered a higher risk must comply with all DPR requirements and may also need to provide independent verification of compliance. Microsoft purchasing tools validate the SSPA status of all suppliers, including compliance with applicable portions of the DPR, prior to allowing the procurement of that supplier.
What types of subprocessors provide services for Microsoft?
A 'subprocessor' is a third party that Microsoft engages whose duties include processing Microsoft Personal Data for which Microsoft is a processor. Microsoft's subprocessors fall into three categories. Each must demonstrate compliance with the SSPA before they can process customer data on Microsoft's behalf.
- Technology subprocessors that power technologies that are seamlessly integrated with Microsoft online services and in part power the Microsoft cloud functions. If a customer deploys one of these services, the subprocessors identified for that service may process, store, or otherwise access Customer Data or Personal Data while helping to provide that service.
- Ancillary subprocessors that provide services to help support, operate, and maintain online services. In such cases, the subprocessors identified may process, store, or otherwise access Customer Data and Personal Data (consisting of pseudonymized personal identifiers) while providing their ancillary services.
- Contract Staff Organizations provide contract staff who work side by side with Microsoft full-time employees to operate, deliver, and maintain Microsoft Online Services. In all such cases, Customer Data or Personal Data resides only on Microsoft systems, and is subject to Microsoft policies and supervision.
Additionally, Microsoft data center infrastructure entities provide the datacenter infrastructure on which the Microsoft Online Services run. The data within datacenters is encrypted, and no personnel within the datacenters can access it.
Technology and Ancillary third-parties are required to implement access controls in compliance with Microsoft's Data Protection Requirements (DPR). These requirements meet or exceed the contractual commitments Microsoft makes to its customers in the Product Terms. Suppliers who perform contract staff work are subject to the same access controls in place for Microsoft full-time employees.
How does Microsoft onboard suppliers?
Third-party suppliers are required to sign a Microsoft Master Agreement as part of the onboarding process. This agreement governs the relationship between Microsoft and its suppliers and ensures consistent management of supplier relationships. As part of onboarding, suppliers enroll in the SSPA and must complete all applicable requirements before they can be approved for any data processing categories. Microsoft business units are only able to create engagements with suppliers when the data processing activity for the engagement matches data processing categories for which the supplier has been approved.
How does Microsoft notify customers of changes to suppliers who process their data?
Per the Microsoft Products and Services Data Protection Addendum (DPA), Microsoft makes additional commitments regarding notice periods for the addition of any subprocessor. Notice time frames depend on the type of data the subprocessor will process on behalf of Microsoft. As stated in the DPA, Microsoft commits to providing notice to customers at least six months in advance of any new subprocessor who will process Customer Data. For any other Personal Data, Microsoft will provide at least 30 days of notice. Notice is provided by the update of the Microsoft Online Services Subprocessor List.
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the table below for validation of controls related to supplier management.
Azure and Dynamics 365
| External audits | Section | Latest report date |
|---|---|---|
| ISO 27001/27002 Statement of Applicability Certificate |
A.15.1: Information security in supplier relationships | November 6, 2023 |
| ISO 27017 Statement of Applicability Certificate |
A.15.1: Information security in supplier relationships | November 6, 2023 |
| ISO 27018 Statement of Applicability Certificate |
A.8.1: Disclosure of subcontracted PII processing | November 6, 2023 |
| SOC 2 SOC 3 |
SOC2-25: Supplier risk management C5-2: Supplier risk profile review |
November 17, 2023 |
Microsoft 365
| External audits | Section | Latest report date |
|---|---|---|
| FedRAMP (Office 365) | CA-3: System interconnections IA-4: Identifier management PS-6: Access agreements PS-7: Third-party personnel security SA-4: Acquisitions process SA-9: External information system services SA-12: Supply chain protection |
July 31, 2023 |
| ISO 27001/27002/27017 Statement of Applicability Certification (27001/27002) Certification (27017) |
A.15.1: Information security in supplier relationships | March 2024 |
| ISO 27018 Statement of Applicability Certificate |
A.8.1: Disclosure of subcontracted PII processing | March 2024 |
| SOC 2 | CA-53: Third-party monitoring | January 23, 2024 |
Resources
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for