Supplier management overview

Microsoft partners with third-party companies to help meet our customers' needs. These third-party companies are referred to as suppliers. Supplier security and privacy at Microsoft is governed by our Supplier Security and Privacy Assurance (SSPA) program, an enterprise-wide set of requirements for all suppliers who partner with Microsoft to deliver our online services. While the SSPA program provides comprehensive governance and management of our supplier base, individual business units may maintain additional requirements for their suppliers.

How does Microsoft's Supplier Security and Privacy Assurance (SSPA) Program protect customer data?

SSPA is a partnership between Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to ensure suppliers adhere to Microsoft's privacy and security principles. The scope of SSPA covers all suppliers that process Personal Data or Microsoft Confidential Data. The SSPA program enrollment includes adherence to Microsoft's Data Protection Requirements (DPR). The DPR consist of security and privacy controls that suppliers must implement before beginning contracted work with Microsoft. All enrolled suppliers self-attest to compliance with the DPR annually.

DPR requirements are scoped based on six distinct data processing categories a supplier can be approved for as part of their enrollment in SSPA. These categories are used to identify the risk associated with the services a supplier provides to Microsoft. The supplier's data processing profile determines which DPR controls are considered in-scope to provide appropriate data protection. Suppliers who process data that is considered a higher risk must comply with all DPR requirements and may also need to provide independent verification of compliance. Microsoft purchasing tools validate the SSPA status of all suppliers, including compliance with applicable portions of the DPR, prior to allowing the procurement of that supplier.

What types of subprocessors provide services for Microsoft?

A 'subprocessor' is a third party that Microsoft engages whose duties include processing Microsoft Personal Data for which Microsoft is a processor. Microsoft's subprocessors fall into three distinct categories. Each must demonstrate compliance with the SSPA before they can process customer data on Microsoft's behalf.

  • Technology subprocessors that power technologies that are seamlessly integrated with Microsoft online services and in part power the Microsoft cloud functions. If a customer deploys one of these services, the subprocessors identified for that service may process, store, or otherwise access Customer Data or Personal Data while helping to provide that service. An example of a technology supplier would be Azure Databricks where Databricks powers the Azure Databricks service.
  • Ancillary subprocessors that provide services to help support, operate, and maintain online services. In such cases, the subprocessors identified may process, store, or otherwise access limited customer data or personal data while providing their ancillary services. An example of an ancillary supplier would be Scuba Analytics where the supplier uses information related to the performance of our services to provide Microsoft with aggregated insights into the overall performance of many of our cloud services.
  • Contract Staff Organizations provide contract staff who work side by side with Microsoft full-time employees to support, operate, and maintain the Microsoft Online Services. In all such cases, Customer Data or Personal Data resides only in Microsoft facilities, on Microsoft systems, and is subject to Microsoft policies and supervision.
  • Microsoft Subsidiaries and affiliates employ personnel who operate, deliver, and maintain the Online Services and while doing so may process Customer Data or Personal Data as a subprocessor. The data resides only on Microsoft systems and is subject to Microsoft policies and supervision.
  • Microsoft data center infrastructure entities provide the datacenter infrastructure on which the Microsoft Online Services run. The data within datacenters is encrypted, and no personnel within the datacenters can access it.

Technology and Ancillary thrid-parties are required to implement access controls in compliance with Microsoft's Data Protection Requirements (DPR). These requirements meet or exceed the contractual commitments Microsoft makes to its customers in the Online Service Terms (OST). Suppliers who perform contract staff work are subject to the same access controls in place for Microsoft full-time employees.

How does Microsoft onboard suppliers?

Third-party suppliers are required to sign a Microsoft Master Agreement as part of the onboarding process. This agreement governs the relationship between Microsoft and its suppliers and ensures consistent management of supplier relationships. As part of onboarding, suppliers enroll in the SSPA and must complete all applicable requirements before they can be approved for any data processing categories. Microsoft business units are only able to create engagements with suppliers when the data processing activity for the engagement matches data processing categories for which the supplier has been approved.

How does Microsoft notify customers of changes to suppliers who process their data?

Per the Microsoft Products and Services Data Protection Addendum (DPA), Microsoft makes additional commitments regarding notice periods for the addition of any subprocessor. Notice time frames depend on the type of data the subprocessor will process on behalf of Microsoft. As stated in the DPA, Microsoft commits to providing notice to customers at least six months in advance of any new subprocessor who will process Customer Data. For any other Personal Data, Microsoft will provide at least 30 days of notice. Notice is provided by the update of the Microsoft Online Services Subprocessor List.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the table below for validation of controls related to supplier management.

Azure and Dynamics 365

External audits Section Latest report date
ISO 27001/27002

Statement of Applicability
Certificate
A.15.1: Information security in supplier relationships December 3, 2021
ISO 27017

Statement of Applicability
Certificate
A.15.1: Information security in supplier relationships December 3, 2021
ISO 27018

Statement of Applicability
Certificate
A.8.1: Disclosure of subcontracted PII processing December 3, 2021
SOC 2
SOC 3
SOC2-25: Supplier risk management
C5-2: Supplier risk profile review
November 12, 2021

Office 365

External audits Section Latest report date
FedRAMP CA-3: System interconnections
IA-4: Identifier management
PS-6: Access agreements
PS-7: Third-party personnel security
SA-4: Acquisitions process
SA-9: External information system services
SA-12: Supply chain protection
July 27, 2022
ISO 27001/27002/27017

Statement of Applicability
Certification (27001/27002)
Certification (27017)
A.15.1: Information security in supplier relationships March 2022
ISO 27018

Statement of Applicability
Certificate
A.8.1: Disclosure of subcontracted PII processing March 2022
SOC 2 CA-53: Third-party monitoring September 30, 2021

Resources