Supplier Security and Privacy Assurance (SSPA) program

Important

The information presented in this article is on behalf of the Supplier Security and Privacy Assurance (SSPA) team. The most up-to-date information is available here. If there is a conflict between the information presented in this article and the SSPA page, the SSPA page supersedes the information in this article.

Microsoft believes that privacy is a fundamental right. In the mission to empower every individual and organization on the planet to achieve more, Microsoft strives to earn and maintain the trust of its customers.

Strong privacy and security practices are critical to this mission, essential to trust, and in several jurisdictions required by law. The standards captured in Microsoft’s privacy and security policies reflect our values as a company and extend to suppliers that process Personal and Confidential Data on our behalf.

The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft’s baseline data processing instructions to suppliers in the form of the Microsoft Supplier Data Protection Requirements (DPR).

Note

Suppliers may have to meet additional organizational level requirements that are decided and communicated outside of SSPA by the Microsoft group responsible for the engagement with the supplier.

SSPA program overview

SSPA is a partnership between Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to ensure privacy and security principles are followed by suppliers. The scope of SSPA covers all suppliers globally that process Personal Data and/or Microsoft Confidential Data.

SSPA enables the supplier to make Data Processing Profile selections that align with the goods and/or services suppliers are contracted to perform. These selections trigger corresponding requirements to provide compliance assurances.

All enrolled suppliers must complete an annual self-attestation of DPR compliance. A supplier’s Data Processing Profile determines whether the full DPR is issued or if a subset of requirements applies. Suppliers that process data that Microsoft considers higher risk may also need to meet additional requirements, such as providing independent verification of compliance. Suppliers that are on a published Microsoft subprocessor list will also be asked to provide independent verification of compliance.

Important

Compliance activities determine an SSPA status of Green (compliant) or Red (noncompliant). Microsoft purchasing tools validate the SSPA status is Green (for each supplier in scope for SSPA) prior to allowing an engagement to move forward.

SSPA scope

To help determine whether the supplier processes Personal Data and/or Microsoft Confidential Data, see the list of examples in the following tables. These are examples and not an exhaustive list.

Personal data by data type

Examples, grouped by data type, include but are not limited to:

Sensitive data
  • Data related to children
  • Genetic data, biometric data, or health data
  • Racial or ethnic origin
  • Political, religious, or philosophical beliefs, opinions, and affiliations
  • Trade union membership
  • A natural person's sex life or sexual orientation
  • Immigration status (visa, work authorization, etc.)
  • Government identifiers (passport, driver’s license, visa, social security numbers, national identity numbers)
  • Precise user location data (within 300 meters)
  • Personal bank account numbers
  • Credit card number and expiration date
Customer content data
  • Documents, photos, videos, music, etc.
  • Browsing history, interests, and favorites; inking, typing, and speech utterances (voice/audio and/or chat/bot)
Captured and generated data
  • Imprecise location data
  • IP address
  • Device preferences and personalization, service usage for websites, webpage click tracking
  • Contact data such as name, address, phone number, email address, date of birth, dependents, and emergency contacts
  • Fraud and risk assessment, background check
  • Metadata and telemetry
Account data
  • Payment instrument data
  • Credit card number and expiration date
  • Bank routing information
  • Bank account number
  • Credit requests or line of credit
  • Tax documents and identifiers
  • Investment or expense data
End-user Pseudonymized Information (EUPI): identifiers created by Microsoft to identify users of Microsoft products and services
  • Globally Unique Identifier (GUID)
  • Unique Identifier (PUID)
  • Hashed End-User Identifiable Information (EUII)
  • Session IDs
  • Device IDs
  • Diagnostic data and log data
Online customer data
  • Microsoft online enterprise customer (Azure tenant, M365 tenant)
  • Microsoft enterprise customer (on-premises customer)
  • Account data (billing data, e-commerce)
  • Survey/event registration/training

Microsoft confidential data by data class

Examples, grouped by data class, include but are not limited to:

Highly Confidential
  • Information concerning or related to the development, testing, or manufacturing of Microsoft products or components of Microsoft products. Microsoft software, online services, or hardware sold commercially in any channel are considered “Microsoft Product”
  • Microsoft device pre-release marketing information
  • Unannounced Microsoft corporate financial data subject to SEC rules
Confidential
  • Microsoft product license keys on behalf of Microsoft for distribution via any method
  • Information concerning or related to the development or testing of Microsoft internal Line of Business (LOB) applications
  • Microsoft pre-release marketing materials for Microsoft software and services such as Office, SQL, Azure, etc.
  • Written, design, electronic, or print documentation for any Microsoft services or products, such as devices (process or procedure guides, configuration data, etc.)

Data Processing Profile

Microsoft suppliers have control over their SSPA Data Processing Profile, allowing suppliers to decide which engagements they want to be eligible to perform.

Microsoft business groups are only able to create engagements with suppliers where the data processing activity matches the approvals the supplier has obtained.

Suppliers are able to update their Data Processing Profile at any time during the year if there are no open tasks. When a change is made, the corresponding activity is issued and must be completed before the approvals are secured. The existing, completed approvals apply until newly issued requirements are completed.

If the newly issued tasks are not completed within the 90-day time frame allowed, the SSPA status is updated to Red (non-compliant), and the account is deactivated from Microsoft Accounts Payable systems.

Data processing scope considerations

  • Confidential: If the supplier only processes Microsoft Confidential Data, their profile will show a Confidential flag. The supplier will not be able to process any Personal Data.

  • Personal, Confidential: If the supplier processes Personal Data, their profile will indicate the Personal, Confidential flag.

  • Processing Location, At Microsoft or Customer: If the supplier will only process data within Microsoft systems, using Microsoft credentials, and is subject to Microsoft security and privacy policies, this option will be selected on the supplier’s profile.

  • Processing Location, At Supplier: If the condition “At Microsoft or Customer” (as described previously) does not apply, this is the option that will be reflected in the supplier’s profile.

Data processing role considerations

  • Controller (covers independent and joint controllers): If the supplier is both a controller and a processor (for different engagements), the supplier will select “Processor”.

  • Processor: When the supplier processes data on behalf of Microsoft.

  • Subprocessor: A subprocessor is a third party that Microsoft engages whose performance includes processing of Microsoft Personal Data for which Microsoft is a Processor. Suppliers cannot self-identify as a subprocessor at Microsoft because the role requires pre-approval by internal Privacy teams. Suppliers can only be a subprocessor when Microsoft is the Data Processor and the supplier processes qualifying Enterprise Personal Data types. Subprocessors have additional contract and compliance requirements, including a Data Protection Addendum and an Independent Assessment, and additional certification requirements.

  • Payment Card Processing: Applies if any part of the data processed by a supplier includes data to support credit card or other payment card processing on behalf of Microsoft. This approval allows a supplier to engage in payment card processing engagements.

  • Software: Microsoft Procurement directs buyers through an intake process for all software purchases; this includes various checks, including SSPA triage to decide whether the supplier providing the software is in scope for SSPA management. If SSPA is required, suppliers may also need to identify that the ‘Software as a Service’ (SaaS) profile choice applies. For SSPA enrolled suppliers, this can be done when completing the Data Processing Profile in the Microsoft Supplier Compliance Portal. For SSPA compliance purposes, view SaaS broadly to also include platform as a service (PaaS) and infrastructure as a service (IaaS).

  • Software as a Service (SaaS): SaaS allows users to connect to and use cloud-based applications over the Internet. Microsoft defines SaaS as software based on common code used in a one-to-many model on a pay-for-use basis or as a subscription based on use metrics. The cloud service provider develops and maintains cloud-based software, provides automatic software updates, and makes software available to its customers via the internet on a one-to-many, pay-as-you-go basis. This method of software delivery and licensing allows software to be accessed online via a subscription rather than bought and installed on each individual computer.

Note

Most SaaS suppliers will need to add the Subcontractor approval in the Microsoft Supplier Compliance Portal if the Personal Data or Microsoft Confidential Data is hosted on a third-party platform.

  • Use of Subcontractors: This flag is required if the supplier uses subcontractors to perform any part of the contracted work. This also includes freelancers.

Assurance requirements

The approvals selected in the supplier’s Data Processing Profile assist SSPA in assessing the risk level across the supplier’s engagement(s). SSPA compliance requirements differ based on the Data Processing Profile and associated approvals.

There are also combinations that may elevate or reduce compliance requirements. The combinations are captured in the Requirements based on profile approvals section.

If the supplier’s profile includes Software as a Service (SaaS), subcontractors, website hosting, or payment cards, additional assurances are required.

Self-attestation to the DPR

All suppliers enrolled in SSPA must complete a self-attestation of compliance to the DPR within 90 days of receiving the request. This request is issued on an annual basis but may be more frequent if the Data Processing Profile is updated mid-year. Supplier accounts change to an SSPA status of Red (non-compliant) if the 90-day period is exceeded. New in-scope purchase orders cannot be processed until the SSPA status turns to Green (compliant).

Newly enrolled suppliers must complete issued requirements to secure an SSPA status of Green (compliant) before engagements can begin.

Applicability

Suppliers are expected to respond to all applicable DPR requirements issued per the Data Processing Profile. It is expected that, within the issued requirements, a few may not apply to the goods or services the supplier provides to Microsoft. These can be marked as ‘does not apply’ with a detailed comment for SSPA reviewers to validate.

DPR submissions are reviewed by the SSPA team for any selections of ‘does not apply’, ‘local legal conflict’, or ‘contractual conflict’ against issued requirements.

Independent assessment requirement

Please see the Requirements based on profile approvals section for the data processing approvals that trigger this requirement.

Suppliers have the option to change approvals by updating their Data Processing Profile. However, if the supplier has a Data Processing Role of “Subprocessor”, the supplier cannot change this approval and will be required to have an independent assessment conducted annually.

The Requirements based on profile approvals section includes acceptable certification alternatives if you elect not to use an independent assessor to verify compliance to the DPR (when applicable, such as for SaaS suppliers, website hosting suppliers, or suppliers with Subcontractors). ISO 27701 (privacy) and ISO 27001 (security) are relied on as mapping closely to the DPR.

If a supplier is a healthcare provider or covered entity in the United States, Microsoft will accept a HITRUST report for privacy and security coverage.

SSPA may execute an independent assessment manually if circumstances beyond standard triggers warrant additional due diligence. Examples include a request from division privacy or security; validation of data incident remediation; or requirement for automated data subject rights execution.

PCI DSS certification requirement

The Payment Card Industry Data Security Standard (PCI DSS) is a framework for developing robust payment card data security that includes prevention, detection, and appropriate reaction to security incidents. The framework was developed by the PCI Security Standards Council, a self-regulatory industry organization. The purpose of the PCI DSS requirements is to identify technology and process vulnerabilities that pose risks to the security of cardholder data that is processed.

Microsoft is required to comply with these standards. If a supplier handles payment card information on Microsoft’s behalf, we require evidence of adherence to these standards.

Depending on the volume of transactions processed, a supplier will either be required to have a Qualified Security Assessor certify compliance or can complete a self-assessment questionnaire form.

Payment card brands set the thresholds for assessment type, typically:

  • Level 1: Provide a PCI DSS Attestation of Compliance (AOC) issued by a third-party assessor

  • Level 2 or 3: Provide a PCI DSS Self-Assessment Questionnaire (SAQ) signed by the supplier’s officer

Software as a Service requirement

Suppliers that meet the SaaS definition included on the Data Processing Profile may be required to provide a valid ISO 27001 certification.

Use of subcontractors

Microsoft considers the use of subcontractors a high-risk factor. Suppliers using subcontractors who will process Personal and/or Microsoft Confidential Data must disclose those subcontractors. Additionally, the supplier should disclose the countries where that Personal Data will be processed by each subcontractor.

Requirements based on profile approvals

Each numbered profile below lists the profile approvals, the resulting assurance requirements, and, where independent assurance is required, the accepted independent assurance options.

Profile 1
  • Scope: Personal, Confidential
  • Processing Location: At Microsoft or Customer
  • Processing Role: Processor or Controller
  • Data Class: Confidential or Highly Confidential
  • Payment Cards: Not Applicable
  • SaaS: Not Applicable
  • Use of Subcontractors: Not Applicable
  • Website Hosting: Not Applicable
  • Assurance Requirements: Self-attestation of compliance to the DPR

Profile 2
  • Scope: Confidential
  • Processing Location: At Supplier
  • Processing Role: N/A
  • Data Class: Confidential
  • Payment Cards: Not Applicable
  • SaaS: Not Applicable
  • Use of Subcontractors: Not Applicable
  • Website Hosting: Not Applicable
  • Assurance Requirements: Self-attestation of compliance to the DPR

Profile 3
  • Scope: Confidential
  • Processing Location: At Supplier
  • Processing Role: Processor
  • Data Class: Highly Confidential
  • Payment Cards: Not Applicable
  • SaaS: Not Applicable
  • Use of Subcontractors: Not Applicable
  • Website Hosting: Not Applicable
  • Assurance Requirements: Self-attestation of compliance to the DPR and Independent Assurance of compliance
  • Independent Assurance Options:
    1. Complete an Independent Assessment against the DPR
    2. Submit ISO 27001

Profile 4
  • Scope: Personal, Confidential
  • Processing Location: At Supplier
  • Processing Role: Processor
  • Data Class: Highly Confidential
  • Payment Cards: Not Applicable
  • SaaS: Not Applicable
  • Use of Subcontractors: Not Applicable
  • Website Hosting: Not Applicable
  • Assurance Requirements: Self-attestation of compliance to the DPR and Independent Assurance of compliance
  • Independent Assurance Options:
    1. Complete an Independent Assessment against the DPR
    2. Independent Assessment against sections A-I of the DPR and ISO 27001
    3. Submit ISO 27701 and ISO 27001

Profile 5
  • Scope: Personal, Confidential
  • Processing Location: At Supplier
  • Processing Role: Processor
  • Data Class: Confidential
  • Payment Cards: Not Applicable
  • SaaS: Not Applicable
  • Use of Subcontractors: Not Applicable
  • Website Hosting: Not Applicable
  • Assurance Requirements: Self-attestation of compliance to the DPR

Profile 6
  • Scope: Personal, Confidential
  • Processing Location: At Supplier
  • Processing Role: Controller
  • Data Class: Confidential or Highly Confidential
  • Payment Cards: Not Applicable
  • SaaS: Not Applicable
  • Use of Subcontractors: Not Applicable
  • Website Hosting: Not Applicable
  • Assurance Requirements: Self-attestation of compliance to the DPR

Profile 7
  • Scope: Personal, Confidential
  • Processing Location: Any
  • Processing Role: Subprocessor (This role is determined by Microsoft – profile will read “Subprocessor Approval: Yes”)
  • Data Class: Confidential or Highly Confidential
  • Payment Cards: Not Applicable
  • SaaS: Not Applicable
  • Use of Subcontractors: Not Applicable
  • Website Hosting: Not Applicable
  • Assurance Requirements: Self-attestation of compliance to the DPR and Independent Assurance of compliance
  • Independent Assurance Options:
    1. Complete an Independent Assessment against the DPR
    2. Independent Assessment against sections A-I of the DPR and ISO 27001
    3. Submit ISO 27701 and ISO 27001