Understand additional subprocessor requirements for Microsoft's business units

While the Microsoft SSPA program provides comprehensive governance and management of our supplier base, individual business units may maintain additional requirements for their suppliers. For example, Microsoft 365 makes commitments to provide notice to customers when new subprocessors are approved and enforces additional checks when contracting with new suppliers. Additional business unit requirements are designed to supplement SSPA requirements and align with regulatory requirements and contractual obligations.

Notice requirement

Per the Products and Services Data Protection Addendum (DPA), Microsoft makes additional commitments regarding notice periods for the addition of any subprocessor. Notice timeframes depend on the type of data the subprocessor will process on behalf of Microsoft.

To summarize what is stated in the DPA, Microsoft commits to providing notice to our customers at least six months in advance of any new subprocessor who will process Customer Data. For any other Personal Data, Microsoft will provide at least 30 days of notice.

Additional procurement checks for new suppliers

Because of our commitments to limit the number of subprocessors with access to Customer and Personal Data, and to provide notice to customers above and beyond SSPA requirements, we have introduced additional supplier checks when purchasing from suppliers who need access to Enterprise Personal Data. Until a subprocessor has been approved, a supplier will not be granted access to Customer or Personal Data. These checks include requirements such as:

  • Additional contracting requirements
  • Additional auditing requirements
  • Appropriate notice to our customers
