Understand Microsoft 365 additional subprocessor requirements


While the Microsoft SSPA program provides a comprehensive program for the governance and management of our supplier base, individual business units, such as Microsoft 365, may maintain additional requirements for their suppliers. Microsoft 365 maintains a set of requirements for subprocessors in addition to the ones required through the SSPA program. Microsoft 365 makes commitments to provide notice to customers when new subprocessors are approved and enforces additional checks when contracting with new suppliers. Additional Microsoft 365 supplier requirements are designed to supplement SSPA requirements and align with regulatory requirements and contractual obligations.

Notice requirement

Per the Products and Services Data Protection Addendum (DPA), Microsoft makes additional commitments regarding notice periods for the addition of any subprocessor. Notice timeframes depend on the type of data the subprocessor will process on behalf of Microsoft.

To summarize what is stated in the DPA, Microsoft commits to providing notice to our customers at least six months in advance of any new subprocessor who will process Customer Data. For any other Personal Data, Microsoft will provide at least 30 - days of notice.

Additional procurement checks for new suppliers

Because of our commitments to limit the number of subprocessors with access to Customer and Personal Data, and to provide notice to customers above and beyond SSPA requirements, we have introduced additional supplier checks when purchasing suppliers who need access to Enterprise Personal Data. Until a subprocessor has been approved by our internal Trust and Privacy teams, a supplier will not be granted access to Customer or Personal Data. Additional requirements include:

  • Additional contracting requirements
  • Additional auditing requirements
  • Appropriate notice to our customers

Learn more