Introduction to Microsoft 365 subprocessor management


Microsoft partners with other companies to support our Online Services and deliver innovative solutions that meet our customers' needs. We refer to third-party companies who support Microsoft Online Services as suppliers or subprocessors, depending on the work they provide. Microsoft's security policies include supplier oversight to protect customers' Personal Data and Microsoft Confidential Data from unauthorized access, modification, or destruction.

Supplier security and privacy at Microsoft is governed by our Supplier Security and Privacy Assurance (SSPA) program. SSPA is an enterprise-wide program designed to deliver baseline data processing instructions to all suppliers who partner with Microsoft and who may process Personal or Customer Data to deliver the services Microsoft has retained them to provide. The SSPA program standardizes supplier requirements and ensures all subprocessors meet or exceed our Data Protection Requirements (DPR), a framework of security and privacy controls designed to protect the data they process. SSPA program requirements are enforced through a rigorous onboarding process to verify that all applicable requirements for new suppliers have been met prior to starting their contracted work. Suppliers must provide additional verification of compliance with the DPR on an annual basis. When suppliers no longer require access to data, strict offboarding processes protect customer data from unauthorized disclosure or loss.

In addition to the SSPA program, individual Microsoft business units implement additional requirements to limit the number of authorized subprocessors. Together with the SSPA program, Microsoft Online Services mitigate the risks typically associated with subprocessing by requiring strong security and privacy controls while also minimizing single points of failure caused by relying too heavily on any one supplier.
