Understand subprocessor onboarding and monitoring

Completed

When Microsoft 365 initiates a support contract with a subprocessor, specific workflows and processes ensure subprocessors meet requirements before beginning contracted work. New subprocessors must complete a series of verifications to validate that their information systems meet the requirements applicable to the types of data they will process as part of contracted work. Alternatively, contracted work assigned to existing subprocessors who have already met requirements allows Microsoft to limit the number of subprocessors who process Customer or Personal Data.

Adding a new subprocessor

Adding a new subprocessor requires a series of rigorous verifications to ensure the subprocessor meets Microsoft standards before they can begin contracted work. These verification steps include but are not limited to:

  • A business verification check: A review by the business to determine why the use of this supplier is needed instead of a supplier who is already approved. Once business approval has been granted, the additional verifications below must be performed.
  • Privacy and compliance check: Validate that the subprocessor has already been disclosed for the appropriate amount of time and that all contracts and certification requirements have been met.
  • Anti-corruption checks: Check against global relationship management systems and news for suppliers who may be engaged in corruption activities.
  • Corruption risk score: This is a score that is assigned based on the anti-corruption check. The score indicates the risk level of the supplier being involved in corruption activities.
  • A do-not-engage check: Internal Microsoft check against suppliers who have been deemed inappropriate for use.
  • Trade sanctions screening: A review of watch sites, government records, and media searches to determine if trade sanctions apply to the supplier.

In addition, business unit approval is required as a final check after all scores and checks have been returned and accounted for.

a workflow detailing SSPA enrollment process explained in below narrative.

Subprocessor enrollment begins with an email request to a prospective subprocessor with instructions to create a profile in the Microsoft Supplier Compliance Portal (MSCP). Subprocessors use the portal to choose the data processing activities they wish to be approved for. These data processing activities include:

  • Processing of personal data and/or Microsoft confidential data
  • Processing data on the supplier's network
  • Data processing role (controller, processor, co-controller, etc.)
  • Payment card processing
  • Provision of Software as a Service (SaaS)
  • Use of subcontractors
  • Subprocessor designation

Once a subprocessor has completed their profile, they will be given either the full set or a subset of requirements from the DPR to complete within 90 days. Depending on the approvals selected by the subprocessor in their profile, Independent Assurance may be necessary in addition to verify compliance with the DPR controls assigned.

Once a subprocessor has passed all applicable checks, their SSPA status is subject to final review. Reviewers verify all relevant checks and decide which types of data processing should be approved. After the profile has been approved, subprocessors receive the requisite data processing approvals.

In addition to compliance with the DPR, Microsoft requires subprocessors to maintain the following certifications:

  • ISO/IEC 27001 Certification for all subprocessors, including the ISO/IEC 27002 Code of Best Practices.
  • ISO/IEC 27018 Certification for subprocessors storing customer data in a cloud service.
  • EU-US Privacy Shield and Swiss-U.S. Privacy Shield Certifications for subprocessors processing personal data from the European Union or Switzerland in the United States of America (to the extent allowed based on program requirements).
  • Payment Card Industry (PCI) Certification for subprocessors who process or store credit card data. These subprocessors must be audited annually as a Level 1 Supplier by a Qualified Security Assessor certified in the current version of PCI.
  • ISO/IEC 27701 Requirements for all subprocessors.

Learn more