Microsoft is an American multinational technology corporation that partners with more than 58,000 different suppliers to help meet their customers' needs. Many of these third-party companies process confidential and personal data on behalf of the corporation. 

Since data privacy and security is mission-critical for modern businesses to earn customer trust and comply with a range of laws and regulations, Microsoft established its own set of standards for suppliers that handle confidential and/or personal data called Supplier Security and Privacy Assurance (SSPA). All suppliers that are part of Microsoft’s information supply chain must comply with SSPA requirements to do business with Microsoft or any of its subsidiaries.

Below we’ll provide an overview of Microsoft SSPA and how Secureframe can help suppliers comply with SSPA and related compliance frameworks like ISO 27001 and PCI DSS to enhance their security and compliance posture.

What is Microsoft SSPA?

Microsoft SSPA refers to the Supplier Security and Privacy Assurance (SSPA) Program. This program sets privacy and security requirements for Microsoft suppliers working with Microsoft Personal Data and/or Confidential Data. These requirements are known as the Microsoft Supplier Data Protection Requirements (DPR).

Suppliers must implement the applicable security and privacy controls in the DPR before beginning contracted work with Microsoft. All enrolled suppliers must then self-attest to compliance with the DPR annually.

Who does Microsoft SSPA apply to?

Microsoft SSPA applies to all suppliers globally that process Microsoft Confidential Data and/or Personal Data under the terms of their contract with Microsoft.

What is Microsoft Confidential Data? 

Microsoft Confidential Data is any information which can result in significant reputational or financial loss for Microsoft if its confidentiality or integrity is compromised. This may include:

• Information concerning or related to Microsoft hardware and software products
• Unannounced Microsoft corporate financial data subject to SEC rules
• Information concerning or related to internal line-of-business applications
• Pre-release marketing materials
• Product license keys
• Technical documentations related to Microsoft products and services

What is Microsoft Personal Data? 

Microsoft Personal Data is any personal data (ie. information related to a data subject) that is processed by or on behalf of Microsoft. This type of data falls under five main categories:

• Sensitive data like data related to children and genetic, biometric, or health data
• Captured and generated data like IP address and employee background check
• Account data like credit card number and expiration date
• Online customer data like billing or other account data and survey/event registration/training
• Protected health information 

Microsoft Supplier Data Protection Requirements (DPR)

There are a total of 50 Data Protection Requirements. These are organized into the following 10 sections or categories:

• Management
• Notice
• Choice and Consent
• Collection
• Retention
• Data Subjects
• Subcontractors
• Quality
• Monitoring and Enforcement
• Security

Suppliers must submit evidence of compliance for each requirement that applies to them. For example, some Microsoft suppliers are required to apply appropriate sanctions against employees who fail to comply with the supplier’s privacy and security policies. In order to prove compliance to this requirement, suppliers must provide documentation of privacy and security policies that describe sanctions for non-compliance.

Which DPR requirements apply depends on the data processing categories the supplier was approved for as part of their enrollment in SSPA. We’ll discuss that in more depth when we take a closer look at the SSPA compliance process below.

Microsoft SSPA compliance process

Find a step-by-step breakdown of the Microsoft SSPA compliance process below.

Step 1: Enroll in the SSPA program.

As a Microsoft supplier that processes Microsoft Confidential Data and/or Personal Data, you can enroll in the SSPA program during the onboarding process. 

Step 2: Set up SSPA Data Processing Profile.

Next, you must set up a Data Processing Profile and select which data processing categories you want to be approved for in order to provide your goods and/or services to Microsoft. These categories are:

• Data processing scope: Will you process Microsoft Confidential Data only or Microsoft Confidential Data and Personal Data?
• Data processing location: Will you process data within the Microsoft network environment where staff use @microsoft.com access credentials or within the environment of a Microsoft customer?
• Data processing role: Will you act as a data controller or a data processor? Or have you secured pre-approval from Microsoft’s internal privacy teams as a subprocessor?
• Payment card processing: Will you process data to support credit card or other payment card processing on behalf of Microsoft?
• Software as a service: Will you act as a SaaS supplier?
• Use of subcontractors: Will you use subcontractors?

Your data processing profile determines whether you must comply with the full DPR or a subset of requirements.

When setting up your profile, you should also select the following profile options if they apply.

• Website hosting: Will you host websites on behalf of Microsoft?
• Healthcare: Will you process Protected Health Information?

These selections may impact how you attest to your compliance to the DPR.

Step 3: Implement security and privacy controls.

DPR requirements are scoped based on the data processing categories above. You must complete all applicable requirements in order to be approved for the data processing categories you’ve selected.

So once you’ve set up their profile, you must implement the necessary security and privacy controls and document evidence of those controls.

Using a compliance automation platform can significantly simplify this step, saving you valuable time and resources. Secureframe, for example, lays out the DPR requirements that apply to you and what controls you need to implement to meet those requirements. Secureframe also runs automated tests to detect controls that are adhering to the framework requirements as well as nonconformities that require remediation to comply with DPR. It also has a Microsoft Data Protection Requirements Policy template that can help you meet policy and procedure requirements in the DPR and save valuable time and resources. 

Step 4: Complete a self-attestation of compliance to the DPR annually. 

Next, you must complete a self-attestation of compliance to the DPR at least annually. This must be completed within 90 days of receiving the request.

This self-attestation should be completed by the designated person or group responsible for ensuring compliance to the DPR, or Authorized Representative. It involves the following steps:

• Determining which requirements apply. DPR requirements are issued per the supplier’s Data Processing Profile. It is expected that a few of the issued requirements may not apply to the goods or services the supplier provides to Microsoft. So the first step of the self-attestation process is to identify which do and do not apply. 
• Posting a response to each applicable requirement. Suppliers are expected to respond to all applicable DPR requirements based on sufficient information from subject matter experts. 
• Marking any requirements as “does not apply.” If there are any issued requirements that do not apply to the goods or services the supplier provides to Microsoft, then these can be marked as “does not apply.” A detailed comment must be included for SSPA reviewers to validate.
• Marking any requirements as “local legal conflict” or “contractual conflict.” If there are any issued requirements that conflict with a provision in their contract or any legal or statutory requirements, then these can be marked accordingly. A detailed comment explaining the conflict and supporting references must be provided for SSPA reviewers to validate.
• Sign and submit. The Authorized Representative must sign and submit the attestation in the Microsoft Supplier Compliance Portal.

Step 5: Submit Independent Assurance of compliance if applicable. 

Certain data processing profiles and approvals trigger an additional assurance requirement. The following suppliers are required to submit a self-attestation of compliance and independent verification of compliance:

• Suppliers that process Microsoft Confidential Data that is classified as highly confidential outside of the Microsoft network environment
• Suppliers designated as Data Processors that process Microsoft Confidential and Personal Data that is classified as highly confidential outside of the Microsoft network environment
• Suppliers designated as Subprocessors by Microsoft
• SaaS suppliers and web hosting suppliers acting on behalf of Microsoft
• Suppliers using subcontractors that will process Microsoft Confidential Data and/or Personal Data
• Suppliers processing Protected Health Information

Typically, the independent assurance requirement is met by having an independent assessor validate compliance against the DPR and prepare an advisory letter to provide compliance assurances to Microsoft. This letter must be unqualified — meaning, all non-compliant issues must be resolved and remediated before the letter is submitted to the Microsoft Supplier Compliance Portal for SSPA team review.

However, certain data processing profiles and approvals have multiple independent assurance options. For example, suppliers that process Microsoft Confidential Data that is classified as highly confidential outside of the Microsoft network environment can either complete an independent assessment against the DPR or submit a valid ISO 27001 certification. Additionally, SaaS suppliers and web hosting suppliers acting on behalf of Microsoft and suppliers using subcontractors may submit ISO 27001 and ISO 27701 certification and suppliers processing Protected Health Information may submit a HITRUST report as alternatives to an independent assessment. 

Step 6: Submit PCI DSS and/or ISO 27001 certifications if applicable.

If you handle payment card information on Microsoft’s behalf, then you must submit PCI DSS certification in addition to any other assurance requirements that apply to your data processing profile.

If you are a SaaS supplier, then your Microsoft Cloud Services Agreement may require you to provide ISO 27001 certification in addition to any other assurance requirements that apply to your data processing profile. This certification must apply to the software service(s) noted in your contract.

Step 7: SSPA review

Self-attestations of compliance are reviewed by the SSPA team for any selections of “does not apply”, “local legal conflict”, or “contractual conflict.” The SSPA team also reviews confirmation letters of compliance by independent assessors, PCI DSS certification, and ISO 27001 certification, if the supplier’s Data Processing Profile triggers these assurance requirements.

Step 8: SSPA status is Green

Once you’ve completed the issued requirements and the SSPA review, your SSPA status will turn Green (compliant). That means Microsoft buyers are now able to engage with you in the data processing categories in which you’ve been approved. 

Step 9: Complete your compliance tasks annually.

To maintain your Green status, you must renew compliance tasks annually for continuous compliance with SSPA.

Compliance checklist for Microsoft Suppliers

To help you evaluate your company’s compliance with Microsoft's DPR, download the compliance checklist below. 

How Secureframe helps Microsoft suppliers achieve compliance 

Whether you are a supplier for Microsoft already or hope to be one in the future, Secureframe can help you automate compliance with Microsoft SSPA and other frameworks that apply to your data processing activities, including ISO 27001, ISO 27701, and PCI DSS. Our AI-powered compliance platform reduces the time you spend on compliance tasks with automated evidence collection, real-time monitoring, and risk management so you can save time and reduce risk while growing your business. 

We have over 200 integrations so you can seamlessly sync your existing Microsoft tools, including Microsoft Azure, Office 365, Azure DevOps, Microsoft Intune, and Azure Active Directory. Once you connect your Microsoft tools to the Secureframe platform, it will automatically collect compliance evidence via our built-in integration tests for Microsoft tools. Each integration test is mapped to compliance framework controls and requirements. 

Our real-time, continuous monitoring evaluates your compliance posture by automatically gathering evidence and detecting nonconformities and misconfigurations across Microsoft Azure, Azure DevOps, Microsoft Intune, Azure Defender, and more. When misconfigurations are detected, you can use Comply AI for Remediation to quickly remediate them using infrastructure as code (IaC) for Azure Resource Manager (ARM), Command Line Interface (CLI), or Terraform. Seamlessly copy, paste, and deploy the code fixes in your Azure environment to fix the failing control and improve your compliance posture. 

We also empower customers to identify, assess, and manage risks in a number of ways. For example, you can automatically perform user access reviews and manage personnel by syncing your Microsoft tools like Office 365 and Azure Active Directory to the Secureframe platform. You can also ensure least privilege access, identify and remove departed personnel with access, and automatically onboard personnel to get started with their compliance tasks including training, policy review and acceptance, and background checks. 

Finally, it’s just as important that you manage risk from your third-party suppliers and vendors, as Microsoft does to their suppliers through SSPA. Our Vendor Risk Management tool enables you to manage and monitor your vendor relationships and their associated risk. Ensure your suppliers and third-party vendors are meeting your security and compliance expectations through vendor questionnaires, recurring reviews, and more.