
Microsoft Supplier Security & Privacy Assurance (SSPA) Program v11 Overview


What is the SSPA Program?

The Microsoft Supplier Security & Privacy Assurance (SSPA) Program ensures that suppliers meet Microsoft’s high standards for privacy, security, and responsible AI. It’s a partnership between Procurement, Legal, Security, and the Office of Responsible AI.

Key Goals

The program has three primary goals that extend Microsoft’s commitment to privacy and security to its global supplier base.

  • Extend Microsoft’s data protection standards to suppliers

  • Provide a consistent baseline through the Supplier Data Protection Requirements (DPR)

  • Prepare suppliers to address risks from emerging technologies like AI

Microsoft considers privacy a fundamental human right, and the SSPA program ensures that suppliers handling Microsoft data operate in alignment with these values and applicable legal requirements.

The Two Pillars of Compliance

The SSPA framework rests on two interconnected components. Together, they determine what suppliers must do to remain eligible for Microsoft work.

1. Data Processing Profile (DPP)

The DPP is your supplier-controlled profile where you declare how you process Microsoft data. These selections drive your compliance requirements.

  • Supplier-controlled profile in the Microsoft Supplier Compliance Portal

  • Suppliers declare:

    • Types of data they process

    • Where the data will be processed

    • Technologies used for processing

  • DPP selections determine the specific compliance requirements for each supplier

2. Data Protection Requirements (DPR)

The DPR defines Microsoft’s rules for safeguarding Personal Data and Confidential Data. All suppliers must attest to compliance annually.

  • Detailed rules for handling Microsoft Personal Data and Confidential Data

  • All suppliers must complete an annual self-attestation

  • DPP selections determine whether the full DPR applies or only a subset

  • Shared responsibility:

    • Microsoft sets the standard via the DPR

    • Suppliers must accurately declare their activities in the DPP

Important: Incorrect selections may prevent eligibility for engagements or trigger non-compliance.

SSPA Compliance Lifecycle

Compliance follows a structured lifecycle. Each step builds on the previous one to confirm suppliers meet Microsoft’s requirements.

Step 1: Start (Enroll / Renew) & Set DPP

Begin by enrolling or renewing your participation and configuring your DPP. This step defines the scope of your compliance obligations.

  • Configure or update your DPP in the Supplier Compliance Portal

  • Select the profile options that match your actual scope of work: Scope, Location, Role, and AI Systems

Step 2: Complete Assigned Tasks

Once your DPP is set, the portal generates compliance tasks tailored to your selections.

  • Portal issues compliance tasks based on DPP selections

  • Tasks range from DPR self-attestation to providing evidence like PCI certification, ISO 27001, or an Independent Assessment

  • Standard tasks must be completed within 90 days; Independent Assessments may additionally be granted a 90-day extension

Step 3: Review Submissions

After you submit evidence and attestations, Microsoft’s SSPA team validates your submissions to confirm accuracy and completeness.

  • SSPA team validates all submissions within approximately 10 business days

Step 4: Achieve SSPA Status

Once approved, your compliance status is set, which determines your eligibility for Microsoft work.

  • Green (Compliant): Eligible for new engagements, mandatory for in-scope work

  • Red (Non-Compliant): Hard block on new orders, account may be deactivated if unresolved

  • Compliance is continuous; maintain evidence and processes year-round, not just at renewal time

Configuring Your Data Processing Profile (DPP)

Your DPP drives your compliance obligations. Configuring it accurately is essential for meeting Microsoft’s requirements.

Step 1: Define Scope

Identify the type of Microsoft data you will handle. This sets the baseline requirements for your organization.

  • Confidential Data: Only Microsoft Confidential Data such as internal technical docs or pre-release marketing

  • Personal & Confidential Data: Includes Personal Data such as sensitive health info, identifiers, customer content, and Confidential Data

Step 2: Specify Location & Role

Declare where processing occurs and what role your organization plays in handling Microsoft data.

  • Processing Location: At Microsoft or Customer facilities, or At Supplier facilities (higher risk; requires more controls)

  • Processing Role: Controller, Processor, or Subprocessor (designated by Microsoft for high-risk scenarios)

Step 3: High-Risk Approvals

Certain activities involve higher risk and require explicit approval before you can proceed.

  • Payment Card Processing (PCI)

  • Software as a Service (SaaS) offerings (require ISO 27001 certification)

  • Use of subcontractors

  • Website hosting

  • Healthcare (PHI / HIPAA)

  • AI Systems (Responsible AI, Section K)

Demonstrating Compliance

Suppliers must prove they meet Microsoft’s standards. This can be done through attestations, independent assessments, or recognized certifications.

1. Self-Attestation

Every supplier must complete an annual attestation confirming compliance with DPR requirements.

  • Annual attestation via the Supplier Compliance Portal

  • Authorized representative confirms compliance with all applicable DPR requirements

2. Independent Assessment

High-risk suppliers must undergo a third-party review to validate compliance.

  • Required for high-risk DPP selections such as handling Highly Confidential Data, acting as a Subprocessor, or providing AI systems

  • Conducted by a qualified third-party assessor

3. Certification Alternatives

Certain globally recognized certifications can substitute for an independent assessment.

  • ISO 27701 + ISO 27001 (privacy & security)

  • SOC 2 Type 2 (security-focused)

  • HITRUST (healthcare)

  • ISO 42001 (Responsible AI for Sensitive Use)

Quick-Reference Table: DPP → Assurance → Certification

This table links DPP selections with the required assurance method and any accepted certifications that can be used as alternatives.

  • DPP Selection / Scenario: What the supplier declares in their Data Processing Profile

  • Required Assurance: Compliance tasks the supplier must complete, including self-attestation or independent assessment

  • Accepted Certification Alternatives: Globally recognized certifications that can satisfy the requirement

| DPP Selection / Scenario | Required Assurance | Accepted Certification Alternatives |
| --- | --- | --- |
| Processing only Microsoft Confidential Data on Microsoft’s network | Self-Attestation to the DPR | N/A |
| Processing Highly Confidential Data at supplier’s own facilities | Self-Attestation + Independent Assessment | ISO 27001 |
| Processing Personal Data as a Processor at supplier’s own facilities | Self-Attestation + Independent Assessment | ISO 27001 + ISO 27701, or SOC 2 (Security) |
| Providing a Software as a Service (SaaS) solution | Self-Attestation + ISO 27001 | ISO 27001 (scoped to the functional service provided) |
| Using subcontractors to process Personal or Confidential Data | Self-Attestation + Independent Assessment | ISO 27001 + ISO 27701 |
| Providing AI Systems (non-sensitive use) | Self-Attestation + Independent Assessment (incl. Section K) | ISO 27001 + ISO 27701 + Independent Assessment on Section K, or ISO 42001 |
| Providing AI Systems for “Sensitive Use” cases | Self-Attestation + Independent Assessment + ISO 42001 | ISO 42001 mandatory |

Key Terms (Glossary)

  • AI Systems: Systems that make predictions or decisions using optimized models

  • Controller / Processor / Subprocessor: Roles defining responsibility for personal data processing

  • Data Incident: Any unauthorized disclosure of, loss of, or access to Microsoft data

  • Microsoft Personal Data: Any data relating to an identifiable individual

  • Microsoft Confidential Data: Non-public Microsoft information that could cause harm if disclosed

Reporting a Data Incident

  • Notify Microsoft immediately via SupplierWeb portal or [email protected]

  • Include incident date, supplier name/ID, Microsoft contacts, PO number, and a summary of the incident

Summary

The SSPA program ensures suppliers:

  • Understand and adhere to Microsoft’s security and privacy standards

  • Complete annual self-attestations and high-risk assessments

  • Maintain a Green SSPA status to remain eligible for Microsoft engagements

  • Use the Microsoft Supplier Compliance Portal to manage DPP selections, complete tasks, and maintain evidence

  • Treat compliance as an ongoing process, not a once-a-year activity
