
Microsoft Procurement

Supplier Security & Privacy Assurance


Program Guide
Version 6
November 2019
Supplier Security and Privacy Assurance (SSPA)

Introduction
At Microsoft, we believe privacy is a fundamental right. In our mission to empower every individual and organization on
the planet to achieve more, we strive to earn and maintain the trust of our customers every day.
Strong privacy and security practices are critical to our mission, essential to customer trust, and in several jurisdictions,
required by law. The standards captured in Microsoft’s privacy and security policies reflect our values as a Company and
these extend to our suppliers (such as your company) that process Microsoft data on our behalf.
The Supplier Security and Privacy Assurance (“SSPA”) Program is Microsoft’s corporate program in place to deliver
Microsoft’s data processing instructions to our Suppliers, in the form of the Microsoft Supplier Data Protection
Requirements (“DPR”), available on microsoft.com here.

Key SSPA terms are defined in the Appendix of this document. To learn more about the program, read our Frequently
Asked Questions (FAQs) here and engage our global team by writing to [email protected].

SSPA Program Overview


SSPA is a partnership between Microsoft Procurement, Corporate External and Legal Affairs, and Corporate Security to
ensure privacy and security principles are followed by our suppliers.
The scope of SSPA covers all suppliers globally, that Process Personal Data or Microsoft Confidential Data in connection
with that supplier’s performance (e.g., provision of services, software licenses, cloud services), under the terms of its
contract with Microsoft (e.g., Purchase Order terms, master agreement) (“Perform,” “Performing” or “Performance”).
SSPA enables your company to make data processing profile selections that align to the goods and/or services you are
contracted to Perform. Your selections will trigger corresponding requirements to provide compliance assurances to
Microsoft.
All enrolled suppliers will complete a self-attestation of compliance to the DPR annually. Your data processing
profile determines whether the full DPR is issued or if a subset of requirements applies. Suppliers that process higher risk
data may also need to provide independent verification of compliance.
Important Note: The outcome of compliance activity determines a SSPA status of Green (compliant) or Red (non-compliant).
Microsoft purchasing tools validate that the SSPA status is Green (for each supplier in scope for SSPA) before allowing an
engagement to move forward.

SSPA Process Diagram – New Supplier Enrollment


SSPA Process Diagram – Annual Supplier Renewal

To help determine whether your company Processes Personal Data and/or Confidential Data, see the list of examples in
the tables below. Please note that these are mere examples and not an exhaustive list.
Note, a Microsoft business owner may ask for an enrollment outside of this list if they are concerned about the
confidential nature of the data processed.


Personal Data examples

Examples include, but are not limited to:

Sensitive Data
• Data related to children
• Genetic data
• Biometric data
• Health data
• Racial or ethnic origin
• Political opinions and affiliations
• Religious or philosophical beliefs
• Trade union membership
• A natural person's sex life or sexual orientation
• Immigration status (visa; work authorization etc.)
• Government identifiers (passport; driver’s license; visa; social security numbers; national identity numbers)
• Precise user location data (within 300 meters)

Customer Content Data
• Documents, photos, videos, music etc.
• Reviews and/or ratings entered in a product or service
• Survey responses
• Browsing history, interests and favorites
• Inking, typing and speech utterance (voice/audio and/or chat/bot)
• Credential data (passwords, password hints, username, biometric data used for identification)
• Customer data associated with a support case

Captured and Generated Data
• Imprecise location data
• IP address
• Device preferences and personalization
• Service usage for websites, webpage click tracking
• Social media data, social graph relationships
• Activity data from connected devices such as fitness monitors
• Contact data such as name, address, phone number, email address, date of birth, dependent and emergency contacts
• Fraud and risk assessment, background check
• Insurance, pension, benefit detail
• Candidate resumes, interview notes/feedback

Account Data
• Payment instrument data
• Credit card number and expiration date
• Bank routing information
• Bank account number
• Credit requests
• Line of credit
• Tax documents and identifiers
• Investment data
• Corporate cards
• Expense data

Microsoft Confidential/Highly Confidential Data

Examples include, but are not limited to:

Highly Confidential
• Develop, test, or manufacture Microsoft Products or components of Microsoft Products. Microsoft software or hardware
sold commercially in any channel is considered “Microsoft Product.”
• Microsoft device pre-release marketing information
• Unannounced Microsoft corporate financial data subject to SEC rules.

Confidential
• Microsoft product license keys on behalf of Microsoft for distribution via any method.
• Develop or test Microsoft internal Line of Business (LOB) applications.
• Microsoft pre-release marketing material for Microsoft software and services such as Office, SQL, Azure, etc.
• Write, design, edit or print documentation for Microsoft services or devices (process or procedure guides,
configuration data, etc.)

A Microsoft business owner may require participation for data not included in this list.


SSPA Data Processing Profile


Microsoft suppliers have full control over their SSPA data processing profile.
This allows suppliers to decide which engagements they want to be eligible to Perform. Pay careful attention to the
selections and consider the compliance activity that must be completed to achieve the approval.
Business owners will only be able to create engagements with companies where the data processing activity matches the
approval the supplier obtained.
Suppliers will be able to update their data processing profile at any time during the year if there are no open tasks.
When a change is made, the corresponding activity will be issued and must be completed before the approval is secured.
The existing, completed approvals will apply until newly issued requirements are completed.
If the newly issued tasks are not completed within the 90-day period allowed, the SSPA Status will turn RED and the
account is at risk of being deactivated from Microsoft Accounts Payable systems.
Warning: If you start a profile update before the annual renewal, but decide not to make any changes, the system will still
execute the corresponding requirements which will need to be completed again.

There are 6 Data Processing Profile approvals suppliers can secure as part of enrollment in SSPA:

1. Data processing scope: Confidential; or Personal, Confidential
2. Data processing location: At Microsoft or Customer; or At Supplier
3. Data processing role: Controller (independent or joint controllers); or Processor (processor or sub-processor)
4. Payment Card processing: Yes or NA
5. Software as a Service (SaaS): Yes or NA
6. Use of Subcontractors: Yes or NA

SSPA has defined criteria that identify suppliers processing higher risk engagements. Some combinations of selections
elevate or reduce the compliance requirements. These combinations are captured below; this is what you can expect to
execute from the Supplier Compliance Portal on completing your profile. You can always validate how your scenario fits
into this framework by requesting a SSPA team review.


Action: Find your profile and review the assurance requirements and applicable independent assurance options.
Important: If you are adding Software as a Service, Subcontractors, Website Hosting, or Payment Cards, additional
assurance is required.

Profile A
  Scope: Personal, Confidential
  Processing Location: At Microsoft or Customer
  Processing Role: Processor or Controller
  Data Class: Confidential or Highly Confidential
  Payment Cards: NA; Software as a Service: NA; Use of Subcontractors: NA; Website Hosting: NA
  Assurance requirement: Self-attestation of compliance to the DPR
  Independent assurance options: not required

Profile B
  Scope: Confidential
  Processing Location: At Supplier
  Data Class: Confidential
  Payment Cards: NA; Software as a Service: NA; Use of Subcontractors: NA; Website Hosting: NA
  Assurance requirement: Self-attestation of compliance to the DPR
  Independent assurance options: not required

Profile C
  Scope: Confidential
  Processing Location: At Supplier
  Data Class: Highly Confidential
  Payment Cards: NA; Software as a Service: NA; Use of Subcontractors: NA; Website Hosting: NA
  Assurance requirement: Self-attestation of compliance to the DPR and independent assurance of compliance
  Independent assurance options:
  • Complete an Independent Assessment against the DPR
  • Submit ISO 27001
  • Submit SOC 2 with security

Profile D
  Scope: Personal, Confidential
  Processing Location: At Supplier
  Processing Role: Processor
  Data Class: Highly Confidential
  Payment Cards: NA; Software as a Service: NA; Use of Subcontractors: NA; Website Hosting: NA
  Assurance requirement: Self-attestation of compliance to the DPR and independent assurance of compliance
  Independent assurance options:
  • Complete an Independent Assessment against the DPR
  • Submit ISO 27701 and ISO 27001

Profile E
  Scope: Personal, Confidential
  Processing Location: At Supplier
  Processing Role: Processor
  Data Class: Confidential
  Payment Cards: NA; Software as a Service: NA; Use of Subcontractors: NA; Website Hosting: NA
  Assurance requirement: Self-attestation of compliance to the DPR
  Independent assurance options: not required

Profile F
  Scope: Personal, Confidential
  Processing Location: At Supplier
  Processing Role: Controller
  Data Class: Highly Confidential or Confidential
  Payment Cards: NA; Software as a Service: NA; Use of Subcontractors: NA; Website Hosting: NA
  Assurance requirement: Self-attestation of compliance to the DPR
  Independent assurance options: not required

Impact of adding Software as a Service, Subcontractors, Website Hosting

Profile G
  Scope: Personal, Confidential
  Processing Location: At Supplier
  Processing Role: Processor
  Data Class: Highly Confidential or Confidential
  Subcontractors: YES, or SaaS: YES, or Website Hosting: YES
  Assurance requirement: Self-attestation of compliance to the DPR and independent assurance of compliance
  Independent assurance options:
  • Complete an Independent Assessment against the DPR
  • Submit ISO 27701 and ISO 27001

Profile H
  Scope: Personal, Confidential
  Processing Location: At Supplier
  Processing Role: Controller
  Data Class: Highly Confidential or Confidential
  Subcontractors: YES, or SaaS: YES, or Website Hosting: YES
  Assurance requirement: Self-attestation of compliance to the DPR
  Independent assurance options: not required

Additional assurance for Payment Cards and SaaS

Profile I: Any of the profiles above and Payment Cards
  Assurance requirement: The above requirements that apply, and Payment Card Industry assurance
  Independent assurance option: Submit PCI DSS Certification

Profile J: Any of the profiles above and SaaS
  Assurance requirement: The above requirements that apply, and submit the datacenter security assurance
  Datacenter security assurance options:
  • Submit ISO 27001
  • Submit SOC 2 with security
  • Successful pen test (last 12 months)

Notes:
SSPA can execute an independent assessment manually if circumstances beyond these triggers warrant the additional due
diligence. This could be a request from division privacy or security; validation of data incident remediation; requirement
for automated data subject rights execution.
If the Personal Data being Processed by the Supplier across all engagements is equal to, or less than, 500 Personal Data
records in a given year, the SSPA team may remove the independent assessment request upon review.


Approval Considerations
Processing Location - at Microsoft or Customer
This approval is appropriate when all work is performed within the Microsoft network environment, where staff use
@microsoft.com credentials. Equally, services where all work is performed within Microsoft’s customer environment can
attest to the reduced set of requirements associated with this approval level.
Do not select this option under these circumstances:
• Your company manages a Microsoft designated offshore facility (OF).
• Your company provides resources to Microsoft and they work on and off the Microsoft network at times.
Working off-network is considered at Supplier, for processing location.
Processing Location - at Supplier
If the conditions above do not apply, select this option.
Data Processing Scope - Confidential
Select this approval to be eligible to process Confidential Data listed in this guide or to provide assurance to Microsoft
business owners they can trust your company with any Microsoft Confidential Data.
If you select this approval you will not be eligible for Personal Data processing engagements.
Data Processing Scope - Personal, Confidential
Select this approval to be eligible to process Personal and Confidential data.
Data Processing Role - Controller (covers Independent and joint controllers)
Select this approval if all services provided to Microsoft meet the Controller data processing role definition (see appendix).
If you select this approval you will not be eligible for Personal Data processing with the ‘processor’ role designation.
Data Processing Role - Processor (covers processors and sub-processors)
This is the most common processing role when suppliers process data on behalf of Microsoft. Please review definitions in
the appendix.
Payment Card Processing
Suppliers that process credit card or other payment cards on behalf of Microsoft must be compliant to Payment Card
Industry (PCI) requirements. This approval allows Microsoft to demonstrate our company complies with the PCI standards
when we use suppliers to fulfill this service for us.
This approval allows a supplier to engage in payment card processing engagements.
Software as a Service
Services that meet the definition of SaaS will need to secure this approval, which requires providing the datacenter
security certification. See the SaaS section below.
Use of subcontractors
Suppliers that use subcontractors to fulfill services will need to secure this approval which will execute additional
requirements to address the risk of using subcontractors.


Self-Attestation to the DPR


All suppliers enrolled in SSPA must complete a self-attestation of compliance to the DPR within 90 days of receiving the
request. This request will be provided on an annual basis, but may be more frequent if the data processing profile is
updated mid-year. Supplier accounts will change to a SSPA Status of RED (non-compliant) if the 90-day period is
exceeded. New in-scope purchase orders cannot process until the SSPA Status turns to Green (compliant).
Newly enrolled suppliers must complete requirements, per approval selections, to secure a SSPA Status of Green
(compliant) before engagements can begin.
As noted, the data processing profile determines whether the full DPR is issued, or if only a subset applies. These
approvals can be changed throughout the year, but each time a change is made, associated requirements must be
completed for the change to take effect.
Important: The SSPA team is not authorized to provide extensions for this task.
Authorized representatives who will complete the self-attestation should ensure they have sufficient information from
subject matter experts to respond to each requirement with confidence. In addition, by adding their name to a SSPA form
they are certifying that they have read and understand the DPR. Suppliers can always add other contacts to the online tool
to assist with completing the requirements.
The Authorized Representative (see definition), is to
1. determine which requirements apply,
2. post a response to each applicable requirement, and
3. sign and submit the attestation in the Microsoft Supplier Compliance Portal.

Applicability
Suppliers are expected to respond to all applicable DPR requirements issued per the data processing profile. It is expected
that, within the issued requirements, a few may not apply to the goods or services a company provides to Microsoft. These
can be marked as ‘does not apply’ with a detailed comment for SSPA reviewers to validate.
DPR submissions are reviewed by the SSPA team for any selections of ‘does not apply’, ‘local legal conflict’ or ‘contractual
conflict’ against issued requirements. Reviewers check engagement activity associated with a supplier account to validate
the selection of ‘does not apply’. The SSPA team may ask for clarification of one or more selections. Local legal and
contract conflicts are only accepted if the supporting references are provided and the conflict is clear.

Independent Assessment Requirement


Please see the Data Processing Profile section to see the data processing approvals that execute this requirement.
Suppliers have the option to change approvals by updating their Data Processing Profile.
To secure the approvals that require independent verification of compliance, suppliers will need to select an independent
assessor to validate compliance against the DPR. The assessor is to prepare an advisory letter that provides compliance
assurances to Microsoft. This letter must be unqualified: all non-compliant issues must be resolved and remediated before
the confirmation letter is submitted to the Supplier Compliance Portal for SSPA team review. Assessors can use the sample
letter in the appendix of this guide.


Guidance on how to approach this requirement:


1. The engagement must be performed by an assessor with sufficient technical training and subject knowledge to
adequately assess compliance.
2. Assessors must be affiliated with the International Federation of Accountants (IFAC) or the American Institute of
Certified Public Accountants (AICPA), or must possess certifications from other relevant privacy and security
organizations, such as the International Association of Privacy Professionals (IAPP) or the Information Systems
Audit and Control Association (ISACA).
3. The assessor must use the most current DPR which includes the Evidence Required to support each requirement.
Suppliers will need to provide their approved DPR attestation responses to the assessor.
4. In the case of a newly enrolled supplier, the assessor will test the design of the process controls. In all other cases,
the assessor will test the effectiveness of the controls.
5. The scope of the assessment engagement is limited to the Personal Data or Microsoft Confidential Data in
connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services) under the
terms of its contract with Microsoft (e.g., Purchase Order terms, master agreement) (“Perform,” “Performing” or
“Performance”).
6. The scope of the engagement is limited to all in-scope data processing activity executed against the supplier
account number which received the request. If your company elects to assess a number of supplier accounts at one
time, the letter of attestation must include the list of supplier accounts included in the assessment.
7. The letter submitted to SSPA must not include any statements where the company cannot meet the Data
Protection Requirements as written. These issues must be corrected before the letter is submitted.
SSPA has made a list of preferred assessors available. These companies are familiar with conducting SSPA assessments.
Suppliers are expected to pay for this assessment; the costs will vary depending on the scale and scope of the data
processing.

PCI DSS Certification Requirement


The Payment Card Industry Data Security Standard (PCI DSS) is a framework for developing a robust payment card data
security process that includes prevention, detection and appropriate reaction to security incidents. The framework was
developed by the PCI Security Standards Council, a self-regulatory industry organization. The purpose of the PCI DSS
requirements is to identify technology and process vulnerabilities that pose risks to the security of cardholder data that is
Processed.
Microsoft is required to comply with these standards. If a supplier handles payment card information on Microsoft’s behalf
we require evidence of adherence to these standards. Consult the PCI Security standards council to understand the
requirements set by the PCI organization.
Depending on the volume of transactions processed, a company will either be required to have an independent assessor
validate compliance or can complete a self-assessment. The forms are located here.
Payment card brands set the thresholds for assessment type; typically:
• Level 1: Provide a PCI DSS certificate (Attestation of Compliance) issued by a third-party Qualified Security Assessor (QSA).
• Level 2 or 3: Provide a PCI DSS Self-Assessment Questionnaire (SAQ) signed by a company officer.
The SSPA program accepts both types of assessments. Submit the certification that applies and meets PCI requirements. In
either case, check that the scope described in the submitted document covers the payment card services performed for
Microsoft.


SaaS Requirement
Microsoft describes ‘Software as a Service’ (SaaS) as follows:
Delivery of software based on common code, used in a one-to-many model, on a pay-for-use basis or as a subscription
based on use metrics.
Supplier services that fit this description should select the SaaS approval. SaaS suppliers will be asked to identify the
datacenter used to host the service and provide the datacenter security certification. A valid penetration test conducted
within 12 months against the SaaS datacenter can also be submitted. The test should clearly indicate any findings. Critical
or High Findings must include planned actions.
The submission must be a file upload, we can’t accept internet links to online documents.

Use of Subcontractors
Whenever Microsoft data is shared with subcontracting companies the risk of a data incident increases. Microsoft
considers use of subcontractors a high-risk factor.
The DPR requires your company to notify Microsoft when you use third parties to process in-scope data. This can be done
through SSPA.

Data Processing Incidents


Should a privacy or security data incident occur, suppliers must inform Microsoft as detailed in the DPR.
Email [email protected] to report a data incident.


Appendix

Definitions
Key terminology in the DPR
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with
others determines the purposes and means of the Processing of Personal Data; where the purposes and means of
Processing are determined by the European Union (“EU”) or Member State Laws, the controller (or the criteria for
nominating the controller) may be designated by those Laws.
“Data Subject Right” means a Data Subject’s right to access, delete, edit, export, restrict, or object to Processing of the
Microsoft Personal Data of that Data Subject if required by Law.
“Law” means all applicable laws, rules, statutes, decrees, decisions, orders, regulations, judgments, codes, enactments,
resolutions and requirements of any government authority (federal, state, local, or international) having jurisdiction.
“Microsoft Confidential Data” is any information which, if compromised through confidentiality or integrity means, can
result in significant reputational or financial loss for Microsoft. This includes, Microsoft hardware and software products,
internal line-of-business applications, pre-release marketing materials, product license keys, and technical documentations
related to Microsoft products and services.
“Microsoft Personal Data” means any Personal Data Processed by or on behalf of Microsoft.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) and any
other information that constitutes “personal data” or “personal information” under Law; an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.
“Process” means any operation or set of operations which is performed on any Microsoft Personal Data or Confidential
Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment
or combination, restriction, erasure or destruction. “Processing” and “Processed” will have corresponding meanings.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on
behalf of the Controller.
“Authorized Representative” is a person that has the appropriate level of authority to sign on behalf of the company.
This person would have the requisite privacy and security knowledge or have consulted a subject matter expert prior to
submitting their response to an SSPA Program action. In addition, by adding their name to a SSPA form they are certifying
that they have read and understand the DPR.


Sample Independent Assessment Letter


On completion of an independent assessment, the assessor can prepare an unqualified letter of attestation based on the
sample outline below. This is intended as a guide. Note that the sample is worded as an opinion on the design of controls,
which is the test applied to newly enrolled suppliers; for all other suppliers the assessor tests the effectiveness of the
controls (see item 4 of the guidance above), and the letter wording should reflect that.

<Assessor company letterhead>


Date
Supplier Name
Supplier Address
Location assessed (append if multiple locations).
We have examined the design of _______ (the “Company”) controls as of _______<assessment date>, over Microsoft
Personal Data and/or Microsoft Confidential Data as defined in and in connection with the applicable sections and
requirements of the Microsoft Supplier Data Protection Requirements (DPR), version __, to provide reasonable assurance
that the controls were designed in conformity with the DPR and that the design of these controls complies with the DPR.
The Company’s management is responsible for the adequate design of these controls and compliance with the DPR. Our
responsibility is to express an opinion on the design of these controls and the Company’s compliance based on our
examination.
Our examination included (1) obtaining an understanding of the design of the Company’s controls over the privacy and
security of Microsoft Personal Data and Microsoft Confidential Data; and (2) performing such other procedures as we
considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.
Because of inherent limitations, controls may not prevent, detect or correct errors or fraud which may occur. Also,
projections of any evaluation of adequate design to future periods are subject to the risk that controls may become
inadequate because of change in conditions, or that the degree of compliance with the policies and procedures may
deteriorate.
In our opinion, as of ______ <date> the Company in all material respects has adequately designed controls over the
Microsoft Personal Data and/or Microsoft Confidential Data in its possession to provide reasonable assurance that this
data is managed in conformity with the DPR.
This report is intended solely for the information and use of the Company and Microsoft and is not intended to be and
should not be used by anyone other than these specified parties.

Signature of Assessor
Assessor Name and Title
