Microsoft Procurement

Supplier Security & Privacy Assurance (SSPA)

Program Guide
Version 7
November 2020
Introduction
At Microsoft, we believe privacy is a fundamental right. In our mission to empower every individual
and organization on the planet to achieve more, we strive to earn and maintain the trust of our
customers every day.
Strong privacy and security practices are critical to our mission, essential to customer trust, and in
several jurisdictions, required by law. The standards captured in Microsoft’s privacy and security
policies reflect our values as a company and these extend to our suppliers (such as your company)
that Process Microsoft data on our behalf.
The Supplier Security and Privacy Assurance (“SSPA”) Program is Microsoft’s corporate program in
place to deliver Microsoft’s baseline data processing instructions to our suppliers, in the form of the
Microsoft Supplier Data Protection Requirements (“DPR”), available on SSPA on
Microsoft.com/Procurement. Note that suppliers may have to meet additional organizational level
requirements that are decided and communicated outside of SSPA by the Microsoft group
responsible for the engagement with supplier.
Key SSPA terms are defined in the DPR. To learn more about the program, read our Frequently Asked
Questions (FAQs) and engage our global team by writing to [email protected].

SSPA Program Overview

SSPA is a partnership between Microsoft Procurement, Corporate External and Legal Affairs, and
Corporate Security to ensure privacy and security principles are followed by our suppliers.
The scope of SSPA covers all suppliers globally that Process Personal Data or Microsoft Confidential
Data in connection with that supplier’s performance (e.g., provision of services, software licenses,
cloud services), under the terms of its contract with Microsoft (e.g., Purchase Order terms, master
agreement) (“Perform,” “Performing” or “Performance”).
SSPA enables the supplier to make data processing profile selections that align to the goods and/or
services you are contracted to Perform. These selections trigger corresponding requirements to
provide compliance assurances to Microsoft.
All enrolled suppliers will complete a self-attestation of compliance to the DPR annually. Your
data processing profile determines whether the full DPR is issued or if a subset of requirements
applies. Suppliers that process data that Microsoft considers higher risk may also need to meet
additional requirements, such as providing independent verification of compliance.

Page 2 Microsoft Confidential | v.7

Important: Compliance activities determine an SSPA status of Green (compliant) or Red (non-
compliant). Microsoft purchasing tools validate the SSPA status is Green (for each supplier in scope
for SSPA) prior to allowing an engagement to move forward.

SSPA Process Diagram – New Supplier Enrollment

SSPA Process Diagram – Annual Supplier Renewal

SSPA Scope
To help determine whether you (the supplier) Processes Personal Data and/or Microsoft Confidential
Data, see the list of examples in the tables below. Please note that these are examples and not an
exhaustive list.
Note: a Microsoft business owner may ask for an enrollment outside of this list considering the
confidential nature of the data processed.
Page 3 Microsoft Confidential | v.7
Personal Data by Data Type
Examples include but are not limited to:
Sensitive Data
Data related to children
Genetic data, Biometric data, or Health data
Racial or ethnic origin
Political, Religious, or philosophical beliefs, opinions, and affiliations
Trade union membership
A natural person's sex life or sexual orientation
Immigration status (visa; work authorization etc.)
Government Identifiers (passport; driver’s license; visa; social security numbers; national identity
numbers)
Precise user location data (within 300 meters)
Customer Content Data
Documents, photos, videos, music, etc.
Reviews and/or ratings entered in a product or service
Survey responses
Browsing history, interests, and favorites
Inking, typing and speech utterance (voice/audio and/or chat/bot)
Credential data (passwords, password hints, username, biometric data used for identification)
Customer data associated with a support case

Page 4 Microsoft Confidential | v.7

 Captured and Generated Data
Imprecise location data
IP address
Device preferences and personalization
Service usage for websites, webpage click tracking
Social media data, social graph relationships
Activity data from connected devices such as fitness monitors
Contact data such as name, address, phone number, email address, date of birth, dependent and
emergency contacts
Fraud and risk assessment, background check
Insurance, pension, benefit detail
Candidate resumes, interview notes/feedback
Account Data
Payment instrument data
Credit card number and expiration date
Bank routing information
Bank account number
Credit requests or line of credit
Tax documents and identifiers
Investment or expense data
Corporate cards
End-user Pseudonymized Information (EUPI)
(Identifiers created by Microsoft to identify users of Microsoft products and services)

Globally Unique Identifier (GUID)

Passport User ID or Unique Identifier (PUID)
Hashed End-User Identifiable Information (EUII)
Session IDs
Device IDs
Diagnostic data
Log data

Page 5 Microsoft Confidential | v.7

Microsoft Confidential Data by Data Class
Examples include but not limited to:
Highly Confidential
Information concerning or related to the development, testing, or manufacturing of Microsoft
Products or components of Microsoft Products
Microsoft software, online services, services or hardware sold commercially in any channel is
considered “Microsoft Product”
Microsoft device pre-release marketing information
Unannounced Microsoft corporate financial data subject to SEC rules
Confidential
Microsoft product license keys on behalf of Microsoft for distribution via any method
Information concerning or related to the development or testing of Microsoft internal Line of
Business (LOB) applications
Microsoft pre-release marketing materials for Microsoft software and services such as Office, SQL,
Azure, etc.
Written, design, electronic, or print documentation for any Microsoft services or products, such as
devices (process or procedure guides, configuration data, etc.)
Important: A Microsoft business owner may require participation for data not included in this list.

Data Processing Profile

Microsoft suppliers have full control over their SSPA data processing profile.
This allows suppliers to decide which engagements they want to be eligible to Perform. Pay careful
attention to the selections and consider the compliance activity that must be completed to achieve
the approval. See the “Assurance Requirements” Section below and Appendix A.
Microsoft business groups will only be able to create engagements with suppliers where the data
processing activity matches the approvals the supplier obtained.
Suppliers will be able to update their data processing profile at any time during the year if there are
no open tasks. When a change is made, the corresponding activity will be issued and must be
completed before the approvals are secured. The existing, completed approvals will apply until newly
issued requirements are completed.
If the newly executed tasks are not completed within the 90-day time frame allowed, the SSPA status
will turn to RED and the account is at risk of being deactivated from Microsoft Accounts Payable
systems.

Page 6 Microsoft Confidential | v.7

Warning: If you start a profile update before the annual renewal, but decide not to make any
changes, the system will still execute the corresponding requirements which will need to be
completed again.

Data Processing Approvals

Data Processing Scope
1 ▪ Confidential
▪ Personal, Confidential
Data Processing Location
2 ▪ At Microsoft or Customer
▪ At Supplier
Data Processing Role
3 ▪ Controller (Independent or Joint Controller)
▪ Processor (Processor or Sub-processor)
Payment Card Processing
4 ▪ Yes
▪ Not Applicable
Software as a Service
5 ▪ Yes
▪ Not Applicable
Use of Subcontractors
6 ▪ Yes
▪ Not Applicable

Approval Considerations
Data Processing Scope
Confidential
Select this approval if the supplier’s Performance will involve Processing of only Microsoft Confidential
Data. Please review definitions in the DPR.
If you select this approval you will not be eligible for Personal Data processing engagements.
Personal, Confidential
Select this approval if the supplier’s Performance will involve Processing of Personal Data and
Microsoft Confidential Data. Please review definitions in the DPR.

Page 7 Microsoft Confidential | v.7

___________________

Processing Location
At Microsoft or Customer
Select this approval if supplier’s Performance involves supplier’s Processing of data within the
Microsoft network environment where staff use @microsoft.com access credentials or within the
environment of a Microsoft’s customer.
Do not select this option under these circumstances:
• Supplier manages a Microsoft designated offshore facility (OF).
• Supplier provides resources to Microsoft and they work on and off the Microsoft
network at times. The processing location for working off-network is considered “at
supplier.”

At Supplier
If the condition “At Microsoft or Customer” (as described above) does not apply, select this option.
____________________

Data Processing Role

Controller (covers independent and joint controllers)
Select this approval if all aspects of Performance by supplier meet the Controller data processing role
definition (see DPR).
If you select this approval you will not be eligible for Personal Data processing with the ‘Processor’
role designation. If supplier is both a Processor and a Controller to Microsoft, do not select
‘Controller’ and rather, select Processor.
Processor (covers processors and sub-processors)
This is the most common processing role when suppliers process data on behalf of Microsoft. Please
review definitions of Processor and Sub-Processor in the DPR.
____________________

Payment Card Processing

Select this approval if any part of the data Processed by supplier includes data to support credit card
or other payment card processing on behalf of Microsoft.
This approval allows a supplier to engage in payment card processing engagements.
____________________

Page 8 Microsoft Confidential | v.7

Software as a Service (SaaS)
Select this approval if suppliers’ Performance involves provision of a service to Microsoft using
Internet-based technology covering access and use of server, storage networking and data centers.
The supplier Processes the data outside of Microsoft’s premise or environment. Examples of Cloud
Services include software as a service (or “SaaS”), platform as a service (or “PaaS”), and infrastructure
as a service (or “IaaS”).

Microsoft defines “SaaS” as a delivery of software functions via an Internet based mechanism, based
on common code, used in a one-to-many model, on a pay-for-use basis or as a subscription based on
use metrics.

Use of Subcontractors
Select this approval if supplier uses Subcontractors to Perform. Please review definitions in the DPR.

Assurance Requirements
Requirements based on Profile Approvals
The approvals selected by the supplier in their data processing profile assists SSPA in assessing the
risk level of Microsoft’s engagement(s) with the supplier from a data processing perspective.
Suppliers’ SSPA compliance requirements differ based on the supplier approvals in the supplier
profiles. This section explains the different SSPA requirements.
There are also combinations that may elevate or reduce compliance requirements. The combinations
are captured in Appendix A and this is what you can expect to execute from the Supplier Compliance
Portal upon completing your profile. You can always validate how your scenario fits into this
framework by requesting an SSPA team review.
Action: Find your approval profile in Appendix A and review the corresponding assurance
requirements and Independent Assurance options, if applicable.
Important: If you are selecting in your profile Software as a Service (SaaS), Subcontractors, website
hosting, or payment cards additional assurance is required.

Self-Attestation to the DPR

All suppliers enrolled in SSPA must complete a self-attestation of compliance to the DPR within 90
days of receiving the request. This request will be provided on an annual basis but may be more
frequent if the data processing profile is updated mid-year. Supplier accounts will change to an SSPA
status of RED (non-compliant) if the 90-day period is exceeded. New in-scope purchase orders cannot
process until the SSPA status turns to Green (compliant).

Page 9 Microsoft Confidential | v.7

Newly enrolled suppliers must complete requirements, per approval selections, to secure a SSPA
status of Green (compliant) before engagements can begin.
As noted, the data processing profile determines whether the full DPR is issued, or if only a subset
applies. These approvals can be changed throughout the year, but each time a change is made,
associated requirements must be completed for the change to take effect.
Important: The SSPA team is not authorized to provide extensions for this task.
Authorized representatives that will complete the self-attestation should ensure they have sufficient
information from subject matter experts to reply to each requirement with confidence. In addition, by
adding their name to a SSPA form they are certifying that they have read and understand the DPR.
Suppliers can always add other contacts to the online tool to assist with completing the requirements.
The Authorized Representative (see definition), is to:
1. Determine which requirements apply.
2. Post a response to each applicable requirement.
3. Sign and submit the attestation in the Microsoft Supplier Compliance Portal.

Applicability
Suppliers are expected to respond to all applicable DPR requirements issued per the data processing
profile. It is expected that, within the issued requirements, a few may not apply to the goods or
services the supplier provides to Microsoft. These can be marked as ‘does not apply’ with a detailed
comment for SSPA reviewers to validate.
DPR submissions are reviewed by the SSPA team for any selections of ‘does not apply’, ‘local legal
conflict’ or ‘contractual conflict’ against issued requirements. Reviewers check engagement activity
associated with a supplier account to validate the selection of ‘does not apply’. The SSPA team may
ask for clarification of one or more selections. Local legal and contract conflicts are only accepted if
the supporting references are provided and the conflict is clear.

Independent Assessment Requirement

Please see the Requirements by Approvals section in Appendix A to see the data processing approvals
that trigger this requirement.
Suppliers have the option to change approvals by updating their Data Processing Profile.
To secure the approvals that require independent verification of compliance, suppliers will need to
select an independent assessor to validate compliance against the DPR. The assessor is to prepare an
advisory letter to provide compliance assurances to Microsoft. This letter must be unqualified, and all
non-compliant issues must be resolved and remediated before the confirmation letter is submitted to
the Microsoft Supplier Compliance Portal for SSPA team review. Assessors can contact us for an
approved advisory letter template by emailing [email protected].

Page 10 Microsoft Confidential | v.7

Appendix A includes acceptable certification alternatives if you elect not to use an independent
assessor to verify compliance to the DPR (when applicable, such as for SaaS suppliers, website hosting
suppliers or suppliers with Subcontractors). The ISO 27701 (privacy) and ISO 27001 (security) are
relied on as providing close mapping to the Data Protection Requirements (DPR).
Important: SOC 2 reports (with security coverage) will not be accepted beyond December 2021.
SSPA may execute an independent assessment manually if circumstances beyond standard triggers
warrant the additional due diligence. This could be a request from division privacy or security;
validation of data incident remediation; requirement for automated data subject rights execution.
Guidance on how to approach this requirement:
1. The engagement must be performed by an assessor with sufficient technical training and
subject knowledge to adequately assess compliance.
2. Assessors must be affiliated with the International Federation of Accountants (IFAC) or the
American Institute of Certified Public Accountants (AICPA), or must possess certifications from
other relevant privacy and security organizations, such as the International Association of
Privacy Professionals (IAPP) or the Information Systems Audit and Control Association (ISACA).
3. The assessor must use the most current DPR which includes the evidence required to support
each requirement. Suppliers will need to provide their most recently approved DPR
attestation responses to the assessor.
4. In the case of a newly enrolled supplier, the assessor will test the design of the process controls.
In all other cases, the assessor will test the effectiveness of the controls.
5. The scope of the assessment engagement is limited to the Microsoft Personal Data or Microsoft
Confidential Data in connection with that supplier’s Performance.
6. The scope of the engagement is limited to all in-scope data processing activity executed against
the supplier account number which received the request. If the supplier elects to more than one
supplier account at one time, the letter of attestation must include the list of supplier
accounts included in the assessment and associated addresses.
7. The letter submitted to SSPA must not include any statements where the supplier cannot meet
the Data Protection Requirements as written. These issues must be corrected before the letter is
submitted.
SSPA has made a list of preferred assessors available. These companies are familiar with conducting
SSPA assessments. Suppliers are expected to pay for this assessment; the costs will vary depending on
the scale and scope of the data processing.

Page 11 Microsoft Confidential | v.7

PCI DSS Certification Requirement
The Payment Card Industry Data Security Standard (PCI DSS) is a framework for developing robust
payment card data security that includes prevention, detection, and appropriate reaction to security
incidents. The framework was developed by the PCI Security Standards Council, a self-regulatory
industry organization. The purpose of the PCI DSS requirements is to identify technology and process
vulnerabilities that pose risks to the security of cardholder data that is processed.
Microsoft is required to comply with these standards. If a supplier handles payment card information
on Microsoft’s behalf, we require evidence of adherence to these standards. Consult the PCI Security
standards council to understand the requirements set by the PCI organization.
Depending on the volume of transactions processed a supplier will either be required to have a
Qualified Security Assessor certify compliance or can complete a self-assessment form.
Payment card brands set the thresholds for assessment type, typically:
• Level 1: Provide a 3rd Party Assessor PCI DSS certificate
• Level 2 or 3: Provide a PCI DSS Self-Assessment Questionnaire (SAQ) signed by the supplier’s
officer.
The SSPA program accepts both types of assessments. Submit the certification that applies and meets
PCI requirements.

SaaS Requirement
Suppliers that provide Software-as-a-Service to Microsoft must provide a valid ISO 27001 certification
providing functional coverage of the software service managed by the supplier.
Please note, SSPA is not expecting the third-party datacenter certification as in the past – we expect
the ISO 27001 certification of the software service(s) provided to Microsoft and noted in your contract
with Microsoft.

Use of Subcontractors
Microsoft considers use of subcontractors a high-risk factor.
The DPR requires suppliers to notify Microsoft when suppliers use third parties to process in-scope
data. This can be done through SSPA.

Page 12 Microsoft Confidential | v.7

Data Incidents
If a supplier becomes aware of a privacy or security data incident, suppliers must inform Microsoft as
detailed in the DPR. See applicable definition in Appendix B.
Email [email protected] using the following template: Report a Data Incident. Be sure to
include:
• Data Incident Date:
• Supplier Name:
• Supplier Number:
• Microsoft Contact(s) Notified:
• Associated PO, if applicable/available:
• Summary of the Data Incident:

Page 13 Microsoft Confidential | v.7

Appendix A
Requirements based on Profile Approvals
Assurance Independent
# Profile
Requirements Assurance Options
Scope: Personal, Confidential
Processing Location: At Microsoft or
Customer
Processing Role: Processor or Controller
Self-attestation of
1 Data Class: Confidential or Highly Confidential compliance to the
Payment Cards: Not Applicable DPR

SaaS: Not Applicable

Use of Subcontractors: Not Applicable
Website Hosting: Not Applicable
Scope: Confidential
Processing Location: At Supplier
Processing Role: Processor
Data Class: Confidential Self-attestation of
2 compliance to the
Payment Cards: Not Applicable DPR
SaaS: Not Applicable
Use of Subcontractors: Not Applicable
Website Hosting: Not Applicable
Scope: Confidential Independent
Assurance options:
Processing Location: At Supplier
1. Complete an
Processing Role: Processor Self-attestation of Independent
Data Class: Highly Confidential compliance to the Assessment
DPR against the DPR,
Payment Cards: Not Applicable
3 and or
SaaS: Not Applicable
2. Submit ISO 27001,
Independent
Use of Subcontractors: Not Applicable or
Assurance of
Website Hosting: Not Applicable 3. Submit SOC 2 with
compliance
Security Trust
Criteria (this
option retires in
December 2021)

Page 14 Microsoft Confidential | v.7

 Assurance Independent
# Profile
Requirements Assurance Options
Scope: Personal, Confidential
Independent
Processing Location: At Supplier Self-attestation of Assurance options:
Processing Role: Processor compliance to the
DPR 1. Complete an
Data Class: Highly Confidential Independent
4 and
Payment Cards: Not Applicable Assessment
Independent against the DPR,
SaaS: Not Applicable Assurance of or
Use of Subcontractors: Not Applicable compliance 2. Submit ISO 27701
and ISO 27001
Website Hosting: Not Applicable
Scope: Personal, Confidential
Processing Location: At Supplier
Processing Role: Processor
Data Class: Confidential Self-attestation of
5 compliance to the
Payment Cards: Not Applicable DPR
SaaS: Not Applicable
Use of Subcontractors: Not Applicable
Website Hosting: Not Applicable
Scope: Personal, Confidential
Processing Location: At Supplier
Processing Role: Controller
Data Class: Highly Confidential or Confidential Self-attestation of
6 compliance to the
Payment Cards: Not Applicable DPR
SaaS: Not Applicable
Use of Subcontractors: Not Applicable
Website Hosting: Not Applicable

Page 15 Microsoft Confidential | v.7

 Assurance Independent
# Profile
Requirements Assurance Options
Impact of adding SaaS, Subcontractors, Website Hosting
Scope: Personal, Confidential
Self-attestation of Independent
Processing Location: At Supplier compliance to the Assurance options:
Processing Role: Processor DPR
1. Complete
Data Class: Highly Confidential or Confidential and Independent
7
Payment Cards: Not Applicable Independent Assessment
Assurance of against the DPR,
Subcontractors: YES or or
compliance
SaaS: YES or 2. Submit ISO 27701
and ISO 27001
Website Hosting: YES
Scope: Personal, Confidential
Processing Location: At Supplier
Processing Role: Controller Self-attestation of
Data Class: Highly Confidential or Confidential compliance to the
8 DPR
Payment Cards: Not Applicable
Subcontractors: YES or
SaaS: YES or
Website Hosting: YES

Page 16 Microsoft Confidential | v.7

 Profile Assurance Independent Assurance Options
#
Requirements
Additional assurance for Payment Cards and SaaS
Any of the profiles above and Above requirements
Payment Cards that apply and
9 Submit PCI DSS Certification
Payment Card
Industry assurance
Any of the profiles above and Above requirements
Software as a Service (SaaS) that apply and
Submit an ISO 27001
submit your
certification with functional
contractually
10 coverage of the service(s)
required ISO 27001
certification provided.
covering the
functional services.

Page 17 Microsoft Confidential | v.7