Meet Microsoft’s Supplier Security and Privacy Assurance requirements.
The Microsoft Supplier Security and Privacy Assurance (SSPA) program sets data protection requirements for suppliers that process Microsoft personal and confidential data. Suppliers must comply with the Microsoft Data Protection Requirements (DPR) and may need an independent assessment.
SSPA compliance is required for vendors and suppliers in Microsoft’s supply chain that handle Microsoft personal or confidential data.
Who needs Microsoft SSPA?
Microsoft suppliers
Any vendor processing Microsoft personal or confidential data as part of a supplier relationship.
Subprocessors
Organizations that process Microsoft data on behalf of a Microsoft supplier.
Key components
Data Protection Requirements
Microsoft’s detailed DPR covering privacy and security obligations.
Data Processing Profile
Defines the type of data processing the supplier performs.
Independent assessment
Suppliers with higher-risk Data Processing Profiles must obtain an independent assessment of their DPR compliance from a third-party assessor, in addition to self-attestation.
Annual attestation
Suppliers reconfirm compliance through the SSPA program each year.
How DSALTA helps with Microsoft SSPA
Activate Microsoft SSPA
Select Microsoft SSPA from the Frameworks page. DSALTA maps the DPR to controls.
Frequently asked questions
Who must comply with SSPA?
Suppliers processing Microsoft personal or confidential data, as determined by their Data Processing Profile.
Do I always need an independent assessor?
Not always. Lower-risk processing may qualify for self-attestation, while higher-risk profiles require independent assessment.