A Guide to Microsoft’s Supplier Security Privacy Assurance (SSPA) Program

Today’s information age mandates that organizations take appropriate action to ensure effective security and privacy practices are embedded throughout the entire organization. The effectiveness of those practices should be assessed continually to ensure they remain adequate and sufficient to support the organization’s ever-changing risk profile. It’s imperative that organizations assess not only their own privacy and security hygiene but also the hygiene of their vendors and subprocessors.

What is Microsoft’s SSPA?

Microsoft created the Supplier Security and Privacy Assurance (“SSPA”) Program to establish and communicate its Data Protection Requirements (DPR) to suppliers (i.e., vendors, subprocessors, etc.) that process personal data and/or Microsoft confidential data. Microsoft’s DPR includes 52 control activities spread across the following sections:

  • Section A: Management
  • Section B: Notice
  • Section C: Choice and Consent
  • Section D: Collection
  • Section E: Retention
  • Section F: Data Subjects
  • Section G: Subcontractors
  • Section H: Quality
  • Section I: Monitoring and Enforcement
  • Section J: Security

Factors That Affect the Microsoft SSPA

The SSPA requires an annual assessment (or more frequent assessments, as determined by Microsoft) against the DPR to ensure the supplier remains compliant. The type of assessment depends on the supplier’s data processing profile, which is made up of several factors (Microsoft refers to these as approvals):

  • Type of data processed (Scope)
  • Data processing location
  • Data processing role
  • Payment card processing
  • Software as a service
  • Use of subcontractors

Scope (Personal Data & Microsoft Confidential Data)

Microsoft’s suppliers that process personal data and/or Microsoft confidential data are subject to Microsoft’s SSPA. Microsoft describes the two data types and provides examples of each in its program guide, but states that the examples are merely examples and should not be considered exhaustive. During the SSPA review process, Microsoft may determine that other data types processed by the supplier also constitute personal or confidential data.

Data Processing Location

Data processing location refers to where the processing of in-scope data types takes place. Consideration is given not only to geographic location, but also to the ownership and management of the systems used to process the data (e.g., whether the supplier uses Microsoft-managed systems and credentials).

Payment Card Processing

This approval is applicable to suppliers that support the processing of payment card transactions on behalf of Microsoft.

Software as a Service

Suppliers that provide cloud-based applications over the internet fall under the Software as a Service (SaaS) approval. As noted in Microsoft’s program guide, the SaaS approval also covers other cloud-based services such as platform as a service (PaaS) and infrastructure as a service (IaaS).

Use of Subcontractors

A supplier’s use of subcontractors is also a determining factor in the evaluation of its data processing profile. The use of subcontractors is considered a high-risk factor and must be disclosed within the SSPA, along with the locations where the subcontractors will process data. It should be noted that this approval typically applies to the SaaS suppliers noted above, because third-party cloud infrastructure providers (subservice organizations) are usually involved in hosting the SaaS platform.

Audits and Assessments

Once a supplier’s data processing profile has been established, Microsoft asks the supplier to perform assessments commensurate with the assessed level of risk. Audits and assessments against Microsoft’s DPR may include a combination of self-attestations, independent assessments, and evidence of recognized certifications (e.g., PCI DSS, ISO, HITRUST). The level and combination of assurance requirements differ based on the supplier’s data processing profile and associated approvals. Microsoft provides several illustrative examples in its program guide of the assurance requirements a supplier may be asked to meet. Two are reproduced below to show the different levels of required assurance:

Example #1

  • Profile
    • Scope: Personal, Confidential
    • Processing Location: At Microsoft or Customer
    • Processing Role: Processor or Controller
    • Data Class: Confidential or Highly Confidential
    • Payment Cards: N/A
    • SaaS: N/A
    • Use of Subcontractors: N/A
    • Website Hosting: N/A
    • Healthcare: N/A
  • Assurance Requirements
    • Self-attestation of compliance with the DPR

Example #2

  • Profile
    • Scope: Personal, Confidential
    • Processing Location: At Supplier
    • Processing Role: Processor
    • Data Class: Highly Confidential
    • Payment Cards: N/A
    • SaaS: N/A
    • Use of Subcontractors: N/A
    • Website Hosting: N/A
    • Healthcare: N/A
  • Assurance Requirements
    • Self-attestation of compliance with the DPR, and
    • Independent assurance of compliance
  • Independent Assurance Options
    • Complete an independent assessment against the full DPR, or
    • Complete an independent assessment against sections A–I of the DPR and submit an ISO/IEC 27001:2022 certification, or
    • Submit ISO/IEC 27701 and ISO/IEC 27001:2022 certifications
Independent Assurance of SSPA Compliance

When required by Microsoft, suppliers will need to select an independent assessor to validate compliance against the DPR. As noted in Microsoft’s program guide, “assessors must be affiliated with the International Federation of Accountants (IFAC) or the American Institute of Certified Public Accountants (AICPA), or must possess certifications from other relevant privacy and security organizations, such as the International Association of Privacy Professionals (IAPP) or the Information Systems Audit and Control Association (ISACA).”

Upon completion of the assessment, the independent assessor provides the supplier with an advisory letter attesting to the supplier’s compliance with Microsoft’s DPR. The letter must be unqualified: all findings of non-compliance must be remediated before the supplier submits the letter to the Microsoft Supplier Compliance Portal for review by the SSPA team. Microsoft has prepared an advisory letter template that the independent assessor should use.

Conclusion

Microsoft’s development of the SSPA program demonstrates its commitment to maintaining the confidentiality and security of company and customer data. Requiring suppliers to provide regular attestations against an established set of data protection requirements shows that Microsoft understands the privacy and security risks that exist within its supplier relationships.

From time to time, we receive inquiries regarding our ability to perform SSPA assessments. As noted in Microsoft’s SSPA program guide, because Linford & Company LLP is affiliated with the AICPA and our personnel have the required training, experience, and certifications, we are able to perform these assessments. It’s also important to note that Microsoft requires assessment requests to be fulfilled within 90 days of receiving the request. Therefore, it’s critical that suppliers partner with an audit firm that is able to meet Microsoft’s 90-day requirement. Because Linford strives to reduce overhead and remain nimble, helping clients meet a 90-day turnaround requirement is no problem at all.

If you have further questions regarding Microsoft’s SSPA program please contact us for further assistance.