Understanding Microsoft’s SSPA Applicability and DPR

If you operate in the Information Technology space, it is highly likely that you either use, or may provide services to, Microsoft. Alternatively, if you have an opportunity to become a Supplier to Microsoft Corporation, then you will need to establish a Security and Data Privacy baseline.

Scope – Data involved

Microsoft’s in-house developed Supplier Security and Privacy Assurance (SSPA) program is an annual requirement once you become an active Microsoft supplier. The scope of the SSPA covers all suppliers globally that process Personal Data and/or Microsoft Confidential Data in connection with any active Master Service Agreement (MSA), Statement of Work (SOW) or Purchase Order (PO).

Data types across Microsoft are extensive, and the program has been developed to accommodate all data use cases whilst taking into account global regulations, companies across all industry types, and suppliers of all sizes, from small startups to multi-conglomerates. No mean feat.


Whether you are well into your Governance, Risk and Compliance (GRC) journey or maturing enough that clients are asking for some level of assurance, the SSPA program can be leveraged to establish a strong baseline. The key to any supplier compliance program is defining what information is needed and being collected. Microsoft’s SSPA requires you to establish your “Applicability” and then have it independently assessed against their Data Protection Requirements (DPR). Connor is well versed in the nuances of determining whether a DPR requirement will apply to your service and can get you set up correctly.

Data Protection Requirements

The DPR is made up of 10 categories that follow a Data Governance lifecycle model. It is very similar to the Gramm-Leach-Bliley Act (GLB Act or GLBA) and has elements of the EU GDPR requirements but, most importantly, has Microsoft MSA contractual terms and conditions woven in.

At a high level the principles are:

  • Microsoft Data can only be used in accordance with or as intended via an active and approved MSA
  • Microsoft employees or Microsoft affiliates must be notified of data sharing between financial institutions and third parties and must have the ability to opt in/out of private information sharing
  • Data Subject Rights must be established and actionable in a timely manner
  • Microsoft Data must be secured against unauthorized access
  • User activity must be tracked, including any attempts to access protected records
  • Suppliers must have an incident response plan and both Security and Data Privacy training

You can see the 10 Categories listed in the diagram below.

Additionally, Microsoft categorizes your organization via an SSPA Data Processing Profile, which is self-managed via the Aravo Supplier Portal. Navigating this portal can be challenging, but it is important to track your status, Active Green (compliant) vs Suspended Red (non-compliant), and to comply with tasks that are issued with a 90-day compliance deadline.

Partner with Experts for Your SSPA Independent Assessment

If you have just received your notification from Microsoft that a self-assessment or independent assessment is due, or if you need assistance with known gaps or remediation, Connor’s global team of GRC experts can partner with you. Our team provides deep expertise in Microsoft’s SSPA program, from the determination of “Applicability” and assistance in deciphering their Data Protection Requirements to access to our extensive library of core policy and procedure documents, which you can leverage and adapt to your organization.

At Connor, our mission is to help our customers remove the barriers to innovation. With our expert support, you can bolster your organization’s Security and Data Privacy baseline, meet compliance requirements with Microsoft’s SSPA program, and ensure you remain in good standing with your customers. To learn more about our Microsoft SSPA services and approach, visit our website here.

If you would like to speak with our experts, please contact us at Anthony@connor-consulting.com or SSPA@Connor-consulting.com.