Microsoft’s SSPA DPR Self-Assessment – Consult First.

NOTE: This blog post is part-2 of a series on understanding Microsoft’s SSPA and how to adhere to its applicability and data protection requirements. Click here for part-1 of the series, “Understanding Microsoft’s SSPA Applicability and DPR”.

One of the first steps in your Microsoft Supplier Security and Privacy Assurance (SSPA) journey is to correctly submit your Data Protection Requirements (DPR) “SSPA Applicability” self-assessment. This sets the stage for the requirements and the level of testing you will go through via an independent auditor. It is very important to get “SSPA Applicability” right, for a smooth, efficient audit.  Getting it wrong can lead to hours of re-work and unnecessary back and forth with your Microsoft buyer and vendor management team at or


It is essential to align your “SSPA Applicability” profile with the service you are providing to Microsoft.   Specifically, applicability relates to the type or types of data being processed, transmitted or exchanged.

Note the data types listed above are examples and not an exhaustive list.

Then taking into account the various mediums the data is being collected, processed, possibly shared with third-party subcontractors, and most importantly, the “intended” use of the data as described in your Microsoft contract, can make the self-assessment daunting.  Additionally, Microsoft sets its own back office profile of your organization based on the language of any active Master Service Agreement (MSA), Statement of Work (SOW) or Purchase Order (PO). We have seen some instances where the back-office understanding, per the SOW, diverges from the actual data handling of the Microsoft supplier.   Alignment early in the SSPA process is key to save effort, time and cost.

Apply Vs Does Not Apply

Another mistake is over or under prescribing your Applicability against the DPR. We often see Suppliers incorrectly complete their DPR self-assessments which immediately sets their organization off on the wrong foot. Some Suppliers want to promote themselves as being “Compliant” in an effort to please Microsoft.  They submit as “Compliant” across all DPR questions which then means that all of the DPR criterial will apply to them, which may not be the case. This then creates a high-risk supplier profile on the Microsoft side. To get this profile changed can eat up precious time and resources.  To further complicate things, if a Supplier responds to any DPR question as “Does Not Apply”, it is important to provide a concise comment as to why. Also, to under prescribe, may flag your organization to MSFT which potentially will cause re-work of your SSPA assessment.

Consult First with Connor

There are many ways to send a Self-Assessment down a long, windy road, but with guidance from the experts at Connor, the organization can get on the right, and efficient, path.  We are happy to walk you through the DPR self-assessment at whatever stage of submission you are in. We have experts in e-commerce platforms, client registration applications, webpages and the use of third-party subcontractors. Let us guide you in establishing your applicability correctly for a smooth and more efficient process

At Connor, our mission is to help our customers remove the barriers to innovation. With our expert support, you can bolster your organization’s Security and Data Privacy baseline, meet compliance requirements with Microsoft’s SSPA program, and ensure you remain in good standing with your customers. To learn more about our Microsoft services and approach, visit our website here.

If you would like to speak with our experts, please contact us at or