Microsoft's SSPA and DPR Explained


Microsoft's SSPA and DPR Explained

You may well have landed here as a result of receiving a notification from Microsoft that you are ‘in the Supplier Security and Privacy Assurance (SSPA) Programme!

What does it mean to be in the SSPA Programme and what do you have to do to ‘pass’ and get your invoices paid!?

Microsoft’s own programme guide sums it up; “Strong privacy and security practices are critical to our mission, essential to customer trust, and in several jurisdictions required by law. The standards captured in Microsoft’s privacy and security policies reflect our values as a Company and these extend to our suppliers that process Microsoft data on our behalf.”

Notice the blend of ‘strong privacy and security practices’. If you’re familiar with the GDPR requirements of Article 28, you will recognise some of the key driving forces. The supplier shall;

  • take all measures required pursuant to Article 32 (security of processing),
  • implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject

SSPA helps Microsoft comply with its GDPR obligations, but then extends those controls beyond the processing of just personal data and includes the processing and protection of its commercially confidential data too.

To ensure their supply chain maintains robust privacy and security practices, Microsoft builds SSPA compliance into the supply contract; they are part of the purchase order or contract. If you are required to be part of the programme and fail to maintain a ‘green’ compliant status, your invoices will not be paid.

Will I be asked to ‘join’ the programme?

If you handle/process personal data on behalf of Microsoft, then you can expect to be enrolled in the programme. The current SSPA Guide provides examples of personal data, something all EU based controllers and processors should already be familiar with. It’s a comprehensive list and includes items some organisations may have missed! e.g. Imprecise location data, speech utterance (voice/audio and or chatbot), webpage click tracking etc.

If you process Confidential or Highly Confidential data on behalf of Microsoft, then you can also expect to be enrolled in the programme. Examples of highly confidential data include device pre-release marketing information and information relating to development, testing or manufacture of Microsoft products.

The Data Protection Requirements (DPRs), or how do I ‘pass’

SSPA is built on fifty-six data protection requirements (DPRs) against which your organisation will be assessed. Dependant on what Microsoft data you process, you may not be required to comply with all fifty-six.

The DPRs are split into 10 Sections A through J, each with a varying number of requirements.











Choice and Consent









Data Subjects



Disclosure to Third Parties






Monitoring and Enforcement






Greater emphasis is placed on different Sections, which is reflected in the number of requirements each Section has. Security, Data Subjects and Disclosure to third parties accounts for over 60% of the assessment.

Figure 1: Number of individual requirements in each Section


All SSPA enrolled suppliers are required to submit an attestation of compliance to the DPRs within 90 days of receiving the request. Many will be permitted to complete a self-attestation.

What’s a self-attestation? A formal statement that you make that something is true. Or in the case of SSPA self-attestation, a formal statement that operations at a defined location of your business have been assessed against the relevant DPRs and are compliant.

If you’re thinking a self-audit doesn’t sound that robust, you’re thinking the same as Microsoft.  If you process their highly confidential data or are considered high risk, you may be asked to undertake a third-party assessment, where an independent organisation will assess your compliance.

A supplier will be selected to conduct an independent audit if any of the following six attributes are true;

  1. Data class = Highly Confidential
  2. Microsoft Procurement managed supplier
  3. Automated data subject rights obligation
  4. Cloud service (e.g., software as a service or “SaaS”)
  5. Website hosting services
  6. Use of subcontractors to Process Microsoft Personal/Confidential Data.

Industry Certification

We already have ISO27001, will that suffice?

Maybe. If you are enrolled in SSPA because you process ONLY Microsoft confidential data and no personal data, then ISO27001 or SOC 2 type 2 report will suffice. If you process confidential data AND personal data, then you will have to be assessed against all relevant DPRs. An appropriate  security certification will remove all Section J requirements.



If and when GDPR certifications are ‘awarded’, these will be added to the list of acceptable means of compliance.

We can help

iCompli is a Microsoft SSPA Auditor; our auditors have been independently assessed against industry recognised standards e.g. IAPP CIPP/E and will undertake third party assessments to help you meet your performance and contract requirements with Microsoft and provide your Independent SSPA Attestation.

Fixed price programmes to help you;

  • Assess your organisational controls
  • Complete a DPR gap analysis
  • Deliver an audit report against the relevant core Sections
  • Provide advice on remedial actions, and
  • Complete your letter of attestation

For smaller organisations we can help fast-track compliance by providing template solutions which will help generate the required policy and control documentation identified in the DPRs e.g. GDPR fair processing information and consent statement, incident and breach response plans, IT device asset inventories etc.

Contact us at +44(0)203 291 3415, and we’ll keep your Microsoft account running smoothly.