SSPA Compliance and the SSPA Independent Assessment requirement

Microsoft suppliers are required to comply with stringent Privacy and Security requirements. Suppliers who process Personal data and/or Microsoft Confidential information as part of their services for Microsoft need to enroll in the Supplier Security and Privacy Assurance (SSPA) Program.

The SSPA Program is a gateway towards Microsoft Procurement and your company will need to be in good standing with the SSPA – which is an SSPA Compliant or Green status - in order to be available for new engagements/Purchase Orders. 

If your SSPA Data Processing Profile includes selections that are considered higher risk to Microsoft, a Self-Attestation against the applicable items of Microsoft's Data Protection Requirements will be followed by an Independent Assessment requirement, too. Profile selection options that will trigger an Independent Assessment are published in the SSPA Program Guide. It is a great idea to check on this each year before you submit your Profile, so you can allocate time and sufficient resources to complete the requirements you will be posted.

Interpreting Microsoft’s Data Protection Requirements (DPR), confirming applicability and compliance might be challenging for suppliers and here's where our in depth knowledge of the SSPA Program and the DPR can save you time and efforts.

Microsoft takes compliance and deadlines very seriously, which is protective of Microsoft as well as their suppliers and customers and not the least it is crucial for Microsoft suppliers to stay Green in the SSPA to be available for business with Microsoft.

If you need confident and expert help with your Independent Assessment requirement, please see our contacts below and contact at cesspa@deloittece.com.