Article
All about your SSPA cycle’s timeline
What is your SSPA cycle?
To maintain and enforce strong privacy and security practices Microsoft applies the Supplier Security and Privacy Assurance Program (SSPA) to all their suppliers who process Personal Data and/or Microsoft Confidential Data as part of their contracted services.
Your SSPA cycle starts with your enrollment to the SSPA Program with your SSPA Enrollment Date and is followed by an annually recurring Self-Attestation of compliance to the DPR (Data Protection Requirements).
After your enrollment you will need to setup your Supplier Profile and within 90 days complete your Self-Attestation to the DPR to collect all the required data processing approvals needed for your services with Microsoft. If you submit all the required information within the given timeframe, you will have a Green (Compliant) status otherwise your status will turn Red (Non-Compliant).
As a norm, your SSPA Anniversary Date coincides with the date of your SSPA Enrollment on an annual basis. Upon the start of your next SSPA cycle, you will have 90 days to update and resubmit your Supplier Profile and Self-Attestation to collect or reconfirm all the required approvals and complete additional tasks such as an Independent Assessment, if required.
If you are not able to submit the requirements before your deadline your status will turn to Red, and you will not be able to receive new purchase orders from Microsoft until you restore your Green status.
Although the timeframe of 90 + 90 days for fulfilling the SSPA renewal criteria may appear plenty it is advisable to initiate the process early due to the possibility of an Independent Assessment (if required) consuming 4-10 weeks, depending on your readiness and the complexity of your operations.
For more information, please read our article about The Importance of your Data Processing Profile accuracy.
