Case Study

Agency Vendor Compliance

Bread N Butter Microsoft SDPR


Bread & Butter is a Seattle-based brand development company focused on creative strategy, development and activation. They have many corporate clients, one of which is Redmond-based Microsoft. Microsoft recently issued a set of Supplier Data Protection Requirements (SDPR), also known as the Supplier Security and Privacy Assurance (SSPA) program, which are aligned with European GDPR compliance and NIST cyber security recommendations. EXP was engaged to provide cyber security and compliance services to meet these requirements. The scope of work included:

  • Performing an initial risk assessment, to be repeated annually thereafter
  • Developing and implementing a security plan of action to close any gaps identified by the assessment
  • Formalizing the security program as a continuous improvement program


After performing the initial risk assessment, EXP set about implementing the resulting security plan of action with clearly defined milestones. As the client was a Mac shop, this required an approach tailored to a macOS environment. EXP was able to implement several critical measures, including the following:

  • IT Cyber Security Policy
  • Personal Data handling procedures
  • Cyber Security Incident Response Plan
  • Business Continuity and Data Recovery Plan
  • Annual Cyber Security Training
  • Multi-factor Authentication for email and all Personal Data repositories
  • Encryption on all devices

Client Feedback

“We are grateful to the EXP team for working with us on this project. We are fully committed to protecting client personal data and this program is evidence of that.”
Jessica Michaels, Bread & Butter Founder & CEO