Successfully Navigating a Microsoft SSPA and DPR Assessment


What is the SSPA and DPR Assessment?

Microsoft, one of the largest employers in the greater Seattle area, has not only shaped the tech industry but has also built a vast network of local vendors and suppliers. These partners are essential to Microsoft's operations, and in return they must meet strict compliance standards. Those standards are set out in the Microsoft Supplier Security and Privacy Assurance (SSPA) Program and spelled out in the Microsoft Supplier Data Protection Requirements (DPR).

At EXP, we have extensive experience assisting clients in meeting these requirements.

The DPR contains a total of 50 stringent criteria, some of which can seem perplexing to non-technical readers. A supplier must demonstrate compliance with each applicable criterion to keep its vendor status, which makes the assessment a critical concern for everyone involved.

Microsoft's Supplier Security and Privacy Assurance Program

The Supplier Security and Privacy Assurance (SSPA) program is Microsoft's corporate framework for communicating data processing instructions to suppliers; the instructions themselves are transmitted through the Microsoft Supplier Data Protection Requirements (DPR). To do business with Microsoft, vendors must actively participate in the SSPA program, which requires the submission of annual compliance reports.

SSPA and DPR Compliance Focus

The SSPA and DPR compliance requirements focus primarily on two things:

1.  Protection of Personal Data

Microsoft expects suppliers to take great care with Microsoft users' personal data whenever they collect it. The DPR is primarily concerned with:

  • Contractual coverage for personal data collection
  • "Required to perform" data collection only (collect no more than the engagement needs)
  • Consent management
  • Privacy policy notification
  • Data retention and destruction
  • Data anonymization
  • Data subject rights (right to be forgotten, formal complaint process, etc.)
  • Breach notification

2.  Cybersecurity

Microsoft underscores the importance of clearly defining who is responsible for cybersecurity and data protection within a supplier's organization. The DPR also mandates privacy and security awareness training for staff. At EXP, we are here to help your company fulfill these requirements and implement cybersecurity best practices.


How do I Comply with Microsoft SSPA and DPR?

The encouraging news is that Microsoft's cybersecurity requirements align closely with the recommendations of the National Institute of Standards and Technology (NIST), which we at EXP have been advocating to Microsoft vendors in the Seattle area for the past three years. These recommendations include:

  • A formalized cybersecurity program
  • Annual risk assessments and change control procedures
  • An ongoing "evergreen" security plan that is reviewed and updated, not written once and shelved
  • Mandatory security awareness training
  • Written security policy
  • Written cybersecurity incident response plan
  • Annually tested disaster recovery and business continuity plans
  • Firewall with intrusion prevention
  • Vulnerability scanning
  • Data encryption at rest and in transit
  • Asset management
  • Next-generation antivirus and endpoint detection and response (EDR)
  • Data classification and data loss prevention
  • Rights management
  • Patch management
  • Multi-factor authentication
  • Mobile device management

Fortunately, most of the tools needed to meet these requirements are already available within Office 365, although the right licensing tier matters: several of the controls above depend on specific subscriptions. Our team can help suppliers identify the appropriate subscriptions and address any compliance gaps. For a case study illustrating our approach, see "Agency Vendor Compliance."

For more information, email
