Overview

When customers engage with Microsoft for Professional Services, including enterprise services, consulting, and support solutions, Microsoft may hire a supplier, sometimes referred to as subprocessor, to perform part of this work. These suppliers access support and consulting data provided to Microsoft by, or on behalf of, customers. This may include personal data or customer data that customers choose to share, whether directly or by authorizing Microsoft to obtain data from an Online Service.

Suppliers may access data only to deliver the services Microsoft has hired them to provide and are prohibited from using data for any other purpose. They are required to maintain the confidentiality of this data and are contractually obligated to meet strict data protection requirements that are equivalent to or stronger than the contractual commitments Microsoft makes to its customers. Suppliers are also required to meet EU General Data Protection Regulation (GDPR) requirements. Under GDPR, Microsoft considers these suppliers to be subprocessors and requires them to employ appropriate technical and organizational measures to protect personal data.

Microsoft requires all suppliers to join the Microsoft Supplier Security and Privacy Assurance Program (SSPA). This program is designed to standardize and strengthen the handling of data, and to ensure supplier business processes and systems are consistent with those of Microsoft.

Suppliers who regularly provide Professional Services are subject to heightened requirements. For instance, suppliers must agree to the EU Model Clauses when Microsoft contractually offers its customers the EU Model Clauses.

Supplier types and differences

Microsoft leverages a network of several different types of suppliers to effectively provide timely and cost-effective services across geographies. You may always inquire regarding the personnel performing work and request to have your case or work transferred to a different supplier or geography.

Most suppliers provide contract staff, sometimes referred to as staff augmentation or external staff, that work alongside Microsoft employees to help deliver the services. In such cases, the servers and tools used to hold and process data are Microsoft’s. Also, personnel and data are always in systems subject to Microsoft policies and supervision.

Microsoft support also operates a network of outsourcers to provide contact/call centers services. When these outsourcers store data in their systems, it is subject to equivalent levels of protection and certification as Microsoft facilities and systems. Their operations are regularly reviewed by Microsoft.

In exceptional cases, some data may be shared with our product organizations when necessary for troubleshooting or to resolve particularly complex issues. In such scenarios, Suppliers are subject to SSPA and contractual commitments but may not be subject to heightened requirements for suppliers that regularly provide Professional Services.

Microsoft commercial support subprocessor list

For Microsoft commercial support, we provide a list of the suppliers used to provide support. You may download this list.

For suppliers used to directly provide support, Microsoft will add the names of any new suppliers at least 30 days in advance of their authorization to perform services that may involve access to such data.

For data shared with product organizations, Microsoft will make commercially reasonable efforts to maintain up to date information upon changes to these suppliers.

In addition, you may request to receive notice of any updates by sending an email to Microsoft Services Supplier List Notifications at msservsuppnote@microsoft.com from the email address you would like to receive the notification emails. You must include the words “Subscribe suppliers” in the subject line.

Microsoft consulting subprocessor list

For Microsoft Consulting Services, a list of suppliers that are working on your engagement is available, as described in your contract terms.