This is the Trace Id: ddc1cdd567fad76598be48868aa37900
Small conference meeting in an office.

SSPA: Supplier Security & Privacy Assurance Program

Sets privacy and security requirements for Microsoft suppliers and drives compliance to these requirements.

About SSPA

What is the Supplier Security and Privacy Assurance (SSPA) Program?

The Supplier Security and Privacy Assurance (SSPA) Program delivers Microsoft's data processing instructions, through the Microsoft Supplier Data Protection Requirements (DPR), to suppliers working with Personal Data, Microsoft Confidential Data, and AI Systems.

SSPA drives compliance to these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data, Microsoft Confidential Data, and/or use AI Systems they will partner with their business sponsor to enroll in the SSPA Program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.

When is a supplier in scope for SSPA?

The scope of the Supplier Security and Privacy Assurance Program covers all suppliers globally, that process Personal Data, Microsoft Confidential Data and/or use AI Systems in connection with that supplier’s performance (e.g., provision of services, software licenses, cloud services), under the terms of its contract with Microsoft (e.g., Purchase Order terms, Master agreement).

For definitions and examples of Personal Data, Microsoft Confidential Data, and/or AI Systems visit the Definitions section of the Supplier Data Protection Requirements (DPR), located below on this page. These examples are intended to serve as a guide. Use both the definitions and examples to determine what data is in-scope for SSPA management.


SSPA Program Guide, Supplier Data Protection Requirements (DPR), Independent Assessment Sample Report, and Preferred Assessors List

Learn more about the SSPA Program through the FY25 Program Guide and explore the DPR to understand the current requirements for Personal Data and/or Microsoft Confidential Data. Versions are available in multiple languages: English, French, Simplified Chinese, Japanese, Korean, and Spanish. Suppliers may use their own in-country translation service or utilize online translation tools for other languages.

Need help? Review the SSPA Program Guide and DPR. If you can’t find what you’re looking for, @SSPAHelp for assistance.

Resources

Follow Microsoft