ISpectra Technologies
Vendor Risk · Attestation

What is Microsoft SSPA?

Microsoft’s Supplier Security and Privacy Assurance program — annual data-protection attestation for suppliers handling Microsoft data.

Definition

Microsoft SSPA (Supplier Security and Privacy Assurance) is a program that governs how Microsoft’s suppliers handle Microsoft personal and confidential data. Suppliers in scope must comply with the Microsoft Data Protection Requirements (DPR) and attest to their compliance — typically annually, often supported by an independent assessment for higher-risk data.

SSPA is mandatory for suppliers processing in-scope data as a condition of doing business with Microsoft.

Key elements

1

Data Protection Requirements

The control set (DPR) suppliers must meet.

2

Scope determination

Based on data type (personal / confidential) and processing.

3

Self-attestation

Annual confirmation of DPR compliance.

4

Independent assessment

Required for higher-risk personal-data processing.

5

Ongoing obligations

Maintain controls and re-attest each cycle.

Who needs to comply?

Any supplier that processes Microsoft personal or confidential data and is enrolled in SSPA must attest to the DPR to keep working with Microsoft.

How ISpectra helps

ISpectra maps your controls to the Microsoft DPR, closes gaps, and prepares your SSPA self-attestation (and independent assessment where required) so you remain an approved Microsoft supplier.

Talk to an advisor