What is Microsoft SSPA?
Microsoft’s Supplier Security and Privacy Assurance program — annual data-protection attestation for suppliers handling Microsoft data.
Definition
Microsoft SSPA (Supplier Security and Privacy Assurance) is a program that governs how Microsoft’s suppliers handle Microsoft personal and confidential data. Suppliers in scope must comply with the Microsoft Data Protection Requirements (DPR) and attest to their compliance — typically annually, often supported by an independent assessment for higher-risk data.
SSPA is mandatory for suppliers processing in-scope data as a condition of doing business with Microsoft.
Key elements
Data Protection Requirements
The control set (DPR) suppliers must meet.
Scope determination
Based on data type (personal / confidential) and processing.
Self-attestation
Annual confirmation of DPR compliance.
Independent assessment
Required for higher-risk personal-data processing.
Ongoing obligations
Maintain controls and re-attest each cycle.
Who needs to comply?
Any supplier that processes Microsoft personal or confidential data and is enrolled in SSPA must attest to the DPR to keep working with Microsoft.
How ISpectra helps
ISpectra maps your controls to the Microsoft DPR, closes gaps, and prepares your SSPA self-attestation (and independent assessment where required) so you remain an approved Microsoft supplier.
Talk to an advisor