Understanding Microsoft SSPA Attestation
Microsoft’s Supplier Security and Privacy Assurance Program (SSPA), formerly known as the Vendor Privacy Assurance Program, is an initiative designed to standardize and strengthen how Microsoft’s customer, partner, and employee information is handled by Microsoft vendors worldwide.
Compliance and Attestation
Organizations that are, or want to become, a Microsoft vendor must meet the requirements of the SSPA. The program requires any vendor that collects, stores, or processes customer, partner, or employee information to meet its reporting requirements.
All vendors must complete the annual Microsoft Personal Information (MPI) Inventory. Each vendor is assigned an anniversary date, on which it receives an email from Microsoft containing a hyperlink to the MPI Inventory. Depending on the type of data handled, as recorded in the inventory, the Microsoft SSPA Attestation reporting guidelines group vendors into three categories: high business impact, moderate business impact, and low business impact.
Low Business Impact
Low business impact organizations must complete the MPI Inventory within 30 days. Upon submission of the inventory, a data classification is assigned to the vendor.
Vendors handling data classified as having no personal information or low business impact require no further action. An anniversary date will be assigned based on the date of completion of the MPI Inventory, which will set the annual compliance cycle.
Moderate Business Impact
Moderate business impact data includes personally identifiable information (PII) that is not highly sensitive, such as (but not limited to):
- Email address
- Phone number
- IP address
- Racial information
- Ethnic information
- Political information
- Religious beliefs
- Sexual orientation
- Trade union membership
- Physical or mental health
After completing the MPI Inventory, all moderate business impact organizations must adhere to the Microsoft Vendor Data Protection Requirements (DPR). Starting with their second compliance cycle, and annually from that point on, they must certify compliance with the DPR by submitting a self-certification within 90 days of submitting the MPI Inventory.
An anniversary date will be assigned based on the date of submission of the self-certification, which will set the annual compliance cycle.
High Business Impact
High business impact data includes the following, but is not limited to:
- Authentication/authorization credentials, such as private cryptographic keys
- Highly sensitive PII, such as:
  - Financial transaction authorization data, such as credit card numbers
  - Financial profiles, such as consumer credit reports
  - Medical profiles, such as biometric identifiers
All high business impact organizations must also adhere to the DPR. In addition, businesses that are considered high business impact must submit a letter of attestation from an approved third party within 90 days of submitting the annual MPI Inventory.
An approved third party must be:
- A member in good standing with the American Institute of Certified Public Accountants (AICPA) or the International Federation of Accountants (IFAC)
- Qualified to conduct a Generally Accepted Privacy Principles (GAPP) assessment
Organizations that are high business impact must submit a letter of attestation after their third compliance cycle, and for all subsequent cycles. An anniversary date will be assigned based on the date of submission of the letter of attestation, which will set the annual compliance cycle.
Secure Your Summit
As a preferred assessor and approved third-party attestation body, A-LIGN has been vetted by Microsoft Procurement to perform a Supplier Security and Privacy Assurance (SSPA) assessment and empower your organization to meet SSPA requirements and conduct business with Microsoft.
If your high-impact organization requires a letter of attestation, our professionals can help you achieve compliance by assessing your organization’s controls, identifying gaps against SSPA requirements and completing your letter of attestation.