Microsoft Supplier Security & Privacy Assurance Program (SSPA)

Data compliance and protection are paramount to modern business, and Microsoft has created specific requirements for its suppliers. Microsoft SSPA is a mandatory compliance program for Microsoft suppliers that work with Personal Data and Microsoft Confidential Data. SSPA drives compliance with these requirements through an annual compliance cycle; new Microsoft suppliers can start work once this cycle is complete.

Who should be SSPA compliant?

  • Any organization that wants to process PII or confidential data as a supplier to Microsoft

  • Any organization that wants to assure customers that it has the processes in place to protect their data

Why should my company be SSPA compliant?

  • This standard is required for Microsoft suppliers that work with Personal Data and Microsoft Confidential Data.

What is the timeline for ISO 27018 compliance?

  • Approximately 40-80 hours of preparation
  • There are 50 controls for this specific attestation

What can Vanta automate?

  • Vanta provides pre-built tests and document requests

Does this attestation require a formal audit?

  • Yes. The controls must be implemented and then formally audited by an accredited firm. Because the GDPR and ISO compliance rules overlap, some companies combine these audits. Microsoft may accept ISO 27001 certification as a substitute for SSPA certification.