
A GUIDE TO UNDERSTANDING MICROSOFT’S SSPA APPLICABILITY AND DPR

A Guide to Understanding Microsoft’s SSPA Applicability and DPR 1


TABLE OF CONTENTS

Understanding Microsoft’s SSPA Applicability and DPR 2
Microsoft’s SSPA DPR Self-Assessment – Consult First 4



Understanding Microsoft’s SSPA Applicability and DPR

If you operate in the Information Technology space, it is highly likely that you either use Microsoft products or may provide
services to Microsoft. If you have an opportunity to become a Supplier to Microsoft Corporation, you will need to establish a
Security and Data Privacy baseline.

Scope – Data involved


Microsoft’s in-house developed Supplier Security and Privacy
Assurance (SSPA) program is an annual requirement once you
become an active Microsoft supplier. The scope of the SSPA covers
all suppliers globally that process Personal Data and/or Microsoft
Confidential Data in connection with any active Master Service
Agreement (MSA), Statement of Work (SOW) or Purchase Order (PO).

Data types across Microsoft are extensive, and the program has
been developed to accommodate all data use cases while taking
into account global regulations, companies across all industry types,
and suppliers of all sizes, from small startups to multinational
conglomerates. No mean feat.

Applicability
Whether you are well into your Governance, Risk and Compliance (GRC)
journey or maturing to the point that clients are asking for some level of
assurance, the SSPA program can be leveraged to establish a strong
baseline. The key to any supplier compliance program is defining what
information is needed and what is being collected. Microsoft’s SSPA requires you
to establish your “Applicability” and then have it independently assessed
against their Data Protection Requirements (DPR). Connor is well versed in
the nuances of determining whether a DPR requirement will apply to your
service and can get you set up correctly.



Data Protection Requirements
The DPR is made up of 10 categories that follow a Data Governance lifecycle
model. It is very similar to the Gramm-Leach-Bliley Act (GLB Act or GLBA)
and has elements of the EU GDPR requirements, but most importantly it has
Microsoft MSA contractual terms and conditions woven in.

At a high level, the principles are:

• Microsoft Data can only be used in accordance with, or as intended via, an active and approved MSA
• Microsoft employees or Microsoft affiliates must be notified of data sharing between financial institutions and third parties and must have the ability to opt in/out of private information sharing
• Data Subject Rights must be established and actionable in a timely manner
• Microsoft Data must be secured against unauthorized access
• User activity must be tracked, including any attempts to access protected records
• Suppliers must have an incident response plan and both Security and Data Privacy training

You can see the 10 Categories listed in the diagram below.

[Diagram: the 10 DPR categories arranged around “MSFT Data Protection Requirements”]

• Management
• Notice
• Choice and Consent
• Collection
• Retention
• Data Subjects
• Disclosures to Third Parties
• Quality
• Monitoring and Enforcement
• Security

Additionally, Microsoft categorizes your organization via an SSPA Data Processing Profile, which is self-managed via the Aravo
Supplier Portal. Navigating this portal can be challenging, but it is important to track your status, Active Green (compliant) vs.
Suspended Red (non-compliant), and to complete the tasks that are issued with a 90-day compliance deadline.



Microsoft’s SSPA DPR Self-Assessment – Consult First

One of the first steps in your Microsoft Supplier Security and Privacy Assurance (SSPA) journey is to correctly submit your Data
Protection Requirements (DPR) “SSPA Applicability” self-assessment. This sets the stage for the requirements and the level
of testing you will go through with an independent auditor. It is very important to get “SSPA Applicability” right for a smooth,
efficient audit. Getting it wrong can lead to hours of re-work and unnecessary back and forth with your Microsoft buyer and the
vendor management team at SSPAhelp@microsoft.com or SSPAsupport@microsoft.com.

Applicability
It is essential to align your “SSPA Applicability” profile with the service you are providing to Microsoft. Specifically, applicability
relates to the type or types of data being processed, transmitted or exchanged.

Personal Data Examples

• Sensitive Data
• Customer Content
• Capture and Generate Data
• Account Data

Microsoft Confidential/Highly Confidential Data

• Microsoft Product Data Components
• Microsoft Product License Keys
• Microsoft Device Pre-Release Marketing Information
• Develop or Test Microsoft Internal Line of Business
• Unannounced Microsoft Corporate Data

Note the data types listed above are examples and not an exhaustive list.

Taking into account the various mediums through which the data is collected and processed, whether it is shared with third-party
subcontractors, and, most importantly, the “intended” use of the data as described in your Microsoft contract can make the
self-assessment daunting. Additionally, Microsoft sets its own back-office profile of your organization based on the
language of any active Master Service Agreement (MSA), Statement of Work (SOW) or Purchase Order (PO). We have seen
some instances where the back-office understanding, per the SOW, diverges from the actual data handling of the Microsoft
supplier. Alignment early in the SSPA process is key to saving effort, time and cost.



Apply vs. Does Not Apply
Another mistake is over- or under-prescribing your Applicability against the DPR. We often see Suppliers incorrectly complete
their DPR self-assessments, which immediately sets their organization off on the wrong foot. Some Suppliers want to promote
themselves as being “Compliant” in an effort to please Microsoft. They submit as “Compliant” across all DPR questions, which
then means that all of the DPR criteria will apply to them, which may not be the case. This then creates a high-risk supplier
profile on the Microsoft side, and getting that profile changed can eat up precious time and resources. To further complicate things, if
a Supplier responds to any DPR question as “Does Not Apply”, it is important to provide a concise comment as to why. Under-prescribing
may likewise flag your organization to MSFT, which potentially will cause re-work of your SSPA assessment.



Consult First with Connor

There are many ways to send a Self-Assessment down a long, winding road, but with guidance from the experts at Connor, your
organization can get on the right, and efficient, path. We are happy to walk you through the DPR self-assessment at whatever
stage of submission you are in. We have experts in e-commerce platforms, client registration applications, webpages and the
use of third-party subcontractors. Let us guide you in establishing your applicability correctly for a smooth and more efficient
process.

At Connor, our mission is to help our customers remove the barriers to innovation. With our expert support, you can bolster
your organization’s Security and Data Privacy baseline, meet compliance requirements with Microsoft’s SSPA program, and
ensure you remain in good standing with your customers. To learn more about our Microsoft services and approach, visit our
website here.

If you would like to speak with our experts, please contact us at anthony@connor-consulting.com or SSPA@connor-consulting.com.



Unparalleled Experience,
Inspired Outcomes.
