Microsoft works with thousands of suppliers every year. Many of them, including tech companies based in the greater Seattle area, provide services to the tech giant. Could your start-up be next? If providing your services would mean collecting, hosting, or processing the data of Microsoft’s employees, customers, or partners, you need to consider the requirements of the Microsoft Supplier Security and Privacy Assurance Program (SSPA).
All organizations that are, or want to be, vendors to Microsoft have to meet the SSPA requirements. The relative business impact each organization’s services could have on Microsoft places vendors into one of three tiers, each with its own set of requirements.
Low Business Impact
Vendors at this level, as prescribed by Microsoft, are those that handle data containing no personal information, or that otherwise have a low business impact.
Low Business Impact vendors are required to complete the Microsoft Personal Information (MPI) Inventory annually.
Moderate Business Impact
Excluding the high-impact data points detailed below, this information is classified as Moderate Business Impact:
- Information that can be used to contact an individual (such as name, address, email, fax, or phone number)
- Information about an individual, including:
  - Ethnic origin
  - Political opinions
  - Religious beliefs
  - Trade union membership
  - Physical or mental health
  - Sexual orientation
  - Commission or alleged commission of offenses, and court proceedings
In addition to the MPI requirements, these vendors must self-certify (or provide a letter of attestation) that they are compliant with the Microsoft Vendor Data Protection Requirements (DPR) once a year.
High Business Impact
Microsoft associates the following types of data with High Business Impact:
- Government-provisioned identification credentials (such as passport, social security, or driver’s license numbers)
- Financial transaction authorization data (such as credit card numbers and expiration dates)
- Financial profiles (such as consumer credit reports or personal income statements)
- Medical profiles (such as medical record numbers or biometric identifiers)
These vendors also have to satisfy the MPI requirements. However, to satisfy the DPR reporting requirements, these vendors cannot self-certify and must engage an approved third-party accountant to provide an attestation.
Companies that fall into the High or Moderate Business Impact tiers can also choose to undergo a SOC 2 examination. A SOC 2 report satisfies Microsoft’s requirements – and if you work with clients besides Microsoft, you will probably be able to use it again and again.
If you need assistance with SSPA or SOC reporting requirements, reach out to Peterson Sullivan’s IT Risk Services team. As a Seattle-based accounting firm familiar with businesses in the Microsoft supply chain, we can help you determine and meet the compliance and reporting requirements you need to bring your business to the next level.