The Microsoft SSPA initiative (formerly known as Vendor Privacy Assurance Program compliance) is designed to standardize and strengthen the handling of Microsoft customer, partner, and employee personal and confidential information by Microsoft vendors worldwide. Microsoft requires suppliers who process customer, partner, or employee personal or confidential data to comply with the program.

At PS, our IT Risk team specializes in performing Independent Assessments over the Data Protection Requirements (DPR) to help suppliers demonstrate compliance with Microsoft’s SSPA program.

UPDATE: On December 17, 2018, Microsoft released Version 5 of the SSPA Program Guide. The updated Program includes revisions to the DPR and the Independent Assessment process. PS is prepared to assist our clients with understanding these updates and performing Independent Assessments based on the new Program.

Our Proven Process for Independent Assessments

  1. Microsoft requests SSPA DPR self-attestation from Supplier
  2. Supplier completes and submits self-attestation to Microsoft
  3. Microsoft reviews Supplier’s self-attestation and requires an Independent Assessment
  4. PS works with Supplier to determine scoping, pricing and timing of Independent Assessment
  5. PS provides Supplier with a document request list to prepare for the Independent Assessment
  6. PS schedules Independent Assessment fieldwork dates
  7. PS performs Independent Assessment
  8. PS provides client with Independent Assessment letter
  9. Client provides Independent Assessment letter to Microsoft
  10. PS is available throughout the year for ongoing support and questions regarding SSPA compliance