Microsoft DPR v12: A Guide to the Latest Updates for Suppliers
Published: Mar 17, 2026
Microsoft recently provided a pre-release of v12 of their Data Protection Requirements (DPR) for suppliers required to undergo an annual security and privacy assessment through Microsoft’s Supplier Security and Privacy Assurance (SSPA) program. Microsoft DPR v12 is scheduled to refresh March 30, 2026, and features a total of 63 requirements. Notably, this is a reduced number of controls compared to v11, which featured a total of 67 requirements.
The changes with version 12 primarily reflect a consolidation or refinement of existing requirements for AI systems within Section K. Additionally, it adds two new requirements, focused on networking security and prohibited AI system uses.
In this article, we’ll describe the SSPA program at a high level and highlight the key changes in DPR v12, so that suppliers can be well prepared to pursue the best course of action to remain compliant with Microsoft’s requirements ahead of their next annual assessment.
Microsoft DPR v12 Program Guide Updates
The SSPA program guide may not be the artifact that lists the individual data protection requirements, but it is just as important for suppliers to review. Think of this resource as your Microsoft encyclopedia for security and privacy compliance, filled with relevant definitions, scoping information, process overviews, and more.
Understanding Supplier Data Processing Profiles
Microsoft’s SSPA program starts with the supplier’s data processing profile, which suppliers can modify at any time (upon request). How the data processing profile is set up is particularly important, because it serves as the input Microsoft uses to classify suppliers into different profile types based on associated risk.
Factors considered in the data processing profile include, but are not limited to, the nature and scope of data processed in connection with Performance to Microsoft, the supplier’s role as a data controller, processor, or subprocessor, and the location(s) where processing takes place.
New Profile Type and Highly Confidential Data
In version 11 of the program guide, Microsoft established eight data processing profile types for its suppliers. With the version 12 refresh, we’ve seen the addition of a new profile type, verbiage changes to key definitions, expanded independent assurance requirements for Section K, and sanctions for noncompliance with the DPRs that you should be aware of.
Suppliers fall into pre-defined data processing profiles when they set their profile in the Aravo Portal, either annually or in advance of intended changes concerning the processing performed on behalf of Microsoft.
One new change we’ve seen with v12 is that each profile type now includes consideration for processing of “highly confidential data,” which is defined by Microsoft as follows:
Source: Microsoft – Supplier Security & Privacy Assurance Program Guide v12
Notably, Highly Confidential data can also include sensitive categories of personal data and protected health information (PHI).
The net new data processing profile is profile #4. Suppliers will fall into this profile for processing confidential and/or highly confidential data at their own location and when Performance involves Software-as-a-Service (SaaS), the use of subcontractors, or website hosting.
This profile requires annual self-attestation of compliance to the DPRs and independent assurance of compliance, either through an independent assessment or an acceptable alternate option, such as an ISO 27001 certification or an unqualified SOC 2 Type 2 report.
Source: Microsoft – Supplier Security & Privacy Assurance Program Guide v12
Microsoft DPR v12 Updates to Personal Data Types
Next, we want to draw your attention to some minor changes to the Personal Data Types table. The example data type of “trade union membership” was removed from the table, and other example data types, such as sensitive personal data and PHI, were moved to the Highly Confidential table instead.
It’s important to note that the data tables listed in the SSPA program guide are not an exhaustive list, so if any specific data element isn’t listed, this does not mean that it wouldn’t apply. When in doubt, refer back to the definitions.
Also noteworthy, v12 of the program guide has expanded the requirement of independent assurance for both AI system publishers and deployers. In addition, the reference where Microsoft previously specified that the use of preferred assessors was required for assessing Section K has been removed.
Lastly, throughout the data protection requirements, Microsoft makes note that evidence of compliance with the DPRs must be made available to Microsoft upon request. With v12, the program guide references sanctions which specify that suppliers who fail to provide evidence upon request, or response to incident requests, may now be placed in Red Status.
This change emphasizes the importance of maintaining audit-ready documentation and of suppliers understanding not just the DPRs, but also the context provided in the SSPA program guide.
Data Protection Requirement Updates
Now that we’ve covered updates to the Program Guide, we must discuss changes to the actual data protection requirements (DPRs). As stated above, the changes with version 12 primarily reflect a consolidation or refinement of existing requirements, accompanied by two net-new additions.
Net-New DPRs in SSPA v12
- DPR-041 (Section J: Security) - Protect information in networks and support systems via the following:
  - Implement controls to prevent unauthorized access.
  - Ensure secure data transmission across networks.
  - Segment network traffic to reduce risk exposure.
  - Maintain updated network diagrams and configuration baselines.
  - Assign clear roles for network administration separate from general IT operations.
- DPR-052 (Section K: AI Systems):
  - Supplier will not design, develop, place on the market, put into service, or use any AI Systems in connection with your work for Microsoft that are considered a Prohibited Practice.
These net-new DPR additions fall under the security requirements of Section J and the AI system requirements of Section K. DPR-041 is specific to networking security, and can be met through evidence such as documented network security procedures, network diagrams, logging and monitoring activities, and encryption controls.
DPR-052 falls under the AI system requirements under Section K and can be met through adhering to Microsoft’s documented instructions within the executed agreement, and furnishing evidence of compliance to Microsoft upon request.
In addition to these net-new requirements, the DPRs below were removed or consolidated with existing requirements.
Consolidated Requirements in SSPA v12
- DPR-003 (Section A: Management) has consolidated its training requirements for personnel that access or process Microsoft personal or confidential data, previously listed as separate requirements under DPR-003 and DPR-052. In addition to completing security and privacy awareness training, this requirement now contains obligations for personnel that process such data within AI systems to complete AI training relevant to their role.
- DPR-056 (Section K: AI Systems) has consolidated its accountability requirements, previously separated in DPR-051 and DPR-058.
- DPR-062 (Section K: AI Systems) has consolidated the health system monitoring methods previously listed as separate requirements under DPR-064 and DPR-065. The revised DPR-062 now requires that the methods and tools for monitoring are included in the transparency disclosure standard operating procedure and/or system health monitoring framework.
Removed Requirements in SSPA v12
- DPR-054 (Section K: AI Systems), which required suppliers to implement red teaming of AI systems and address vulnerabilities prior to deployment, has been removed in v12.
- DPR-055 (Section K: AI Systems), which required suppliers to implement a responsible AI program and program documentation, has been removed in v12. Notably, responsible AI program documentation is still referenced as evidence of compliance in DPR-055 through DPR-059 in v12, so this change is more likely aimed at reducing duplicative requirements rather than reducing supplier obligations.
- DPR-067 (Section K: AI Systems), which required suppliers to identify and disclose known demographic and marginalized groups potentially at risk of experiencing adverse impacts or poor quality of service based on the AI system intended uses, has been removed in v12.
Verbiage Changes in SSPA v12
- DPR-054 (Section K: AI Systems) removed its reference to “intended uses” in the transparency disclosure requirements.
- The following DPRs (Section K: AI Systems), which existed in v11, formerly referenced “sensitive uses” in the context of AI systems; these references have been removed in v12:
  - DPR-055 (Signed Agreement)
  - DPR-057 (Risk Assessment)
  - DPR-060 (Required disclosures and reporting for intended uses)
  - DPR-061 (Updates to transparency disclosures and intended uses)
Key Takeaways from the Microsoft DPR v12 Updates
As described above, the key changes in v12 of the SSPA Program Guide and MS DPRs primarily reflect a consolidation or refinement of existing requirements. This change did not introduce any new sections (as version 10 did, with the introduction of AI system requirements under Section K).
However, we know that even the smallest details matter in compliance. As such, we encourage each supplier to perform a detailed review of the program guide and DPRs prior to the refresh on March 30th to understand the upcoming changes and better inform your next audit cycle.
If you have any additional questions about Microsoft DPR or the SSPA v12 updates, contact us today.
About Kathryn Young
Kathryn Young is a Privacy Technical Lead with Schellman based in Providence, Rhode Island. She currently performs privacy assessments and certifications related to ISO 27701, GDPR, SOC 2, and Microsoft DPR, among others. Prior to joining Schellman, Kathryn worked in a variety of privacy compliance and cybersecurity-focused roles in the information technology and healthcare sectors. She holds a master's degree in cybersecurity and international cyber law from Norwich University, is an active member of the International Association of Privacy Professionals (IAPP), and has obtained her CIPM, CCSK, and CISSP certifications.