Microsoft’s Supplier Security and Privacy Assurance (SSPA) program requires that vendors that process Microsoft personal and/or confidential information comply with their Data Protection Requirements (DPR) on an annual basis.
The Microsoft SSPA program requires annual self-assessment and, for certain vendors, independent assessment of compliance with the DPR. The DPR includes privacy requirements that relate to notice, collection, choice and consent, retention, and disclosure of personal or confidential information. The DPR requirements also include data subject rights as well as security-related requirements to protect the integrity of information, incident response procedures, and business continuity / disaster recovery procedures.
Microsoft will select certain vendors to undergo an independent verification of compliance with the DPR. This assessment against the DPR will examine controls in place as of a point in time to determine compliance with the applicable requirements. Suppliers will need to provide their completed self-assessment questionnaire that was previously provided to Microsoft. The examination will result in an attestation report that includes an opinion letter, a brief overview of the scope of the environment included in the examination, and the results of Schellman’s verification of the organization’s design of controls and whether the organization is in compliance with the applicable DPR requirements.
We begin each project with your end goals in mind and prepare for future key project activities. Effective communication and timely coordination of project planning activities are central to our methodology with our clients.
Our Schellman teams have experience performing thousands of SOC examinations.
We’re here to answer any questions.