Understanding Microsoft’s Supplier Security and Privacy Assurance (SSPA) Program

Privacy Assessments

Published: Dec 23, 2025

If you’re a vendor looking to do business with Microsoft, you may be required to complete the Supplier Security and Privacy Assurance (SSPA) program as part of the procurement process. The SSPA program is Microsoft’s mechanism for evaluating whether suppliers meet its baseline security, privacy, and AI governance expectations outlined in the Microsoft Data Protection Requirements (DPR). 

Schellman is one of the preferred assessors for conducting independent assessments under SSPA, and Chris Lippert, Director of Schellman’s Privacy Practice, shares additional insight into the program. 

What Is the SSPA Program? 

The SSPA program is designed to assess a supplier’s ability to safeguard Microsoft data. It aligns with Microsoft’s Supplier Code of Conduct and applies to vendors that process or access Microsoft data or systems. Depending on the nature of the services provided, suppliers may be required to complete a self-assessment, undergo an independent assessment, or both. 

How the SSPA Process Works 

Suppliers must first complete a supplier profile, answering questions about the type of services they provide, the types of data they process, and any third parties involved. Based on this information, Microsoft determines which DPR controls apply. 

Next, suppliers complete a self-assessment consisting of the questions that Microsoft has deemed applicable based on the answers and information provided in the supplier profile. Microsoft personnel review the responses and may request clarification or follow-up information from the supplier. Once Microsoft approves the self-assessment, an independent assessment may be required depending on the scope. 

When Is an Independent Assessment Required for SSPA?  

Microsoft recommends using a preferred assessor for independent assessments, and doing so becomes mandatory when the AI requirements in Section K of the DPR are in scope. This distinction is especially important for suppliers offering AI-enabled products or services. 

Microsoft maintains a public list of preferred assessors and provides detailed guidance on when independent assessments are required through its SSPA Program Guide. 

SSPA Timing and Planning Considerations 

For suppliers subject to annual SSPA reviews, Microsoft typically allows a 90-day window—starting from the supplier’s anniversary date—to complete profile updates, the self-assessment, and any required independent assessment. 

Once a supplier engages a preferred assessor, the independent assessment itself generally takes one to two months to complete. Because of these timelines, early planning is critical. While 90-day extensions may be requested and engagement letters can be submitted as interim evidence, these options are best treated as last resorts. 

Moving Forward With SSPA 

Suppliers should monitor Microsoft’s SSPA webpage regularly because requirements can evolve over time, as demonstrated by the addition of AI-specific controls in late 2024. Changes to the DPR may require suppliers to reassess compliance before engaging in new Microsoft business, depending on the technologies or services involved. 

Microsoft’s SSPA webpage also provides a current list of preferred assessors and a comprehensive program guide. The guide contains a wealth of information about the SSPA program, including a processing profile that outlines when independent assessments are required based on supplier profile responses. 

Navigating Microsoft’s SSPA requirements can be complex, particularly for organizations with evolving services or AI components, but working with an experienced preferred assessor like Schellman can help streamline the process and reduce surprises. For more information, contact us and one of our privacy professionals will reach out to provide more details about the process. 

About Chris Lippert

Chris Lippert is a Director and Privacy Technical Lead with Schellman and is based in Atlanta, GA. With more than 10 years of experience in information assurance across numerous industries, regulations, and frameworks, Chris developed a passion for and concentration in data privacy. He is an active member of the International Association of Privacy Professionals (IAPP), holds his Fellow of Information Privacy (FIP) designation, and advocates for privacy by design and the adequate protection of personal data in today’s business world.