Understanding Microsoft SSPA Attestation

About Microsoft SSPA Attestation

The Microsoft Supplier Security and Privacy Assurance Program (SSPA), formerly known as the Vendor Privacy Assurance Program, is an initiative designed to standardize and strengthen how Microsoft’s customer, partner, and employee information is handled by Microsoft vendors worldwide. 

Who Needs Microsoft SSPA Attestation?

Organizations that are, or want to become, a Microsoft vendor must meet the requirements of the SSPA. Any vendor that collects, stores, or processes Microsoft customer, partner, or employee information must meet the program's reporting requirements.

All vendors must complete the annual Microsoft Personal Information (MPI) Inventory. Each vendor is assigned an anniversary date, on which it receives an email from Microsoft containing a hyperlink to the MPI Inventory. Based on the type of data reported in the inventory, the Microsoft SSPA Attestation reporting guidelines group vendors into three categories: high business impact, moderate business impact, and low business impact.

Low Business Impact

The MPI Inventory must be completed within 30 days of receiving it. Upon submission of the inventory, Microsoft assigns a data classification to the vendor.

Vendors whose data is classified as containing no personal information, or as low business impact, require no further action. An anniversary date is assigned based on the date the MPI Inventory was completed, which sets the annual compliance cycle.

Moderate Business Impact

Moderate business impact data includes personally identifiable information (PII) that Microsoft does not classify as highly sensitive. Note that several items in this list (for example racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, and sexual orientation) are treated as special categories of personal data under privacy laws such as the GDPR, so "moderate" here reflects Microsoft's classification for SSPA purposes, not the data's sensitivity under other regimes. Examples include (but are not limited to):

  • Name
  • Address
  • Email address
  • Phone number
  • IP address
  • Racial information
  • Ethnic information
  • Political information
  • Religious beliefs
  • Sexual orientation
  • Trade union membership
  • Physical or mental health

After completing the MPI Inventory, all moderate business impact organizations must adhere to the Microsoft Vendor Data Protection Requirements (DPR). Beginning with their second compliance cycle, and annually thereafter, they must certify compliance with the DPR through a self-certification submitted within 90 days of submitting the MPI Inventory.

An anniversary date will be assigned based on the date of submission of the self-certification, which will set the annual compliance cycle.

High Business Impact

High business impact data includes the following, but is not limited to:

  • Authentication/authorization credentials, such as private cryptographic keys
  • Highly-sensitive PII, such as:
    • Financial transaction authorization data, such as credit card numbers
    • Financial profiles, such as consumer credit reports
    • Medical profiles, such as biometric identifiers

All high business impact organizations must also adhere to the DPR. In addition, high business impact vendors must submit a letter of attestation from an approved third party within 90 days of submitting the annual MPI Inventory.

An approved third party must be:

  • A member in good standing with the American Institute of Certified Public Accountants (AICPA) or the International Federation of Accountants (IFAC)
  • Qualified to conduct a Generally Accepted Privacy Principles (GAPP) assessment

High business impact organizations must submit a letter of attestation after their third compliance cycle and in every subsequent cycle. An anniversary date is assigned based on the date the letter of attestation was submitted, which sets the annual compliance cycle.

Why Choose A-LIGN

As a licensed CPA firm and approved third-party attestation body, A-LIGN can help your organization meet the Microsoft SSPA Attestation requirements by performing the following activities:

  • Assessing your organization’s controls as they relate to the Microsoft SSPA requirements
  • Identifying any gaps against the SSPA requirements
  • Issuing the practitioner’s report, which addresses the following assessment criteria:
    • Management
    • Notice
    • Choice and Consent
    • Collection
    • Retention
    • Access
    • Disclosure to Third Parties
    • Quality
    • Monitoring and Enforcement
    • Security
  • Providing remediation recommendations based on assessment and gap findings
  • Completing the letter of attestation

If a vendor is unable to meet the requirements, Microsoft may elect to end the business relationship with the vendor until the vendor can demonstrate compliance.

Ensuring that your organization can meet the privacy principles included in the SSPA allows your organization to conduct business with Microsoft. Engaging with A-LIGN provides your organization with a team of privacy, security, and compliance professionals to assist you in understanding the Microsoft SSPA guidelines.

With the help of our privacy, security, and compliance professionals, your organization can begin working toward meeting the Microsoft SSPA requirements today. Have questions about Microsoft SSPA? Contact us at info@a-lign.com or 1-888-702-5446.