Understand Microsoft subprocessor requirements


Microsoft processes many kinds of data as part of providing cloud services to our customers. We categorize the data we process to ensure it is handled with appropriate security and privacy protections. Categories of data processed by Microsoft are defined in the Microsoft Products and Services Data Protection Addendum (DPA).

When Microsoft utilizes a supplier to deliver an aspect of our Online Services that may require the supplier to process such data, the supplier is identified as a "subprocessor" (in accordance with the GDPR terminology). All subprocessors who process “Personal Data” and “Microsoft Confidential Data” must adhere to the Microsoft Supplier Security and Privacy Assurance (SSPA) Program before being allowed to process data on behalf of Microsoft.

Types of data shared with Microsoft

Personal Data is defined as any information relating to an identified or identifiable natural person, also known as the data subject. Personal Data can appear in any of four separate and distinct data categories:

  • Customer data is all data, including all text, sound, video, or image files, and software, that is provided to Microsoft by or on behalf of Customer through use of the Online Service, excluding Microsoft Professional Services Data.
  • Service-generated data includes all data "generated" or "derived" by Microsoft through the operation of an online service. Microsoft aggregates this data from our online services and uses it to make sure performance, security, scaling, and other services that impact the customer experience are operating at the levels our customers require.
  • Diagnostic data includes all data "collected" or "obtained" from applications that are installed locally for use in connection with the Microsoft enterprise online service. It is used to help Microsoft ensure the client software is secure and performing properly.
  • Professional services data means all data, including all text, sound, video, image files, or software, that is provided to Microsoft by or on behalf of a Customer (or that Customer authorizes Microsoft to obtain from a Product), or otherwise obtained or processed by or on behalf of Microsoft through an engagement with Microsoft to obtain Professional Services. Professional Services Data includes support data that is provided to Microsoft during technical support for an online service.

Separately from Personal Data, Microsoft Confidential Data refers to any information which, if its confidentiality or integrity were compromised, could result in significant reputational or financial loss for Microsoft. This can include information on the development, testing, or manufacturing of Microsoft products, license keys, and pre-release marketing materials.
Types of data               Definition
Customer data               Provided by Customer
Diagnostic data             Collected or obtained from software installed by Customer
Service generated data      Generated or derived by Microsoft
Professional services data  Provided by Customer in connection with Professional Services
Support data                A subset of professional services data provided by Customer in connection with technical support
Personal data               Any of the defined data types above that relate to an identified or identifiable natural person

Microsoft Supplier Security and Privacy Assurance (SSPA) program

The Microsoft Supplier Security and Privacy Assurance (SSPA) program is a corporate program designed to standardize and strengthen data handling practices by setting privacy and security requirements for Microsoft suppliers. The SSPA program requires suppliers to demonstrate compliance with Microsoft's strict privacy and security policies, legal obligations, and customer expectations. To protect the data entrusted to our suppliers, Microsoft requires all subprocessors who process Personal Data or Microsoft Confidential Data to comply with the SSPA program.

The SSPA program includes a set of security and privacy controls that must be implemented by subprocessors prior to processing data on behalf of Microsoft. We define these controls in the Data Protection Requirements (DPR). All subprocessors enrolled in the SSPA program must review and attest to their compliance with applicable DPR controls before beginning contracted work. In addition, subprocessors must complete a self-attestation of compliance with the DPR annually. Depending on the risk level associated with the data processed and services provided by the subprocessor, additional requirements may be necessary. We will cover those additional requirements later in this module.

Subprocessor compliance with the requirements of the SSPA program is tracked in Microsoft purchasing tools. Purchasing tools do not allow engagements with subprocessors to move forward until all requirements are completed. Failure to maintain compliance with SSPA requirements results in the subprocessor being blocked from accessing or processing data on behalf of Microsoft.
