Microsoft Attestation

Microsoft/SSPA Attestation pertaining to defined in connection with the applicable sections and requirements of the Microsoft Supplier Data Protection Requirements (DPR), latest version, to provide reasonable assurance that the controls were designed in conformity with the DPR and that the design of these controls complies with the DPR. Organisation is responsible for the adequate design of these controls and compliance with the DPR on inherent limitations, controls may not prevent, detect, or correct errors or fraud which may occur. Also, projections of any evaluation of adequate design to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies and procedures may deteriorate.

Protecting confidential and private data is essential to building customer trust, and is often required by law such as with Europe’s General Data Protection Requirements (GDPR). Businesses large and small are subject to these regulations, yet the largest, global enterprises face the biggest risks due to the nature and volume of data they possess.

A recurring challenge for many enterprises is consistently ensuring confidential and private data are protected throughout their complex, global supply chains. Some organizations rely on System and Organization Controls (SOC) reports, but these are not always perfect or cost-effective solutions.

Forward-thinking enterprises are implementing SSPA programs to ensure suppliers are following standardized data protection requirements. The SSPA framework:

  • Assess risk levels based on set criteria
  • Requires certain controls and processes be in place based on the assessed level of risk
  • Help ensure the protection of confidential and private data to which suppliers have been entrusted

Often, these programs include independent verification of compliance by a qualified firm.

Compliance with SSPA programs can be essential for suppliers to remain in good standing with important customers. However, many companies have never been through a control assessment and the prospect can be daunting. Many companies are initially confused by the requirements and are worried that the process will be expensive and time-consuming. Fortunately, with an experienced partner like SC&H, the process can be manageable and cost-effective.

If you have a customer requiring your compliance with an SSPA, we hope you’ll contact us so we can talk about your situation and chart a path to compliance.

What we do

We provide Gap Assessment, Consulting, Third party compliance & attestation Services over the privacy and security of Microsoft Personal Data and Microsoft Confidential Data.


All suppliers must submit a self-attestation of SSPA compliance to the DPR for Microsoft approval upon onboarding and yearly thereafter, during which time a vendor must respond to each DPR. “Compliant,” “Not Compliant,” “Not Applicable,” “Legal Conflict,” and “Contractual Conflict” are some of the responses

Leave us message

How May We Help You!