Microsoft SSPA

Mandatory compliance services for all Microsoft vendors.

The Microsoft Supplier Security and Privacy Assurance Program (SSPA), formerly known as the Vendor Privacy Assurance Program, is a compliance initiative that regulates how Microsoft partners and vendors handle the data of Microsoft employees, customers and vendors. The Microsoft SSPA groups vendors into one of three categories: Low Business Impact, Moderate Business Impact, and High Business Impact.

Our Microsoft SSPA Services

The 360 Advanced team provides assessment, remediation and recommendations, a Letter of Attestation, and a practitioner’s report.

Each assessment begins with a scoping session to understand which data protection requirements (DPRs) are relevant for your organization. Next, our cybersecurity professionals will develop a project plan considering how best to minimize the impact on your team’s resources. Finally, we will request evidence so we can compare your policies and procedures to the DPRs.

Over the course of our careers, our professionals have had the benefit of working with thousands of companies, so we have seen organizations at every point on the spectrum of security and privacy compliance and practice. Drawing on this experience, we will identify any areas requiring remediation during the assessment and share recommendations based on industry best practices.

Organizations that handle “high business impact” data — such as financial transaction or financial profile data, medical information, or authentication/authorization credentials — must submit a Letter of Attestation from an approved third party (a licensed CPA firm such as 360 Advanced) in order to remain in compliance.

We can also issue a practitioner’s report which addresses criteria relating to Management, Consent, Collection, Retention, Accessibility, Security, Monitoring, Disclosure, and Quality.

Which category does my organization fall under?

Handling data containing no personal information requires no further action other than the annual completion of the Microsoft Personal Information (MPI) Inventory, a requirement of all Microsoft vendors.

Handling data that includes Personally Identifiable Information (PII) such as Name, Address, Email Address, Phone Number, IP Address, Racial Information, Ethnic Information, Political Affiliation, Religious Beliefs, Sexual Orientation, or Physical and/or Mental Health Information qualifies your organization as Moderate Business Impact. At this level, a vendor is required to complete a self-certification within 90 days of the MPI submission.

Handling data that includes Authentication Credentials, Cryptographic Keys, Financial Reports, Credit Card Numbers, or Medical Profiles means the organization must adhere to the Microsoft Vendor Data Protection Requirements (DPR) and must submit a Letter of Attestation within 90 days of the MPI submission.

You deserve a conversation, not a questionnaire.

We build long-term relationships through trust and value. If you’re looking for a trusted business advisor to build your holistic compliance strategy, let’s chat!