Understand subprocessor onboarding and monitoring
When Microsoft initiates a support contract with a subprocessor, specific workflows and processes ensure subprocessors meet requirements before beginning contracted work. New subprocessors must complete a series of verifications to validate that their information systems meet the requirements applicable to the types of data they will process as part of contracted work. Alternatively, contracted work assigned to existing subprocessors who have already met requirements allows Microsoft to limit the number of subprocessors who process Customer or Personal Data.
Adding a new subprocessor
Adding a new subprocessor requires a series of rigorous verifications to ensure the subprocessor meets Microsoft standards before they can begin contracted work. These verification steps include but are not limited to:
- A business verification check: A review by the business to determine why the use of this supplier is needed instead of a supplier who is already approved. Once business approval has been granted, the additional verifications below must be performed.
- Privacy and compliance check: Validate that the subprocessor has already been disclosed for the appropriate amount of time and that all contracts and certification requirements have been met.
- Anti-corruption checks: Check against global relationship management systems and news for suppliers who may be engaged in corruption activities.
- Corruption risk score: This is a score that is assigned based on the anti-corruption check. The score indicates the risk level of the supplier being involved in corruption activities.
- A do-not-engage check: Internal Microsoft check against suppliers who have been deemed inappropriate for use.
- Trade sanctions screening: A review of watch sites, government records, and media searches to determine if trade sanctions apply to the supplier.
In addition, business unit approval is required as a final check after all scores and checks have been returned and accounted for.
Subprocessor enrollment begins with an email request to a prospective subprocessor with instructions to create a profile in the Microsoft Supplier Compliance Portal (MSCP). Subprocessors use the portal to choose the data processing activities they wish to be approved for. These data processing activities include:
- Processing of personal data and/or Microsoft confidential data
- Processing data on the supplier's network
- Data processing role (controller, processor, co-controller, etc.)
- Payment card processing
- Provision of Software as a Service (SaaS)
- Use of subcontractors
- Subprocessor designation
Once a subprocessor has completed their profile, they will be given either the full set or a subset of requirements from the DPR to complete within 90 days. Depending on the approvals selected by the subprocessor in their profile, Independent Assurance may be necessary in addition to verify compliance with the DPR controls assigned.
In some cases, requirements can be fulfilled through acceptable certification alternatives such as ISO 27701 (privacy) and ISO 27001 (security).
Once a subprocessor has passed all applicable checks, their SSPA status is subject to final review. Reviewers verify all relevant checks and decide which types of data processing should be approved. After the profile has been approved, subprocessors receive the requisite data processing approvals.