DPR Version 11 went live!
Here is what you need to know:
The Microsoft Supplier Security and Privacy Assurance (SSPA) program, designed to ensure suppliers and partners uphold stringent security and privacy standards, released its latest Data Protection Requirements (DPR) update, Version 11, in 2025. To stay compliant, you need to pay attention to the changes.
1. New requirements
Version 11 introduces two new requirements to strengthen supplier accountability:
Data Protection Agreements with Subcontractors: Suppliers must ensure formal agreements are in place with subcontractors to align with Microsoft’s data protection standards. This enhances oversight and ensures compliance throughout the supply chain.
Background Verification Checks: Suppliers must conduct background checks for personnel assigned to Microsoft projects, reinforcing security for sensitive roles.
2. Enhanced compliance flexibility
SOC 2 Report Acceptance: For Section J (Information Security Management System), Version 11 clarifies that a SOC 2 report covering security may be accepted in place of an independent assessment, provided it has no qualifications. This offers greater flexibility for suppliers already maintaining SOC 2 compliance.
Looking for an SSPA Independent Assessment?
RSM is here to help!
As part of the SSPA program, Microsoft suppliers and partners may be required to provide an independent assessment of their compliance with data protection requirements (DPR), based on their profile.
RSM is certified by Microsoft to support the SSPA and DPR (Data Protection Requirements) programs.
RSM provides an SSPA/DPR assessment for your company, producing a report with detailed findings for each applicable control, enabling your organization to evaluate potential strengths and weaknesses in each area. Our assessment includes:
☑️ Assessment of SSPA/DPR applicability.
☑️ Review of policies and procedures.
☑️ Review of documentation for each applicable requirement.
☑️ A letter describing whether your organization is compliant, to share with Microsoft.
RSM also provides the following value-added services:
1. Expert guidance for your first SSPA Readiness Assessment
A rapid readiness assessment led by our SSPA experts can help your organization ensure alignment with the SSPA program before the independent assessment.
2. Timely remediation of non-compliant gaps
If issues arise during your assessment, we provide implementable recommendations to resolve non-compliance swiftly.
3. Replace Section J with ISO 27001 and/or SOC 2
Transition seamlessly to ISO 27001 certification and SOC 2 attestation with our tailored readiness assessments.