Microsoft VPA Program Guide Version 1.2 Page 1 of 8 Microsoft Confidential

Microsoft Vendor Privacy Assurance Program Guide

January 2006


1. Program Overview

The Vendor Privacy Assurance (“VPA”) Program is a joint effort of Microsoft Corporate Procurement, Corporate Privacy, and Corporate IT Security to ensure that basic privacy and security principles are followed when vendors handle Microsoft customer, employee or partner personal information.

The requirements of the VPA Program are minimum, baseline requirements; specific business groups at Microsoft may require vendors to implement additional security and privacy requirements.

Questions: Please send email to the appropriate regional support center:

North America: [email protected]

Europe, Middle East, Africa: [email protected]

Asia Pacific/Greater China Region: [email protected]

2. Definitions

A “Microsoft Business Partner” is a person (either individually or as part of a company) with whom Microsoft engages in conducting its business, and whose personal information your company may handle as part of providing the services called for by your purchase order or contract with Microsoft.

A “Microsoft Customer” is a person (either individually or as part of a company) who receives Microsoft products or services, and whose personal information your company may handle as part of providing the Microsoft products or services called for by your purchase order or contract with Microsoft.

A “Microsoft Employee” is a person who is employed by Microsoft, and whose personal information your company may handle as part of providing the services called for by your purchase order or contract with Microsoft. Collection of Microsoft employee contact information or credit card data from Microsoft employees with whom your company interacts directly as part of the initiation/implementation/conclusion of the provision of services or goods would generally fall outside the scope of the VPA Program.

Processing personal information “on Microsoft's behalf” means doing so as part of the execution of services being provided per the terms of your purchase order or contract with Microsoft.

3. Program Requirements

All vendors must complete the annual Microsoft Personal Information (MPI) Inventory and comply with all applicable requirements of the VPA Program. Certification of compliance must be submitted by any vendor handling Microsoft customer, employee or partner personal information.

Privacy and Security Requirements: The detailed requirements for handling Microsoft customer, employee and partner personal information are outlined in the Microsoft Vendor Data Protection Requirements (hereafter “DPR”). The DPR contains the requirements that must be followed by all vendors handling data classified as “Moderate Business Impact” or “High Business Impact.”

Certification Requirement: Vendors handling data classified as “Moderate Business Impact” are required to certify compliance to the DPR and must submit a self-certification of compliance within 90 days of submission of the MPI Inventory.

Attestation Requirement: Vendors handling data classified as “High Business Impact” are required to submit an unqualified letter of attestation from an approved third-party within 90 days of submission of the MPI Inventory. A list of approved third-parties can be found by consulting the appropriate country listing provided by the International Federation of Accountants (http://www.ifac.org).


4. Proof of Compliance

The requirements for proof of compliance are determined by the compliance cycle and the data class:

Initial Compliance Cycle:

Submission of self-certification or unqualified letter of attestation of compliance is voluntary.

Second Compliance Cycle:

All vendors handling data classified as “Moderate Business Impact” or “High Business Impact” must submit a self-certification of compliance to the DPR.

Third and subsequent Compliance Cycles:

All vendors handling data classified as “High Business Impact” must submit an unqualified letter of attestation; self-certification will no longer be sufficient.

All vendors handling data classified as “Moderate Business Impact” will continue to submit a self-certification of compliance to the DPR.

5. Annual Compliance Cycle

Vendors are assigned an anniversary date on which they will receive an email from Microsoft containing a hyperlink to the MPI Inventory.

Vendors have 30 days in which to submit a completed MPI Inventory.

Upon submission of the inventory, a data classification is assigned to the vendor.

Vendors handling data classified as “No Personal Information” or “Low Business Impact” have no further action.

Vendors handling data classified as “Moderate Business Impact” or “High Business Impact” must submit a self-certification or unqualified letter of attestation of compliance to the DPR.

Vendors have 90 days in which to submit their self-certification or unqualified letter of attestation.

A new anniversary date will be assigned, based on the date of completion of (a) the MPI Inventory or (b) submission of the self-certification or attestation letter, whichever is later.

[Figure: Annual Compliance Cycle. Two flows are shown.

Data Class = No Personal Information or LBI: (1) Microsoft e-mails link to PI inventory to vendor; (2) vendor submits PI inventory within 30 days; data class = LBI or No PII; the cycle repeats after 1 year.

Data Class = HBI or MBI: (1) Microsoft e-mails link to PI inventory to vendor; (2) vendor submits PI inventory within 30 days; data class = HBI or MBI; (3) vendor submits self-certification or attestation within 90 days; the cycle repeats after 1 year.]


6. Data Classification

Responses to the MPI Inventory are used to classify the Microsoft Personal Information handled by vendors. To assist with completion of the inventory, a list of commonly-collected types of personally identifiable information (PII) and the corresponding Microsoft data class has been compiled and is provided below. These classifications apply regardless of whether the PII pertains to a Microsoft employee, a Microsoft customer or a Microsoft business partner.

High Business Impact (HBI): Access to this data should be limited to those with a direct business need to know.

Authentication/authorization credentials (i.e., username/password pairs, private cryptographic keys or numeric identification sequences such as PINs, and hardware or software tokens).

Highly-sensitive personally identifiable information (PII) which includes:

o Government-provisioned identification credentials (e.g., passport, social security, or driver’s license numbers)

o Financial transaction authorization data (e.g., credit card number, expiration date, and card ID)

o Financial profiles (e.g., consumer credit reports or personal income statements)

o Medical profiles (e.g., medical record numbers or biometric identifiers)

Moderate Business Impact (MBI): Access must be strictly monitored and controlled at all times.

All Personally Identifiable Information (PII) that is not listed as highly-sensitive PII (above), such as:

Information that can be used to contact an individual such as name, address, e-mail address, fax number, phone number, IP address, etc.

Also includes, but is not limited to, information regarding an individual’s race, ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual orientation, commission or alleged commission of offenses and court proceedings.

7. Data Class Upgrade Process

Vendors handling data classified as “No PII” or “LBI” may choose to submit a self-certification or unqualified letter of attestation of compliance to the DPR in order to document in advance their ability to properly handle Microsoft customer, partner and employee personal information in either the “Moderate Business Impact” or “High Business Impact” data classes.

After submitting the appropriate self-certification or unqualified letter of attestation, the vendor record will be updated accordingly to reflect the vendor’s ability to handle “Moderate Business Impact” or “High Business Impact” data. Vendors will need to pursue these “upgrades” annually if there has been no change in their assigned data class.

8. Exception Process

To request an exception to compliance with a requirement, vendors should email [email protected]. The maximum exception period is one year.

9. Privacy Escalation Response Framework

Should a privacy event occur, vendors must e-mail [email protected]. Privacy events include, but are not limited to, the following:

Inappropriate exposure of personal information

Theft or loss of personal information

Discovery of privacy policy non-compliance

Discovery of a flawed privacy policy or standard


Glossary

This glossary references terms and concepts used in the VPA Program Guide, the Microsoft Vendor Data Protection Requirements and other VPA Program materials.

A

access

With respect to privacy, an individual's ability to view, modify, and contest the accuracy and completeness of personally identifiable information (PII) collected about him or her. Access is an element of the Fair Information Practices. With respect to vendor operations, access is defined as both logical (i.e., connection of one device or system to another) and physical access to electronic or paper data sources.

accessible

Able to be (readily) understood.

anonymity

A condition in which an individual's true identity is unknown or cannot be ascertained.

anonymize

To render personal data sufficiently anonymous that an individual’s true identity cannot be ascertained.

antivirus software

Software specifically designed for the detection and prevention of known viruses.

authentication

The process for verifying that someone or something is who or what it claims to be. In private and public computer networks (including the Internet), authentication is commonly performed through the use of logon passwords.

authorization

The process of giving someone permission to do or have something. It provides established controls that give specific users access to information and prevents others from accessing the same information, often based upon an authentication process. In reference to computing, especially remote computers on a network, the right granted an individual or process to use a system and the data stored on it. Authorization is typically set up by a system administrator and verified by the computer based on some form of user identification, such as a code number or password.

C

choice

An individual's ability to determine whether and how personally identifiable information (PII) collected from him or her may be used, especially for purposes beyond those for which the information was originally provided. Choice is an element of the personal relationship.

collect

The gathering of personal information; collection may be direct, through means such as online forms or mail-in registration cards, or indirect, through third parties.

computer security

The discipline, techniques, and tools designed to help protect the confidentiality, integrity, and availability of data and systems.

consent

Permission given to use or share PII in specified ways. Consent can be implicit or explicit.

contact preference

Data collected about an individual’s preferred means of making contact such as by e-mail, phone, or mail.

cookie

A small data file that is stored on a user's local computer for record-keeping purposes and which contains information about the user that is pertinent to a Web site, such as user preferences.

credentials

Information that includes identification and proof of identification that is used to gain access to local and network resources. Examples of credentials are user names and passwords, smart cards, and certificates.

D

data integrity / data quality

A key principle of privacy, data integrity / data quality refers to the requirement on organizations to ensure that PII is accurate, complete and current.

data transfer

As a key principle of privacy, the movement of personally identifiable information (PII) between entities, such as a customer list being shared between two different companies.


destruction

Items must be physically destroyed in a manner that eliminates any possibility for the recovery of information from the destroyed remnants.

digital asset

An electronic object that has value for some purpose. It may have been created digitally or it may have been digitized from a non-digital original source.

disclosure

A component of the notice principle, wherein a company should make available its data handling practices including notices on how it collects, uses and shares personally identifiable information (PII).

distribute

The transfer from one party to another party, who then assumes possession or control of the information.

E

encryption

In basic terms, encryption is the process of converting plaintext into cipher text by using a cryptographic algorithm and key.

enforcement

A privacy principle which provides mechanisms for assuring compliance with the Fair Information Practices, recourse for individuals affected by non-compliance, and consequences for the non-compliant organization. Such methods for enforcement may include a review by independent third parties, such as TRUSTe.

F

Fair Information Practices

The basis for privacy best practices, both online and offline. The Practices originated in the Privacy Act of 1974, the legislation that protects personal information collected and maintained by the U.S. government. In 1980, these principles were adopted by the Organization for Economic Cooperation and Development and incorporated in its Guidelines for the Protection of Personal Data and Trans-border Data Flows. They were adopted later in the EU Data Protection Directive of 1995, with modifications. The Fair Information Practices include notice, PUID, choice, access, onward transfer, data integrity, and remedy.

financial information

Data collected by a site or service provider on an individual’s finances, including account status, account balances, payment history and credit information. This information should generally be treated as High Business Impact.

H

health information

Data concerning an individual’s physical or mental health, including inquiries into healthcare services and information, and purchases of healthcare products. This information should be treated as High Business Impact.

I

integrity

The principle of Fair Information Practices that reasonable steps should be taken to ensure that PII is relevant and reliable (i.e., accurate, complete, and current) for its intended use.

IP address

A number used to uniquely identify the sender and receiver of information packets that are sent over the Internet. IP addresses can either be static (unchanging) or dynamic.

M

Microsoft Personal Information

Any information provided by Microsoft or collected by vendors on behalf of Microsoft: (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, or (ii) from which identification or contact information of an individual person can be derived. Microsoft Personal Information includes but is not limited to: name, address, phone number, fax number, email address, social security number or other government-issued identifier, and credit card information. Additionally, to the extent any other information (such as a personal profile, unique identifier, biometric information, or IP address) is associated or combined with Personal Information, then such information will also be considered Personal Information.

N

notice

A privacy principle that requires reasonable disclosure to a consumer of an entity's personally identifiable information (PII) collection and use practices. Whenever PII is collected from an individual, that individual must be given notice as to what information is being collected and how that information will be used. This disclosure information is typically conveyed in a privacy notice or privacy policy. Notice is addressed in Fair Information Practices.


O

onward transfer

The transfer of personally identifiable information (PII) by the recipient of the original data to a second recipient (i.e., the recipient of the onward transfer). For example, the transfer of PII from an entity in Germany to an entity in the United States constitutes onward transfer of that data. Onward transfer is addressed in Fair Information Practices.

opt in

A method of obtaining an individual’s explicit consent for the use of PII beyond the primary purpose for which it was originally provided. Opt-in requires the user to take an explicit additional action (such as checking a box) in order to provide consent. Typically used in marketing programs and offerings, whereby an action (such as the use of personal information beyond the original, primary purpose for which it was collected) is not undertaken unless an individual explicitly consents.

opt out

A method of obtaining an individual’s consent for the use of PII beyond the primary purpose for which it was originally provided. Opt-out infers consent based on a user's failure to take an explicit action (such as un-checking a box) to withhold the consent. Typically used in marketing programs and offerings, whereby an action (such as the use of personal information beyond the original, primary purpose for which it was collected) is undertaken unless an individual explicitly declines.

P

personally identifiable information (PII)

Any information relating to an identified or identifiable individual. Such information may include name, country, street address, e-mail address, credit card number, Social Security number, government ID number, IP address, or any unique identifier that is associated with PII in another system. Also known as personal information or personal data.

policy

A written statement that communicates management’s intent, objectives, requirements, responsibilities, and/or standards.

primary use

Purpose for which the information was originally provided; for example, collecting shipping information to send a product or processing registration for an event.

privacy

The control customers have over the collection, use, and distribution of their personal information.

privacy policy

An organization's requirements for complying with privacy regulations and directives.

privacy statement

An externally-facing document that describes, among other things, what information the product, site or service collects; with whom the data is shared; and how users can control the use of their personal information.

privileges

The permission granted to a user to perform a specific task, usually one that affects an entire computer system rather than a particular object. Privileges are assigned by administrators to individual users or groups of users as part of the security settings for a computer.

R

relevancy

The collection of PII should be limited to that which is relevant to the provision of the requested service.

S

secondary use

Use of personal information for purposes other than those for which the information was collected. The Fair Information Practices state that a person can provide personal information for a specific purpose without the fear that it may later be used for an unrelated purpose without that person's knowledge or consent.

security

Security is a principle of the Fair Information Practices which provides that organizations should take reasonable steps to protect the confidentiality, integrity and availability of PII.

sensitive data / sensitive information

From the European Union perspective, personally identifiable information (PII) regarding race or ethnic origin, political opinions, religious or philosophical beliefs, sexual preference, or trade union membership. Within the United States, sensitive information also includes information about health, finances, and children.

system

A system consists of multiple components organized to achieve a specified objective. These components can include infrastructure (facilities, equipment, and networks), software (systems, applications, and utilities), people (developers, operators, users, and managers), procedures (automated and manual), and data (transaction streams, files, databases, and tables).


subcontractor

An individual, or an entity, hired by a vendor to perform subcontracting services to fulfill the vendor’s contract with Microsoft.

T

transfer

The hand off of customer data to a Third Party who can internally store and use this information to contact customers regarding its own products and services.

U

unqualified letter of attestation

An unqualified letter of attestation is distinguished by the phrase “In our opinion, management’s assertion [assertion identified] is fairly stated in all material respects.” An unqualified report does not include the phrase “except for.”

use

The use of Microsoft Personal Information in fulfillment of the procured services.

user profile

Settings that define customization preferences for a particular user, such as desktop settings, persistent network connections, personally identifiable information (PII), web site use, or other behaviors and demographics data.

V

vendor

An individual, or an entity, hired to provide products or perform a service to or on behalf of Microsoft. A vendor is not considered an independent third-party to Microsoft.