Cloud Data Protection and Privacy

What regulations are applied to personal data stored and processed in a customer’s cloud subscription?

As a German company, SAP SE follows the European Union (EU) Privacy Directive and the Federal German Privacy Act. The SAP data protection agreement acts as the legal basis for commissioned data processing and is based on both regulations.

Does SAP have an appointed data protection officer?

At SAP, we have always viewed the designation of a data protection officer (DPO) as a central part of our data protection strategy. Furthermore, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.

Is the SAP data protection agreement applicable only to your data center in Europe?

The SAP data protection agreement and treatment of personal data is applicable globally to all SAP data center and processing locations.

How does SAP ensure that sub-processors protect my personal data?

Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.

How does SAP ensure appropriate security for the storage and processing of personal data?

SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.

How does SAP provide evidence of compliance with its TOMs?

Depending on the relevant service, SAP provides evidence to the customer by way of certifications that show compliance with ISO 27001 or other standards such as ISAE 3402 and ISAE 3000.

Does SAP also hold a specific certificate related to data privacy?

SAP has established and implemented a data protection management system (DPMS), based on the British Standard BS 10012:2009. The DPMS is audited annually by internal and external auditors. Evidence is provided through the certificate and a customer audit report.

Does SAP have regional cloud services?

Yes, we provide the EU Access service from SAP for some of our cloud services. EU Access helps ensure that personal data is stored only in data centers within the European Economic Area, the European Union, and Switzerland. Furthermore, remote access to personal data is restricted to locations within these regions.

Data Center Security

Is there network latency across public and private clouds?

SAP public cloud solutions and their integrations with SAP ERP Central Component (SAP ECC) and S/4HANA are stateless; as such, network latency is not a major concern.

Is there network latency with solutions that are across multiple data centers?

Network latency depends on various factors; as such, no precise information can be provided at a general level. For more detail, we recommend involving the SAP technical solution architect who works with this customer case.

At the cloud data center level, if the solutions are in different data centers, can you explain how integration, security, performance, and failover, among others, work?

All communication between data centers is encrypted using reasonable industry measures. The details of the implementation vary by solution and data flow. For more information, we recommend involving the SAP technical solution architect who works with this customer case.

Guidelines and Audits

Are there any data protection guidelines?

Yes. Data protection guidelines form an element of the SAP security policy, the SAP security standard on data protection, as well as the document "SAP Global Personal Data Protection and Privacy Policy." Our data protection management system consists of data protection work instructions, regulations, and guidelines for all organizations in SAP.

Have processes for maintaining data protection laws and regulations been defined to help ensure the confidentiality and security of customer data?

A wide range of measures helps ensure the confidentiality of customer and sensitive data. Current processes and standards for maintaining data protection laws are described in the sections “General Security at SAP” and “Maintaining Confidentiality While Handling Personal Data.” Data protection in relation to customer incidents is described in the section “Security in the SAP Digital Business Services Organization.”

Are there regular checks to monitor compliance with the SAP security policy?

A wide range of internal ISO 9001 and ISO 27001 audits is conducted to regularly check whether SAP employees adhere to the global policies and standards. Compliance with the security policy is monitored thoroughly. All audit activities are centrally organized by the responsible auditing organizations and conducted by certified internal auditors with the support of the central SAP security department.

Does SAP have an information security team that oversees the implementation of the SAP security policy?

Each manager is responsible for implementing the security policy within their respective organizations. The central security department and the auditing and decentralized security units of SAP help managers in this process. Managers are informed about the performance and current implementation status of information security management systems in regular management reviews.

Is there a code of business conduct that outlines general codes of conduct for employees?

Yes. These rules are outlined in the code of business conduct and are fully accessible and understood by all employees. The code of business conduct also forms part of the SAP employment contract.

How are security incidents managed?

Security incidents at SAP are systematically documented and forwarded to the relevant officer. The security incident management process is described in detail under “Protecting Information in Individual Incidents” in both the “General Security at SAP” and “Security in the SAP Digital Business Services Organization” sections.

Does SAP have a guideline on classifying information?

The SAP security guideline “Information Classification” outlines how information is classified.

Is access to customer data restricted to specific employees, and is the distribution of such information prohibited?

Yes. SAP has guidelines and processes that govern access to customer data. In particular, such access is restricted by a dedicated authorization process. See also the SAP security guideline “Information Classification.” This guideline also specifies rules regarding the forwarding or publishing of confidential or sensitive information.

Are there any certificates that are accessible to customers?

Certificates acquired by SAP can be inspected at any time on the compliance page for cloud solutions.

Is there an ISO 27001 certificate for information technology?

Yes. SAP possesses several ISO 27001 certificates.


Is there a specific certificate for data protection?

Yes. Compliance with the data protection guidelines is maintained regularly in collaboration with BSI as the certification body of SAP for personal information protection.


Compliance

What is the difference between SOC 1, SOC 2, and SOC 3 reports?

The SOC 1 report covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that are relevant to the customer's internal control over financial reporting (also known as IT general controls).

IT general controls cover:

  • IT strategy
  • Environment and organization
  • Logical and physical access controls
  • Program development
  • Change management
  • Computer operations such as incident management, backup, and monitoring

The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that are relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust center criteria (TSPs). These additional TSPs are:

  • Confidentiality
  • Integrity
  • Availability
  • Privacy

The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a service organization, such as those related to security, availability, processing integrity, confidentiality, or privacy, but who do not need, or lack the knowledge to make effective use of, a SOC 2 report. This report is intended for unrestricted use and distribution, including for marketing purposes.

What is the difference between a Type I and a Type II report?

SOC 1 and SOC 2 reports can be delivered in two types:

  • Type I: These reports describe the design of the in-scope controls. The control design is assessed as of a specific date.
  • Type II: These reports additionally test the operating effectiveness of the in-scope controls. For each control, a sample drawn from the population is tested according to the frequency at which the control operates. Populations are based on a six-month period.

Why can't my customer or prospect have a SOC 1 report?

The SOC 1 report is distributed only to customers that had productive, financially relevant systems during the audit period covered by the report and that need the report for their financial audits. These customer systems must be properly recorded as such in our various reporting and asset management tools; otherwise, the customer will not be sent the report.