SAP Cloud Infrastructure SOC 1 Audit Report 2024 H2
SAP Cloud Infrastructure (SCI) spearheads SAP’s 4+1 strategy and supports the adoption and governance of all services deployed as part of SAP’s Cloud Infrastructure Strategy. Specifically, this refers to the management of public cloud hyperscalers and SAP’s internal IaaS known as SAP Converged Cloud.
SAP Converged Cloud
Converged Cloud is SAP’s standardized Infrastructure as a Service (IaaS) offering to support all of SAP’s cloud business on a global scale. SAP Converged Cloud provides access to a vendor-agnostic hardware infrastructure architecture as well as infrastructure orchestration and automation services in all SAP. With SAP Converged Cloud, it is possible to deploy applications into data centers without needing to deploy a solution-specific infrastructure stack (the application infrastructure) beforehand.
The SAP Converged Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
| DC Locations | DC Providers |
| USA: Ashburn, VA | Co-Location Provider |
| Netherlands: Amsterdam | Co-Location Provider |
| USA: Colorado Springs, CO | SAP |
| Australia: Sydney | Co-Location Provider |
| Canada: Toronto | Co-Location Provider |
| United Arab Emirates: Dubai | Co-Location Provider |
| USA: Chandler, AZ | Co-Location Provider |
| Saudi Arabia: Dammam | Co-Location Provider |
| Germany: Frankfurt | Co-Location Provider |
| USA: Newtown Square, PA | SAP |
| Japan: Osaka | Co-Location Provider |
| Saudi Arabia: Riyadh | Co-Location Provider |
| Germany: St. Leon-Rot | SAP |
| China: Shanghai | Co-Location Provider |
| Brazil: São Paulo | Co-Location Provider |
| USA: Sterling, VA | Co-Location Provider |
| Japan: Tokyo | Co-Location Provider |
| Germany: Walldorf | SAP |
SAP Multi Cloud
The SAP Multi Cloud organization provides a ‘platform of enablement’ for Lines of Business (LoB) in the public cloud, providing costing services such as billing and cost optimization, architecture consultation and application design and security safeguards, tool engineering to automate and expand services offerings and hyperscaler operational support.
The SAP Multi Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
| DC Locations | DC Providers |
| USA: N. Virginia | AWS |
| Ireland | AWS |
| Canada: Central | AWS |
| Singapore | AWS |
| South Korea: Seoul | AWS |
| Japan: Osaka | AWS |
| France: Paris | AWS |
| Sweden: Stockholm | AWS |
| China: Beijing | AWS |
| USA: N. California | AWS |
| Bahrain | AWS |
| United Arab Emirates | AWS |
| Germany: Frankfurt | AWS |
| Spain | AWS |
| China: Hong Kong | AWS |
| Italy: Milan | AWS |
| Indonesia: Jakarta | AWS |
| Israel: Tel Aviv | AWS |
| UK: London | AWS |
| India: Mumbai | AWS |
| China: Ningxia | AWS |
| USA: Ohio | AWS |
| Brazil: São Paulo | AWS |
| South Africa: Cape Town | AWS |
| Australia: Sydney | AWS |
| Japan: Tokyo | AWS |
| India: Hyderabad | AWS |
| USA : Calgary | AWS |
| USA: Oregon | AWS |
| Australia: Melbourne | AWS |
| Switzerland: Zurich | AWS |
| Poland: Warsaw | Azure |
| USA: California | Azure |
| USA: Virginia | Azure |
| USA: Virginia | Azure |
| USA: Iowa | Azure |
| USA: Illinois | Azure |
| USA: Texas | Azure |
| USA: West Central | Azure |
| USA: Quincy, WA | Azure |
| USA: Virginia | Azure |
| USA: Iowa | Azure |
| USA: DoD East | Azure |
| USA: DoD Central | Azure |
| Canada: Quebec City | Azure |
| Canada: Toronto | Azure |
| Brazil: São Paulo | Azure |
| USA: Arizona | Azure |
| USA: Texas | Azure |
| Ireland: Dublin | Azure |
| Netherlands: Amsterdam | Azure |
| Spain: Madrid | Azure |
| Germany: Magdeburg | Azure |
| UK: Cardiff | Azure |
| UK: London | Azure |
| France: Paris | Azure |
| France: Marseille | Azure |
| Singapore | Azure |
| China: Hong Kong | Azure |
| Australia: New South Wales | Azure |
| Australia: Victoria | Azure |
| China: Shanghai | Azure |
| China: Beijing | Azure |
| India: Pune | Azure |
| India: Mumbai | Azure |
| India: Chennai | Azure |
| Japan: Tokyo | Azure |
| Mexico: Queretaro | Azure |
| Japan: Osaka | Azure |
| South Korea: Seoul | Azure |
| South Korea: Busan | Azure |
| South Africa: Cape Town | Azure |
| South Africa: Johannesburg | Azure |
| Australia: Canberra | Azure |
| Australia: Canberra | Azure |
| China: Shanghai | Azure |
| China: Beijing | Azure |
| United Arab Emirates: Abu Dhabi | Azure |
| United Arab Emirates: Dubai | Azure |
| Germany: North | Azure |
| Germany: Frankfurt | Azure |
| Switzerland: Zürich | Azure |
| Switzerland: Geneva | Azure |
| Norway: Oslo | Azure |
| Norway: Stavanger | Azure |
| Sweden: Staffanstorp | Azure |
| Sweden: Gävle | Azure |
| Brazil: Rio de Janeiro | Azure |
| Qatar: Doha | Azure |
| USA: Arizona | Azure |
| China: Hebei | Azure |
| China: Jiangsu | Azure |
| Israel | Azure |
| Italy: Milan | Azure |
| Israel: Tel Aviv | GCP |
| USA: Council Bluffs, IA | GCP |
| USA: The Dalles, OR | GCP |
| USA: Ashburn, VA | GCP |
| USA: Moncks Corner, SC | GCP |
| Belgium: St. Ghislain | GCP |
| UK: London | GCP |
| Singapore: Jurong West | GCP |
| Taiwan: Changhua County | GCP |
| Japan: Tokyo | GCP |
| Australia: Sydney | GCP |
| Germany: Frankfurt | GCP |
| USA: Los Angeles, CA | GCP |
| Canada: Montreal | GCP |
| China: Hong Kong | GCP |
| India: Mumbai | GCP |
| Finland: Hamina | GCP |
| Netherlands: Eemshaven | GCP |
| Brazil: São Paulo | GCP |
| Japan: Osaka | GCP |
| Switzerland: Zürich | GCP |
| South Korea: Seoul | GCP |
| Indonesia: Jakarta | GCP |
| USA: Salt Lake City, UT | GCP |
| USA: Las Vegas, NV | GCP |
| Poland: Warsaw | GCP |
| Australia: Melbourne | GCP |
| India: Delhi | GCP |
| Canada: Toronto | GCP |
| Chile: Santiago | GCP |
| France: Paris | GCP |
| Italy: Milan | GCP |
| Spain: Madrid | GCP |
| USA: Columbus, OH | GCP |
| USA: Dallas, TX | GCP |
| Germany: Berlin | GCP |
| Qatar: Doha | GCP |
| South Africa: Johannesburg | GCP |
| Italy: Turin | GCP |
Other Data Center Services
SAP uses additional co-location data centers for physical security of SAP Cloud Services other than SAP Converged Cloud.
DC Locations | DC Providers |
USA: Ashburn, VA | Raging Wire (NTT) |
Ireland: Dublin | Digital Realty |
Germany: Frankfurt | Nippon Telegraph and Telephone Corporation |
Malaysia: Selangor | Nippon Telegraph and Telephone Corporation |
Malaysia: Kuala Lumpur | Nippon Telegraph and Telephone Corporation |
Japan: Osaka | Nippon Telegraph and Telephone Corporation |
USA: Sacramento, CA | Raging Wire (NTT) |
USA: Santa Clara | Cologix |
Singapore | Nippon Telegraph and Telephone Corporation |
SOC 1 reports are prepared pursuant to AT-C Section 320 and International Standard on Assurance Engagements No. 3402. SOC 1 reports are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors). Please note that this examination's scope does not include the controls and related control objectives of any subservice organizations. SOC 1 Type 1 report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls to achieve the related control objectives as of a specified date, whereas a SOC 1 Type 2 also includes the operating effectiveness of controls to achieve the related control objectives throughout a specified period.
SAP Cloud Infrastructure has regularly prepared SOC 1 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. April 2024 to 30. September 2024.
The use of these reports is restricted to the management of the service organization, user entities, and user auditors. A copy of this report is available for all SAP Cloud Infrastructure customers who had productive and had financially-relevant systems during the audit period covered by the report.
SAP Cloud Infrastructure (SCI) spearheads SAP’s 4+1 strategy and supports the adoption and governance of all services deployed as part of SAP’s Cloud Infrastructure Strategy. Specifically, this refers to the management of public cloud hyperscalers and SAP’s internal IaaS known as SAP Converged Cloud.
SAP Converged Cloud
Converged Cloud is SAP’s standardized Infrastructure as a Service (IaaS) offering to support all of SAP’s cloud business on a global scale. SAP Converged Cloud provides access to a vendor-agnostic hardware infrastructure architecture as well as infrastructure orchestration and automation services in all SAP. With SAP Converged Cloud, it is possible to deploy applications into data centers without needing to deploy a solution-specific infrastructure stack (the application infrastructure) beforehand.
The SAP Converged Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
| DC Locations | DC Providers |
| USA: Ashburn, VA | Co-Location Provider |
| Netherlands: Amsterdam | Co-Location Provider |
| USA: Colorado Springs, CO | SAP |
| Australia: Sydney | Co-Location Provider |
| Canada: Toronto | Co-Location Provider |
| United Arab Emirates: Dubai | Co-Location Provider |
| USA: Chandler, AZ | Co-Location Provider |
| Saudi Arabia: Dammam | Co-Location Provider |
| Germany: Frankfurt | Co-Location Provider |
| USA: Newtown Square, PA | SAP |
| Japan: Osaka | Co-Location Provider |
| Saudi Arabia: Riyadh | Co-Location Provider |
| Germany: St. Leon-Rot | SAP |
| China: Shanghai | Co-Location Provider |
| Brazil: São Paulo | Co-Location Provider |
| USA: Sterling, VA | Co-Location Provider |
| Japan: Tokyo | Co-Location Provider |
| Germany: Walldorf | SAP |
SAP Multi Cloud
The SAP Multi Cloud organization provides a ‘platform of enablement’ for Lines of Business (LoB) in the public cloud, providing costing services such as billing and cost optimization, architecture consultation and application design and security safeguards, tool engineering to automate and expand services offerings and hyperscaler operational support.
The SAP Multi Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
| DC Locations | DC Providers |
| USA: N. Virginia | AWS |
| Ireland | AWS |
| Canada: Central | AWS |
| Singapore | AWS |
| South Korea: Seoul | AWS |
| Japan: Osaka | AWS |
| France: Paris | AWS |
| Sweden: Stockholm | AWS |
| China: Beijing | AWS |
| USA: N. California | AWS |
| Bahrain | AWS |
| United Arab Emirates | AWS |
| Germany: Frankfurt | AWS |
| Spain | AWS |
| China: Hong Kong | AWS |
| Italy: Milan | AWS |
| Indonesia: Jakarta | AWS |
| Israel: Tel Aviv | AWS |
| UK: London | AWS |
| India: Mumbai | AWS |
| China: Ningxia | AWS |
| USA: Ohio | AWS |
| Brazil: São Paulo | AWS |
| South Africa: Cape Town | AWS |
| Australia: Sydney | AWS |
| Japan: Tokyo | AWS |
| India: Hyderabad | AWS |
| USA : Calgary | AWS |
| USA: Oregon | AWS |
| Australia: Melbourne | AWS |
| Switzerland: Zurich | AWS |
| Poland: Warsaw | Azure |
| USA: California | Azure |
| USA: Virginia | Azure |
| USA: Virginia | Azure |
| USA: Iowa | Azure |
| USA: Illinois | Azure |
| USA: Texas | Azure |
| USA: West Central | Azure |
| USA: Quincy, WA | Azure |
| USA: Virginia | Azure |
| USA: Iowa | Azure |
| USA: DoD East | Azure |
| USA: DoD Central | Azure |
| Canada: Quebec City | Azure |
| Canada: Toronto | Azure |
| Brazil: São Paulo | Azure |
| USA: Arizona | Azure |
| USA: Texas | Azure |
| Ireland: Dublin | Azure |
| Netherlands: Amsterdam | Azure |
| Spain: Madrid | Azure |
| Germany: Magdeburg | Azure |
| UK: Cardiff | Azure |
| UK: London | Azure |
| France: Paris | Azure |
| France: Marseille | Azure |
| Singapore | Azure |
| China: Hong Kong | Azure |
| Australia: New South Wales | Azure |
| Australia: Victoria | Azure |
| China: Shanghai | Azure |
| China: Beijing | Azure |
| India: Pune | Azure |
| India: Mumbai | Azure |
| India: Chennai | Azure |
| Japan: Tokyo | Azure |
| Mexico: Queretaro | Azure |
| Japan: Osaka | Azure |
| South Korea: Seoul | Azure |
| South Korea: Busan | Azure |
| South Africa: Cape Town | Azure |
| South Africa: Johannesburg | Azure |
| Australia: Canberra | Azure |
| Australia: Canberra | Azure |
| China: Shanghai | Azure |
| China: Beijing | Azure |
| United Arab Emirates: Abu Dhabi | Azure |
| United Arab Emirates: Dubai | Azure |
| Germany: North | Azure |
| Germany: Frankfurt | Azure |
| Switzerland: Zürich | Azure |
| Switzerland: Geneva | Azure |
| Norway: Oslo | Azure |
| Norway: Stavanger | Azure |
| Sweden: Staffanstorp | Azure |
| Sweden: Gävle | Azure |
| Brazil: Rio de Janeiro | Azure |
| Qatar: Doha | Azure |
| USA: Arizona | Azure |
| China: Hebei | Azure |
| China: Jiangsu | Azure |
| Israel | Azure |
| Italy: Milan | Azure |
| Israel: Tel Aviv | GCP |
| USA: Council Bluffs, IA | GCP |
| USA: The Dalles, OR | GCP |
| USA: Ashburn, VA | GCP |
| USA: Moncks Corner, SC | GCP |
| Belgium: St. Ghislain | GCP |
| UK: London | GCP |
| Singapore: Jurong West | GCP |
| Taiwan: Changhua County | GCP |
| Japan: Tokyo | GCP |
| Australia: Sydney | GCP |
| Germany: Frankfurt | GCP |
| USA: Los Angeles, CA | GCP |
| Canada: Montreal | GCP |
| China: Hong Kong | GCP |
| India: Mumbai | GCP |
| Finland: Hamina | GCP |
| Netherlands: Eemshaven | GCP |
| Brazil: São Paulo | GCP |
| Japan: Osaka | GCP |
| Switzerland: Zürich | GCP |
| South Korea: Seoul | GCP |
| Indonesia: Jakarta | GCP |
| USA: Salt Lake City, UT | GCP |
| USA: Las Vegas, NV | GCP |
| Poland: Warsaw | GCP |
| Australia: Melbourne | GCP |
| India: Delhi | GCP |
| Canada: Toronto | GCP |
| Chile: Santiago | GCP |
| France: Paris | GCP |
| Italy: Milan | GCP |
| Spain: Madrid | GCP |
| USA: Columbus, OH | GCP |
| USA: Dallas, TX | GCP |
| Germany: Berlin | GCP |
| Qatar: Doha | GCP |
| South Africa: Johannesburg | GCP |
| Italy: Turin | GCP |
Other Data Center Services
SAP uses additional co-location data centers for physical security of SAP Cloud Services other than SAP Converged Cloud.
DC Locations | DC Providers |
USA: Ashburn, VA | Raging Wire (NTT) |
Ireland: Dublin | Digital Realty |
Germany: Frankfurt | Nippon Telegraph and Telephone Corporation |
Malaysia: Selangor | Nippon Telegraph and Telephone Corporation |
Malaysia: Kuala Lumpur | Nippon Telegraph and Telephone Corporation |
Japan: Osaka | Nippon Telegraph and Telephone Corporation |
USA: Sacramento, CA | Raging Wire (NTT) |
USA: Santa Clara | Cologix |
Singapore | Nippon Telegraph and Telephone Corporation |
SOC 1 reports are prepared pursuant to AT-C Section 320 and International Standard on Assurance Engagements No. 3402. SOC 1 reports are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors). Please note that this examination's scope does not include the controls and related control objectives of any subservice organizations. SOC 1 Type 1 report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls to achieve the related control objectives as of a specified date, whereas a SOC 1 Type 2 also includes the operating effectiveness of controls to achieve the related control objectives throughout a specified period.
SAP Cloud Infrastructure has regularly prepared SOC 1 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. April 2024 to 30. September 2024.
The use of these reports is restricted to the management of the service organization, user entities, and user auditors. A copy of this report is available for all SAP Cloud Infrastructure customers who had productive and had financially-relevant systems during the audit period covered by the report.