Data protection and privacy

Understand how SAP respects and protects individual privacy rights.

Safeguarding data protection and privacy at SAP

We uphold data protection and privacy by employing advanced security protocols and fostering a culture of trust to ensure that our customers' information is always safeguarded. Learn more about how we prioritize data protection and privacy.

Data protection and privacy

We respect the privacy of every individual. Our policies and data processing agreements help us abide by relevant laws worldwide and provide a trusted foundation for our customers to operate their businesses in a compliant way.

Our commitment to data protection and privacy

We monitor the global regulatory landscape to implement safeguards to protect the fundamental rights of anyone whose data is processed by SAP, including customers, suppliers, partners, prospects, employees, and applicants.

Data protection and privacy by design

SAP is continuously focused on improving its product development standards. We embed data protection and privacy features in our products and services by design and by default.

Artificial intelligence (AI) at SAP

Our use of AI and its development is governed by SAP’s global AI ethics policy and applicable laws.

Data protection management system (DPMS)

SAP has implemented a DPMS with respect to its internal data protection and privacy controls in accordance with internationally recognized industry standards.

General Data Protection Regulation (GDPR)

In Europe, an individual’s right to data privacy is a human right. As a German-based company, SAP has a long-standing commitment to these data privacy and protection principles.

EU Standard Contractual Clauses

Find out how SAP implements the EU Standard Contractual Clauses (EU SCC) as published by the European Commission following the Schrems II decision.

EU Cloud Code of Conduct (EU Cloud CoC)

Approved by the European Data Protection Board, SAP has sought a "Declaration of Adherence" to the EU Cloud CoC for certain cloud services.

DPA Amendment Self Service for EU/EEA and UK Customers

SAP supports international data transfers in line with the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA). Customers in the EU/EEA and UK can easily manage compliance by signing a Data Processing Agreement (DPA) amendment through SAP’s self-service portal.

Global data protection and privacy compliance

Find out how SAP monitors and stays compliant with the always-evolving global data protection and privacy requirements applicable to SAP's products and services.

California Privacy Rights (CCPA/CPRA)

SAP supports California Privacy Rights initiatives, which grant California residents more control over their personal data and impose heightened compliance obligations on businesses that share and sell such information.

The Health Insurance Portability and Accountability Act (HIPAA)

Under certain circumstances, SAP enters into a Business Associate Addendum (BAA) as a covered entity and business associate to enable compliance for those SAP customers that intend to process Personal Health Information (PHI).

Vietnam's Personal Data Protection Decree

Vietnam issued Decree 13 on Personal Data Protection (PDPD). Vietnam will become the fifth country in the ASEAN region with an omnibus set of data protection regulations.

The Philippines Data Processing Systems and Data Protection Officers registrations

Find out about SAP's Philippines Data Processing Systems and Data Protection Officers registrations and seals.

Brazil’s General Data Protection Law

New regulations governing cross-border transfers of personal data are reshaping Brazil’s data protection landscape. SAP supports global compliance by embedding privacy into its operational model, promoting secure and lawful data flows across international boundaries.

India's Digital Personal Data Protection Act

A preliminary overview of key provisions, scope and implications for global enterprises.

Data processing at SAP

SAP protects the rights of individuals whose data we process. We strive to continuously strengthen our reputation as a trusted and reliable business partner in the market.

Data processing agreements (DPAs)

SAP signs DPAs with each of our customers. DPAs enable us and our customers to comply with applicable laws when SAP processes personal data on behalf of customers.

Technical and organizational measures (TOMs)

SAP constantly improves upon TOMs to protect the data we process on behalf of customers against unauthorized access, change, or deletions.

Subprocessors

SAP's use of subprocessors may require access to and transfer of customer data to subprocessors for the hosting of customer data and related infrastructure support.

Government requests to access customer data

SAP receives few requests from government agencies requiring SAP to produce or disclose information that contains or includes any customer data.

Data Subject Rights

Submit a request to exercise your data subject rights.

Continuous improvement of Cloud Services

We regularly update our cloud services to support performance, security and innovation, while respecting our data protection and privacy obligations.

Data Privacy and Transfer Impact Assessments

Find out how SAP supports customers with common questions related to data privacy and transfer impact assessments when using SAP products and services.

Product Development Schedule

The Product Development Schedule sets out terms on how SAP may use customer data for general product research and development.

Data protection and privacy certifications

SAP has a wide range of third-party audit reports, certifications, and attestations that demonstrate our compliance with data protection and privacy requirements.

Audit reports and certifications

SAP maintains multiple industry-standard third-party certifications and audit reports in support of the TOMs described in our DPAs.

Industry-specific attestations

SAP has a variety of sector-specific attestations and authorizations for certain products and services to meet the needs of customers in various industries, including FedRAMP and PCI DSS.

EU Cloud CoC reports

SAP has sought a Declaration of Adherence to the EU Cloud CoC for certain cloud services to demonstrate GDPR compliance in the SAP product and services portfolio.

Data protection management system (DPMS)

SAP has implemented a DPMS with respect to its internal data protection and privacy controls in accordance with internationally recognized industry standards.

Data protection and privacy FAQs

Frequently asked questions

SAP implements technical and organizational measures to protect personal data, such as encryption, access controls, and privacy-by-design principles. These measures are incorporated into SAP’s Data Processing Agreement. SAP also complies with international data protection laws, including the General Data Protection Regulation, and holds a range of third-party certifications that validate our commitment to strong security and privacy practices across products and services.

As a business-to-business provider of enterprise cloud solutions, SAP receives few requests from government entities seeking access to customer data. When such requests do arise, SAP follows a defined legal process when responding to government data requests. Whenever possible, we inform customers before disclosing any information—unless prohibited by law—and we challenge demands that are unlawful or excessive. Protecting customer data from unauthorized access remains a top priority.

SAP thoroughly evaluates the security, privacy, and confidentiality practices of each subprocessor before engagement. All subprocessors must enter into a written agreement with SAP that includes robust data protection and security provisions. SAP maintains and regularly updates product- and service-specific subprocessor lists, which detail the location and country of each subprocessor. These lists are accessible to customers at any time via SAP Trust Center. Customers may also subscribe to receive email notifications about changes to subprocessor lists. Learn more about SAP's subprocessors.

While SAP acts as a data processor, we provide comprehensive documentation to assist with DPIAs and TIAs. Access relevant templates and guidance directly from SAP Trust Center.

SAP complies with the European Data Protection Board (EDPB) recommendations by implementing supplementary measures to support data transfer mechanisms—such as standard contractual clauses—in providing an “essentially equivalent” level of protection. These measures include:

  • Technical and organizational measures (TOMs): SAP uses safeguards to prevent unauthorized processing and accidental disclosure, access, loss, destruction, or alteration of personal data. These TOMs are outlined in SAP’s Data Processing Agreements (DPAs), available through SAP Trust Center.

  • Third-party certifications and audit reports: SAP holds various independent certifications and audit reports that verify our data protection standards. Customers can access these resources on a self-service basis via SAP Trust Center.

  • Contractual safeguards: SAP’s agreements include transparency commitments covering topics such as data processing locations, applicable laws, and government data access requests. These contractual provisions align with EDPB guidance.

When SAP provides products and services that involve transferring personal data from the EU/EEA to third countries—those not recognized under Article 45 of the General Data Protection Regulation as offering adequate protection—SAP relies on the standard contractual clauses issued by the European Commission to legitimize such transfers.