SAP Trust Center: FAQs

Search the list below to find answers to frequently asked questions on topics such as cloud data privacy, security, compliance, and agreements.

Cloud Security

What is unique to cloud security? How does it differ from on-premise security?

According to security analysts (and contrary to popular belief), cloud security surpasses traditional on-premise security. The fundamental concerns from a security point of view (for example, external attack or malicious insider risk) do not change when moving to the cloud.

 

Working on a software-defined infrastructure, the cloud allows security implementation at a greater scale if you map your existing security controls to the ones provided in the cloud. Another clear advantage is better agility to address security concerns and lower the cost to research, develop, and deploy new security features throughout the stack.

Do I need to secure my instance and tenant, or just rely on SAP?

SAP's data processing agreement (DPA) lists, in appendix 2, the technical and organizational measures (TOMs) applied to the processing of customer data in order to secure the delivery environment of the customer's tenant and instance. For more information, please refer to the SAP Data Processing Agreement found on the agreements page.

 

The customer is responsible for the content of its data and for entering it into the cloud service. This includes the security-related configuration of the customer's own tenant/instance. It is up to the customer to decide how to implement controls such as single sign-on (SSO), multi-factor authentication, access control policies and role-based access, review of application logs, and so on.

What is SAP's cloud security strategy?

At SAP, we have a "plan, do, check, act" approach to security, constantly adjusting to customer needs and to a rapidly changing threat landscape. Our security strategy has three cornerstones (secure products, secure operations, and a secure company) and an overarching commitment to transparency.

Have any external parties assessed SAP’s security measures? If yes, where can I find the certificates?

Yes. ISO certifications can be downloaded and attestation reports can be requested on the SAP Trust Center compliance page.

Cybersecurity

How does SAP protect my information against cyber-attacks?

As a good industry practice, SAP defines its security goals and objectives through its security policy framework. This framework is the fundamental basis for defining the security level at which SAP operates; it consists of multiple layers that target different groups and satisfy different needs. The security policy framework at SAP serves as the central guideline for the secure delivery of SAP cloud services.

The security information and event management (SIEM) systems at SAP alert on, monitor, analyze, and verify potential security attacks and technical disruptions of SAP's cloud and corporate environments.
 
For further information on cybersecurity management at SAP, please refer to our brochure "Data Privacy and Cybersecurity."

Does SAP encrypt data in transit?

All Customer Data processed in Cloud solutions by SAP is classified as “Confidential” per SAP’s data classification standard, unless it is made visible to the public by the Customer using tools in the applicable Cloud solution. The handling of data classified as “Confidential” includes, in addition to other protection measures, encryption for transfer outside the SAP network.

All SAP Cloud systems are configured to use secure communication in accordance with the protection requirement of the transmitted information. This includes encryption for data in transit and data at rest. For further information on SAP's Cybersecurity Management, refer to SAP's brochure "Data Privacy and Cybersecurity".

Does SAP encrypt data at rest?

All sensitive data is encrypted at rest (during production and backup) by application, database, or hardware-encrypted storage systems. Implementation depends on the cloud service architecture. Some cloud services may not encrypt data with the default configuration. For further information on SAP's Cybersecurity Management, refer to SAP's brochure "Data Privacy and Cybersecurity".

How does SAP manage encryption keys?

For secure communication and strong encryption methods and keys, SAP uses at least a 128-bit symmetric key or a 2,048-bit asymmetric key, as well as strong and internationally recognized cryptographic algorithms.
 
For secure storage, the encryption key is stored on the service processor or an external key management server.

What is SAP's position regarding the Meltdown and Spectre processor vulnerabilities?

SAP is taking a proactive approach in fixing potential flaws related to Meltdown and Spectre. See details on our security issue management page.

Does SAP have a dedicated cybersecurity team?

Yes. The cybersecurity team within SAP is responsible for security incident management and vulnerability testing to protect against cyberthreats and cyber-attacks.

Guidelines and Audits

Are there any data protection guidelines?

Yes. SAP's global data protection and privacy policy outlines a standard for handling personal data. It defines the requirements for processing and accessing personal data, establishes clear responsibilities and organizational structures.
 
Refer to the SAP Trust Center privacy page for more details.

Is there a code of business conduct that outlines general codes of conduct for employees?

Yes. These rules are outlined in the code of business conduct applicable to all SAP employees. Read the code of business conduct for more details.

Does SAP have a guideline on classifying information?

SAP has a security policy framework that consists of several levels of security documents, each of which contains more details and references to the global security policy at SAP. This framework also contains a global standard on how information is classified and handled when processed within SAP's infrastructure.

 

For further information on SAP's security policy framework, refer to our brochure "Data Privacy and Cybersecurity."

Is access to customer data restricted to specific employees, and is the distribution of such information prohibited?

Yes. Only persons who are entitled to use data processing systems gain access to customer data, and only to the customer data that they have a right to access. Customer data must not be read, copied, modified, or removed without authorization in the course of processing, use, and storage.

 

For details, please refer to appendix 2 of the data processing agreement.

Are there any certificates that customers can access?

Customers can access SAP’s certifications at any time on the compliance area of the SAP Trust Center site.

Is there an ISO 27001 certificate for security and compliance?

Yes. You can access and check the availability on the compliance finder.

Is there a SOC report for security and compliance?

Yes. Access and check the availability for SOC 1 reports and SOC 2 reports.

Is there a BS 10012:2017 (data protection management system) certificate for data protection?

Yes. To access and check the availability, please see here.

Is there an ISO 27018 certificate for data protection?

Yes, to access and check the availability for an ISO 27018 certificate for data protection, refer to the compliance finder.

Are there regular checks to monitor compliance with the SAP security policy?

Yes. SAP regularly checks compliance through external reviews and audits and follows one common framework, including data security and privacy regulations, worldwide.

 

For evidence, please check the latest certificates and reports on the compliance page.

Has SAP had any external parties assess its security? If so, where can I find the certificates?

Yes. ISO certification can be downloaded and an attestation report requested here.

Penetration Tests and Vulnerability Scans

Does SAP implement penetration tests?

SAP engages independent testers to check for security issues in SAP applications. Recurring application penetration testing is executed frequently for public cloud services, confirming the applications’ resistance against known vulnerabilities in Web-based services.
 
For further information on independent penetration testing, please refer to SAP's brochure "Data Privacy and Cybersecurity."

Does SAP perform vulnerability scans?

Vulnerability scans are performed on a regular basis to ensure controls are met in compliance and certification audits.

Security Policy

Do SAP employees participate in ongoing security training?

Security awareness and regular training are mandatory for all SAP employees. Additional training applies to employees in specific roles.

What are SAP's security policies?

As an industry good practice, SAP defines its security goals and objectives via the SAP Security Policy Framework. This framework is the fundamental basis for defining the security level at which SAP operates; it consists of multiple layers targeting different groups and satisfying different needs. The Security Policy Framework at SAP serves as the central guideline for the secure delivery of SAP cloud services.

How does SAP handle security requirements for sub-processors?

SAP has a selection process by which it evaluates the security, privacy, and confidentiality practices of a proposed sub-processor with regard to data handling. A data protection agreement (such as a master data protection agreement), similar to the data processing agreement between SAP (data processor) and the customer (data controller), is executed with all sub-processors.

Sub-processors are required to follow our security policy. See the list of sub-processors for SAP (a customer login is required).

Are there regular checks to monitor compliance with the SAP security policy?

A wide range of internal ISO 9001 and ISO 27001 audits are conducted to regularly check whether SAP employees adhere to the global policies and standards. This level of compliance with the security policy is monitored thoroughly. All audit activities are centrally organized by the responsible auditing organizations and conducted by certified internal auditors with the support of the central SAP security department.

Is access to customer data restricted to specific employees, and is the distribution of such information prohibited?

Yes. SAP has guidelines and processes that govern access to customer data. In particular, such access is restricted by a dedicated authorization process. See also the SAP security guideline “Information Classification.” This guideline also specifies rules regarding the forwarding or publishing of confidential or sensitive information.

Does SAP have guidelines on classifying information?

The SAP security guideline “Global Information Classification and Handling” outlines how information is classified.

Security Incident

How can I report a security incident or suspected security issue?

You can report a security related issue or suspicious activities to SAP on the SAP Trust Center security issue management page.

How are security incidents managed?

SAP has a security incident management process aligned with ISO/IEC 27035 principles. Security incidents are monitored and tracked by security specialists, through defined communication channels, until resolved.

 

The security incident management process is described in the document “Protecting Information in Individual Incidents,” in both the “General Security at SAP” and "Security in the SAP Digital Business Services Organization” sections.

Security Response

What is SAP's security response process?

SAP has a security incident response process in place. For details please see the cloud services document or read this brief on SAP security concepts and implementation.

Compliance

What is the difference between a SOC 1, SOC 2, and SOC 3 reporting?

The SOC 1 report follows the ISAE 3402 and SSAE 18 standards on auditing engagements and covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that is relevant to the customer's internal control over financial reporting. The use of the SOC 1 report is restricted. It can only be shared with customers with a valid contract and productive system with regard to the cloud solution and audit period covered by the requested report.
 
The SOC 2 report follows the auditing standards ISAE 3000 and AT-C Sections 105 and 205. It provides the management of a service organization, customers and others with information about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. The SOC 2 report can be shared with customers and prospects under non-disclosure agreement (NDA).
 
The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a service organization, such as those related to security, availability, processing integrity, confidentiality, or privacy, but who do not require, or lack the knowledge necessary to make effective use of, a SOC 2 report. This report's use is unrestricted.

What is the difference between a type 1 and type 2 report?

SOC 1 and SOC 2 reports can be delivered in two types:
 
  • Type I: These reports cover the design of the in-scope controls. The control design is assessed as of a specific date.
  • Type II: These reports also include testing of the operating effectiveness of the in-scope controls. Samples from the population for each control are tested, with the sample size based on the frequency of the control. Populations are based on a six-month period.

Does SAP comply with SSAE 16, SSAE 18, SAS70, and ISAE 3402?

All these standards are auditing standards for SOC 1 reports. The standards SAS70 and SSAE 16 are outdated and have been replaced by SSAE 18. SSAE 18 is the auditing standard developed by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is the corresponding international auditing standard developed by the International Auditing and Assurance Standards Board (IAASB). Our SOC 1 reports follow the ISAE 3402 standard but are also aligned to SSAE 18.

Are there any certificates that are accessible to customers?

Yes, find all available certificates on the SAP Trust Center compliance page.

Is there an ISO 27001 certificate for information technology?

Yes, SAP possesses several ISO 27001 certificates and you can find them on the Compliance document finder.

Is there a specific certificate for data protection?

Yes, our compliance with data protection guidelines for personal information is certified by the British Standards Institution (BSI Group). To learn more about the BS10012 certification, access the SAP Trust Center compliance page.

Cloud Agreements

Why are countries not listed in cloud services agreements?

We issue product supplements, support policies, service level agreements, and data processing agreements based on languages. The agreements do not include country-specific legal details. Other cloud documentation, such as general terms and conditions, contain language specific to laws and requirements for conducting business in individual countries. Accordingly, some agreements are available based on language only, and others are available based on language and country.

Why is my language not listed in the agreement finder?

SAP supports 14 languages for cloud services. The languages are as follows:  

  • Chinese (simplified) 
  • Chinese (traditional) 
  • English 
  • French 
  • French (Canada) 
  • German 
  • Indonesian 
  • Italian 
  • Japanese
  • Korean
  • Portuguese (Brazil) 
  • Russian (as needed) 
  • Spanish
  • Turkish

If a country's language is not listed, we usually use the English version.

 

We release some cloud services in fewer languages, due to limited usage of the cloud service, or because the release is a pilot. We may then add other supported languages at a later date.

Data Protection and Privacy

What regulations are applied to personal data stored and processed in a customer’s cloud subscription?

As a German company, SAP SE follows the General Data Protection Regulation (GDPR). The SAP data protection agreement acts as the legal basis for commissioned data processing and is based on GDPR.

Does SAP have an appointed data protection officer?

At SAP, we have always viewed the designation of a data protection officer (DPO) as a central part of our data protection strategy. Furthermore, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.

How does SAP ensure that sub-processors protect my personal data?

Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.

How does SAP ensure appropriate security for the storage and processing of personal data?

SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.

How does SAP provide evidence of compliance with its TOMs?

Depending on the relevant service, SAP provides evidence to the customer by way of certifications that show compliance with ISO 27001 or other standards such as ISAE 3402 and ISAE 3000.

Does SAP also hold a specific certificate related to data privacy?

SAP has established and implemented a data protection management system (DPMS), based on the British Standards Institution (BSI) standard BS 10012:2017. The DPMS is audited annually by internal and external auditors. Proof of compliance is provided through the certificate and a customer audit report. BS 10012:2017 is a specification for a personal information management system and mandates the implementation of such a system within corporate security programs. It combines SAP data protection guidelines with GDPR in a management-style system. The BSI standard is used as a uniform standard which integrates multiple data protection requirements from different countries.

What provisions are there for protection of personal data transferred to other countries since the Safe Harbour Decision was deemed invalid by the European Court of Justice in October 2015?

Our Intra-Group Data Protection Agreement is based on the European Union (EU) Standard Contractual Clauses. It forms a legally binding agreement between SAP global entities, affiliates, and subsidiaries and provides a lawful mechanism for transferring personal data from the EU and the European Economic Area (EEA). It applies to transfers and processing of personal data, whether internal, external, or on behalf of customers, and provides baseline protection of cross-border personal data transfers. 

Is SAP certified in accordance with the Privacy Shield Framework for the European Union and the United States?

As a company based in the EU, we rely on EU Standard Contractual Clauses.

Who owns my data?

SAP does not acquire ownership or stewardship of the data processed for the customer when it performs services for cloud solutions. 

Does SAP adhere to region-specific data-protection regulations?

We are fully committed to complying with all relevant legislation. This includes GDPR and other data protection laws such as the Japan Social Security and Tax Number regulation, the Argentina Personal Data Protection Act, Canadian privacy laws, and the more recent California Consumer Privacy Act.

What is GDPR?

The GDPR is an EU law that went into force on May 25, 2018. The GDPR is a far-reaching and comprehensive regulation that protects the individual rights of data subjects in the EU. GDPR applies to all companies processing personal data of EU-based individuals, regardless of the company’s location.

What are the rules in case of breach notification under GDPR?

According to Article 33 of GDPR, "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

What are the certifications available that demonstrate GDPR compliance?

SAP has established and implemented a DPMS based on the BSI standard BS 10012:2017. The DPMS is audited annually by internal and external auditors. Proof of compliance is provided through the certificate and a customer audit report. BS 10012:2017 is a specification for a personal information management system and mandates the implementation of such a system within corporate security programs. It combines SAP data protection guidelines with GDPR in a management-style system. The BSI standard is used as a uniform standard which integrates multiple data protection requirements from different countries.

Is there a difference between cloud and on-premise requirements when it comes to GDPR?

There is no difference between cloud and on-premise requirements when it comes to GDPR. GDPR applies to businesses and their processes. It does not apply to products. Compliance is a result of business processes that meet the requirements of the law. Both cloud and on-premise software can help make those processes happen. Cloud software can be updated more frequently, however, ensuring that the latest functionality and standards are in place.

Who must comply with GDPR?

GDPR applies to all companies processing and holding personal data of EU-based individuals, regardless of the company’s location.

What are the penalties for failing to comply with GDPR? Do they apply to the controller or the processor?

Depending on the violation, companies can expect punitive fines for non-compliance. For example, a company could be fined up to €10 million or 2% of its annual global turnover for issues such as not having its records in order, for failing to notify the supervising authority and data subject about a breach, or for not conducting an impact assessment. More substantial infringements carry heavier penalties of up to €20 million or 4% of an organization's annual revenue, whichever is greater. GDPR applies to every organization that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed. The regulation also applies to every organization that serves the EU and processes personal data of EU-based individuals, but is established elsewhere.

Does my company need to designate a data protection officer (DPO) in response to GDPR?

According to the EU GDPR Website (article 37), DPOs must be appointed in the case of public authorities; organizations that engage in large-scale systematic monitoring; or organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO. Note that this is not an exhaustive list and article 37 addresses several other requirements. Local laws may ask for other requirements, including checks for a DPO, so it is always best to check with your legal counsel.

How do I get started with GDPR?

GDPR compliance is an opportunity for businesses of all kinds to re-evaluate their processes and systems, and drive digital transformation. Building compliance into processes and systems during this effort enables readiness for current and future market demands and requirements. For more information, visit the Data Protection and Privacy section of the SAP Trust Center.

Where can I learn more about GDPR?

You can learn more about GDPR by visiting the Data Protection and Privacy page on the SAP Trust Center.

What stance does SAP take on GDPR?

We believe that respecting people's privacy is good for business and we are fully committed to complying with relevant laws and regulations, such as GDPR, to strengthen our customers’ confidence and trust. With over 40 years of leadership in data protection and privacy, we have enabled customers around the world to comply with regulations – long before the introduction of GDPR. Our products and services have data protection and privacy built in by design. This helps our customers address the requirements of GDPR enterprise-wide. 

What are the roles of customers, suppliers, and SAP cloud applications according to GDPR?

GDPR Article 4(7) states that a controller is "the natural or legal person, public authority, agency, or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data." 


In general, the data controller assumes responsibility for all personal data collected and must ensure that the rights of the data subject and the data controller's own legal obligations are also covered by the data processor. SAP customers are data controllers when they use SAP cloud applications. SAP acts as data processor on behalf of the customer through contracts, such as data protection agreements, service descriptions, or statements of work.


GDPR Article 4(8) states that a processor is "a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller."


In general, this refers to data processing based on the instructions of the data controller, as contracted. As the cloud solution provider for customers and suppliers, SAP is the data processor for customers and suppliers who are data controllers.

How is data transfer secured between the U.S. and EU?

Transfers of personal data between the U.S. and EU are based on EU standard contractual clauses (SCCs). According to GDPR, SCCs are approved as appropriate safeguards. This provides a lawful mechanism of transferring personal data outside the EU and EEA and forms a legally binding agreement between SAP global entities that establishes requirements for a baseline protection of personal data.

What regulations are applied to personal data stored and processed in the customer’s cloud subscription?

SAP SE is a German company and is therefore under EU regulation. SAP follows the GDPR regulation introduced by the EU on May 25, 2018. Our Data Privacy Agreement acts as the contract for commissioned data processing and is based on the most current applicable data protection regulation. Each company must consider its own local laws and regulations when conducting business. 

Is the Data Privacy Agreement based on GDPR only applicable to SAP's European data centers?

Our Data Privacy Agreement is applicable to all of our data center and processing locations, globally.

How does SAP ensure that the level of protection required by the GDPR is also applied to the processing of the personal data when it is transferred outside the EU, the EEA, and Switzerland?

Our Intra-Group Data Protection Agreement is based on EU SCCs and forms a legally binding agreement between SAP global entities, affiliates, and subsidiaries. The agreement provides a lawful mechanism for transferring personal data from outside the EU and the EEA. It applies to transfers and processing of personal data, whether internal, external, or on behalf of customers, and provides baseline protection of cross-border personal data transfers. 

Are there any data protection guidelines?

Yes. Data protection guidelines form an element of the SAP security policy, the SAP security standard on data protection, as well as the document "SAP Global Personal Data Protection and Privacy Policy." Our data protection management system consists of data protection work instructions, regulations, and guidelines for all organizations in SAP.

Have processes for compliance with data protection laws and regulations been defined to help ensure the confidentiality and security of customer data?

A wide range of measures helps to ensure the confidentiality of customer and personal data. Current processes and standards for maintaining data protection laws are described in the section “General Security at SAP” and “Maintaining Confidentiality While Handling Personal Data." Data protection in relation to customer incidents is described in the section “Security in the SAP Digital Business Services Organization.”

Data Center Security

Is there network latency across public and private clouds?

SAP public cloud solutions and their integrations with SAP ERP Central Component (SAP ECC) and S/4HANA are stateless; as such, network latency is not a major concern.

Is there network latency with solutions that are across multiple data centers?

Network latency depends on various factors, so no precise information can be provided at a general level. For more detail, we recommend involving the SAP technical solution architect who works with your customer case.

At the cloud data center level, if the solutions are in different data centers, can you explain how integration, security, performance, fail over, among others work?

All communication between Data Centers is encrypted by reasonable industry measures. The detail of implementation varies by solution and data flow. For more information, we recommend you involve the SAP technical solution architect who works with this customer case.

What are SAP's backup retention procedures?

We conduct backups in the form of a disk-to-disk copy, which enables rapid data creation and recovery. In addition to full backups done on a daily basis, we create interim backup versions several times each day. As with all our backups, we archive these at a secondary location for security purposes.

What certification standards do SAP data centers fulfill?

Data centers are certified by ISO 27001, PCI-DSS compliance, and/or SOC audits. For an overview of SAP Cloud Data Centers and related information, please visit the SAP Trust Center data center page. 

How is access to the data center monitored and logged?

SAP data centers are monitored around the clock with video cameras at every entry point. We use these cameras to record and monitor each access event and log this in our access system for 90 days. 

What are the physical security measures in place for SAP data centers?

SAP data centers are monitored around the clock. Single-person access and "mantrap" systems provide access only to authorized individuals. Technicians can enter special rooms using custom-configured ID cards. High-sensitivity areas require authentication by means of biometric scans. Our data centers offer:

  • Video monitoring and traceability of access to the premises
  • Redundant climate control with environmental monitoring of gas, moisture, heat, and water
  • Fire alarms with automatic fire-fighting equipment
  • Uninterruptible power supply equipment that is regularly tested against simulated power outages
  • Compliance with recognized industry standards of physical security and reliability, including ISO/IEC 27001:2013 and the ISO 27000 series, for facilities and data center operations

In which region or country is my data stored? Where is my backup stored?

We store your data in one of our many SAP data centers.

Cloud Status

Why are some cloud services missing in the product selection?

We integrate our cloud portfolio into our cloud service status information incrementally, so the service you are looking for may not yet be added.

What type of uptime and availability information is available for cloud services from SAP?

Cloud service status information provides data on the performance of cloud services across all SAP data centers around the world. This ranges from details of scheduled maintenance and service degradation (such as latency or performance issues) through to service disruption due to outage or downtime.

How long does a scheduled maintenance window last?

By clicking on the icon in the calendar view of the cloud service status screen, you can find the duration of each maintenance event. This also applies to scheduled maintenance. You can find further information on maintenance windows in the service level agreements in the agreements section.
