We follow a security policy framework that includes several levels of security documentation, each containing more detail on our global security policy. Key documents include SAP Security Policy, SAP Security Standards, SAP Security Procedure and Directive, and SAP Security Good Practices.

Our security incident response process is described in a document on SAP security concepts and implementation. Read the document.

Customers can report any a security-related issues or suspicious activity to SAP. Learn how to file a report.

Sub-processors are required to follow our security policy. See the list of sub-processors for SAP. Customer login required. 

Regular security awareness training is mandatory for all SAP employees. Additional role-specific training is also provided for some employees.

Redundancy is a system design where a component is duplicated as a backup measure. Reliability improves with the use of multiple redundant sites, which helps ensure that well-designed cloud computing solutions meet business continuity and disaster recovery requirements.

Penetration testing is an authorized simulated cyberattack against a system, performed to evaluate the security of the system by safely trying to exploit vulnerabilities.

Hashing is the use of an algorithm to generate a string of characters from a longer string of numbers or text. The shorter string created is of a fixed length and changes according to variations in input. With a good hashing algorithm, it’s impossible to turn a hash back into its original string.

SQL injection (SQLi) is an attack in which malicious SQL statements are inserted to manipulate the database. They can be inserted as input by the user through the user interface or using a program through the parameter interface from outside. 

Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in Web applications. It includes all vulnerabilities that allow an attacker to inject HTML or JavaScript into the affected Web application's front-end client. In the majority of cases, XSS is due to insecure programming.

Cross-site request forgery (CSRF) is an attack that tricks a victim’s browser into sending a request to a vulnerable Web application, which then performs an undesired action on behalf of the victim. This may include changing credentials, making an illegal purchase, or performing an online financial operation.

SAP security management processes are aligned with ISO 27001/IEC 27035:2011 principles and apply to all cloud personnel around the world. We strive to maintain a high level of protection for all data resources and to reduce the overall threat to computer, technology, and communications services.
 
The objective of our information security policy is to define our goals for management of information security in accordance with business requirements and relevant laws and regulations. This helps ensure that we implement and sustain appropriate levels of security protection such as threat management, penetration testing, and secure development lifecycles. In this way, we can maintain the confidentiality, integrity, and availability of our infrastructure, applications, and information. To learn more about cybersecurity, visit the SAP Cloud Trust Center security page.

All SAP cloud systems are configured to use secure communication in accordance with the protection requirement of the transmitted information. This includes encryption for data in transit and data at rest.

All SAP cloud storage systems processing sensitive data employ data-at-rest encryption.

All sensitive data is encrypted at rest and in transit.

SAP has robust controls and procedures in place for key management. We follow recommendations provided by the National Institute of Standards and Technology (NIST) whenever technically feasible. For symmetric encryption, the key is at least 128 bits. For asymmetric encryption, it is at least 2048 bits.

 
Keys are created and distributed using a secure channel. In addition,  segregation-of-duty rules are maintained in master key creation where the process of key splitting between the master key and key parts is not carried out by different people.

 
Public keys are stored in a central register, while private keys may only be made accessible to a specific user. SAP also has procedures in place to ensure key storage follows confidentiality and integrity principles.

Keys are revoked when they reach the end of their lifetime. In addition, keys are revoked immediately if a key has been compromised or contains incorrect data.

SAP is taking a proactive approach in fixing potential flaws related to Meltdown and Spectre. See details on security, data protection, and privacy at SAP. 

Yes, the cybersecurity team within SAP is responsible for security incident management and vulnerability testing to protect against cyberthreats and cyberattacks.

We issue product supplements, support policies, service level agreements, and data processing agreements based on languages. The agreements do not include country-specific legal details. Other cloud documentation, such as general terms and conditions, contain language specific to laws and requirements for conducting business in individual countries. Accordingly, some agreements are available based on language only, and others are available based on language and country.

SAP supports 14 languages for cloud services. The languages are as follows:  

• Chinese (simplified) 
• Chinese (traditional) 
• English 
• French 
• French (Canada) 
• German 
• Indonesian 
• Italian 
• Japanese
• Korean
• Portuguese (Brazil) 
• Russian (as needed) 
• Spanish
• Turkish

If a country language is not listed, we usually use the English version.

We release some cloud services in fewer languages, due to limited usage of the cloud service, or because the release is a pilot. We may then add other supported languages at a later date.

As a German company, SAP SE follows the General Data Protection Regulation (GDPR). The SAP data protection agreement acts as the legal basis for commissioned data processing and is based on GDPR.

At SAP, we have always viewed the designation of a data protection officer (DPO) as a central part of our data protection strategy. Furthermore, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.

Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.

SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.

Depending on the relevant service, SAP provides evidence to the customer by way of certifications that show compliance with ISO 27001 or other standards such as ISAE3402 and ISAE3000.

SAP has established and implemented a data protection management system (DPMS), based on the British Standards Institution (BSI) standard BS 10012:2017. The DPMS is audited annually by internal and external auditors. Proof of compliance is provided through the certificate and a customer audit report. BS 10012:2017 is a specification for a personal information management system and mandates the implementation of such a system within corporate security programs. It combines SAP data protection guidelines with GDPR in a management-style system. The BSI standard is used as a uniform standard which integrates multiple data protection requirements from different countries.

Yes, we provide the EU Access service from SAP for some of our cloud services. EU Access helps ensure that personal data is stored only in data centers within the European Economic Area, the European Union, and Switzerland. Furthermore, remote access to personal data is restricted to locations within these countries.

Our Intra-Group Data Protection Agreement is based on the European Union (EU) Standard Contractual Clauses. It forms a legally binding agreement between SAP global entities, affiliates, and subsidiaries and provides a lawful mechanism for transferring personal data from the EU and the European Economic Area (EEA). It applies to transfers and processing of personal data, whether internal, external, or on behalf of customers, and provides baseline protection of cross-border personal data transfers. 

As a company based in the EU, we rely on EU Standard Contractual Clauses.

SAP does not acquire ownership or stewardship of the data processed for the customer when it performs services for cloud solutions. 

We are fully committed to complying with all relevant legislation. This includes GDPR and other data protection laws such as the Japan Social Security and Tax Number regulation, the Argentina Personal Data Protection Act, and Canadian privacy laws.

A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. A data processor is an entity which processes personal data on behalf of the controller. The data processor and controller in a cloud environment are the same as within an on-premise environment.

The GDPR is an EU law that went into force on May 25, 2018. The GDPR is a far-reaching and comprehensive regulation that protects the individual rights of data subjects in the EU. GDPR applies to all companies processing personal data of EU-based individuals, regardless of the company’s location.

According to Article 33 of GDPR, "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

SAP has established and implemented a DPMS based on the BSI standard BS 10012:2017. The DPMS is audited annually by internal and external auditors. Proof of compliance is provided through the certificate and a customer audit report. BS 10012:2017 is a specification for a personal information management system and mandates the implementation of such a system within corporate security programs. It combines SAP data protection guidelines with GDPR in a management-style system. The BSI standard is used as a uniform standard which integrates multiple data protection requirements from different countries.

There is no difference between cloud and on-premise solutions when it comes to GDPR. GDPR applies to businesses and their processes. It does not apply to products. Compliance is a result of business processes that meet the requirements of the law. Both cloud and on-premise software can help make those processes happen. Cloud software can be updated more frequently, however, ensuring that the latest functionality and standards are in place.

GDPR applies to all companies processing and holding personal data of EU-based individuals, regardless of the company’s location.

Depending on the violation, companies can expect punitive fines for non-compliance. For example, a company could be fined up to €10 million or 2% of its annual global turnover for issues such as not having its records in order, for failing to notify the supervising authority and data subject about a breach, or for not conducting an impact assessment. More substantial infringements carry heavier penalties of up to €20 million or 4% of an organization's annual revenue, whichever is greater. GDPR applies to every organization that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed. The regulation also applies to every organization that serves the EU and processes personal data of EU-based individuals, but is established elsewhere.

According to the EU GDPR Website (article 37), DPOs must be appointed in the case of public authorities; organizations that engage in large-scale systematic monitoring; or organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO. Note that this is not an exhaustive list and article 37 addresses several other requirements. Local laws may ask for other requirements, including checks for a DPO, so it is always best to check with your legal counsel.

GDPR compliance is an opportunity for businesses of all kinds to re-evaluate their processes and systems, and drive digital transformation. Building compliance into processes and systems during this effort enables readiness for current and future market demands and requirements. For more information, visit the Data Protection and Privacy section of the SAP Cloud Trust Center.

You can learn more about GDPR by visiting the Data Protection and Privacy section of the SAP Cloud Trust Center.

We believe that respecting people's privacy is good for business and we are fully committed to complying with relevant laws and regulations, such as GDPR, to strengthen our customers’ confidence and trust. With over 40 years of leadership in data protection and privacy, we have enabled customers around the world to comply with regulations – long before the introduction of GDPR. Our products and services have data protection and privacy built in by design. This helps our customers address the requirements of GDPR enterprise-wide. 

GDPR Article 4(7) states that a controller is "the natural or legal person, public authority, agency, or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data." 

In general, the controller assumes responsibility for all personal data collected, and must ensure that the rights of the data subject and the controller´s own legal obligations are also covered by the processor.SAP customers are data controllers when they use SAP cloud applications. SAP acts as data processor on behalf of the customer through contracts, such as data protection agreements, service descriptions, or statements of work.

GDPR Article 4(8) states that a processor is "a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller."

In general, this refers to data processing based on the instructions of the data controller, as contracted.As the cloud solution provider for customers and suppliers, SAP is the data processor for customers and suppliers who are data controllers.

Transfers of personal data between the U.S. and EU are based on EU standard contractual clauses (SCCs). According to GDPR, SCCs are approved as appropriate safeguards. This provides a lawful mechanism of transferring personal data outside the EU and EEA and forms a legally binding agreement between SAP global entities that establishes requirements for a baseline protection of personal data.

SAP SE is a German company and is therefore under EU regulation. SAP follows the GDPR regulation introduced by the EU on May 25, 2018. Our Data Privacy Agreement acts as the contract for commissioned data processing and is based on the most current applicable data protection regulation. Each company must consider its own local laws and regulations when conducting business. 

Our Data Privacy Agreement is applicable to all of our data center and processing locations, globally.

Our Intra-Group Data Protection Agreement is based on EU SCCs and forms a legally binding agreement between SAP global entities, affiliates, and subsidiaries. The agreement provides a lawful mechanism for transferring personal data from outside the EU and the EEA. It applies to transfers and processing of personal data, whether internal, external, or on behalf of customers, and provides baseline protection of cross-border personal data transfers. 

We integrate our cloud portfolio into our cloud service status information incrementally, so the service you are looking for may not yet be added.

Cloud service status information provides data on the performance of cloud services across all SAP data centers around the world. This includes details of scheduled maintenance due to service degradation (such as latency or performance issues) through service disruption due to outage or downtime.

By clicking on the icon in the calendar view of the cloud service status screen, you can find the duration of each maintenance event. This also applies to scheduled maintenance. You can find further information on maintenance windows in the service level agreements in the agreements section.

We conduct backups in the form of a disk-to-disk copy, which enables rapid data creation and recovery. In addition to full backups done on a daily basis, we create interim backup versions several times each day. As with all our backups, we archive these at a secondary location for security purposes.

SAP data centers participate in enterprise-wide internal and external ISO 27001 audits that take place annually. Furthermore, our data centers are also an integral part of our SOC 1 (ISAE 3402) and SOC 2 reporting, which takes place twice a year. 

SAP data centers are monitored around the clock with video cameras at every entry point. We use these cameras to record and monitor each access event and log this in our access system for 90 days. 

SAP data centers are monitored around the clock. Single-person access and "mantrap" systems provide access only to authorized individuals. Technicians can enter special rooms using custom-configured ID cards. High-sensitivity areas require authentication by means of biometric scans. Our data centers offer:

• Video monitoring and traceability of access to the premises
• Redundant climate control with environmental monitoring of gas, moisture, heat, and water
• Fire alarms with automatic fire-fighting equipment
• Uninterruptible power supply equipment that is regularly tested against fictional power outages 
• Compliance with recognized industry standards of physical security and reliability, including ISO/IEC 27001:2013, and ISO27000 for facilities and data center operations.

We store your data in one of our many SAP data centers.

Yes, we scan all our public cloud systems – including all Internet-facing systems, such as firewalls, load-balancers, and Web application servers – regularly to evaluate the cybersecurity strength of our cloud infrastructure. 

As part of our continuous validation activities, we regularly carry out both internal and independent vulnerability scans for our public cloud offerings. This enables us to identify, assess, and mitigate known vulnerabilities.

Vulnerability scans are performed regularly. 

All managers are responsible for implementing the security policy within their respective organizations. The central security department, the audit team, and decentralized security units within SAP help managers in this process. Managers are informed about the performance and current implementation status of information security management systems in regular management reviews.

Yes, there is a code of business conduct applicable to all SAP employees.

The SAP security guideline “Global Information Classification and Handling” outlines how information is classified.

Yes, to access SAP certification at any time, visit SAP Cloud Trust Center compliance page.

Yes, SAP possesses several ISO 27001 certificates.

Yes, our compliance with data protection guidelines for personal information is certified by the German Federal Office for Information Security (BSI). To learn more, visit SAP Cloud Trust Center compliance page.

• IT strategy
• Environment and organization
• Logical and physical
• Access controls
• Program development 
• Change management
• Computer operations such as incident management, backup, and monitoring

The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust center criteria (TSPs).

These additional TSPs are:

• Confidentiality
• Integrity
• Availability
• Privacy

The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a service organization, such as those related to security, availability, processing integrity, confidentiality, or privacy. However, the requestors do not require or have the knowledge necessary to make effective use of a SOC 2 report. This report is used for marketing purposes, as well as unrestricted use and distribution.

• Type I:  These reports contain the design of the in-scope controls. The control design is assessed based on a specific date.
• Type II:  These are reports that include testing of the operational effectiveness of in-scope controls. Population samples for each control is tested based on the frequency that the control is tested. Populations are based on a six-month time period.

SAP has obtained the following certifications for its coud solutions: BS10012, C5, CSA Star, ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27018, GxP, PCI DSS, SOC 1, SOC 2, SOC 3 and TISAX. Not all cloud solutions from SAP maintain all of these listed certifications. Please check the Compliance Finder on SAP Cloud Trust Center for the specific availability of certifications for each cloud solution.

All these standards are auditing standards for SOC 1 reports. The standards SAS70 and SSAE 16 are outdated and have been replaced by SSAE 18. SSAE 18 is the auditing standard developed by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is the corresponding international auditing standard developed by the International Auditing and Assurance Standards Board (IAASB). Our SOC 1 reports follow the ISAE 3402 standard but are also aligned to SSAE 18 and cover the differences between SSAE 18 and ISAE 3402.