
Frequently Asked Questions

Search the list below to find answers to frequently asked questions on topics such as cloud data privacy, security, compliance, and agreements.

Cloud Security

How does cloud security differ from on-premise security?

According to security analysts, and contrary to popular belief, cloud security standards are surpassing traditional on-premise security standards. The key security concerns are the same in the cloud and on premise, and include the risk of external attack and of malicious insider activity.

Running on a software-defined infrastructure, cloud solutions enable you to implement security measures at greater scale if you map your existing security controls to those provided in the cloud. Another clear advantage of the cloud is increased agility in addressing security concerns and reduced cost for researching, developing, and deploying new security features throughout the stack.

Do I need to configure security settings for my instance or tenancy, or just rely on SAP?

SAP has put in place a data processing agreement and technical and organizational data-protection measures that provide robust security for every customer instance and tenancy. In addition, customers can configure their own security settings, with options including single sign-on (SSO), multifactor authentication, access control policies and role-based access, and review of the application log.

What is SAP's cloud security strategy?

At SAP, we have a plan-do-check-act approach to security, constantly adjusting to customer needs and to a rapidly changing threat landscape. Our security strategy has three cornerstones: secure products, secure operations, and a secure company. We also have an overarching commitment to transparency.

Have any external parties assessed SAP’s security measures? If yes, where can I find the certificates?

Yes. To find our system and organization controls (SOC) reports, as well as ISO certification details, visit the SAP Cloud Trust Center compliance page.

Security Policy

What are SAP's security policies?

We follow a security policy framework that includes several levels of security documentation, each containing more detail on our global security policy. Key documents include SAP Security Policy, SAP Security Standards, SAP Security Procedure and Directive, and SAP Security Good Practices.

What is SAP's security response process?

Our security incident response process is described in a document on SAP security concepts and implementation. Read the document.

How can I report a security incident or a suspected security issue?

Customers can report any security-related issue or suspicious activity to SAP. Learn how to file a report.

How does SAP handle security requirements for contractors and subcontractors?

Sub-processors are required to follow our security policy. See the list of sub-processors for SAP. Customer login required. 

Do SAP employees participate in ongoing security training?

Regular security awareness training is mandatory for all SAP employees. Additional role-specific training is also provided for some employees.

Cybersecurity

What do these security terms mean?
• Redundancy
• Penetration testing
• Hashing
• SQL injection (SQLi)
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)

Redundancy is a system design in which a component is duplicated as a backup measure. Reliability improves with the use of multiple redundant sites, which helps ensure that well-designed cloud computing solutions meet business continuity and disaster recovery requirements.

Penetration testing is an authorized, simulated cyberattack against a system, performed to evaluate the security of the system by safely trying to exploit vulnerabilities.

Hashing is the use of an algorithm to generate a fixed-length string of characters from an input string of numbers or text. The output changes with any variation in the input. With a good hashing algorithm, it is computationally infeasible to turn a hash back into its original input.

SQL injection (SQLi) is an attack in which malicious SQL statements are inserted into a query to manipulate the database. They can be inserted as input by a user through the user interface, or by an external program through the parameter interface.

Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in Web applications. It includes all vulnerabilities that allow an attacker to inject HTML or JavaScript into the affected Web application's front-end client. In the majority of cases, XSS is due to insecure programming.

Cross-site request forgery (CSRF) is an attack that tricks a victim's browser into sending a request to a vulnerable Web application, which then performs an undesired action on behalf of the victim. This may include changing credentials, making an illegal purchase, or performing an online financial operation.
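As an added illustration of the SQL injection definition above (example code written for this page, not SAP's code), the following Python snippet runs the same user lookup against a constructed in-memory SQLite table, once with the input concatenated into the SQL text and once with it bound as a query parameter, so the difference in how the database treats a crafted input is visible.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement from the raw input: the input becomes part of the SQL text,
    so a quote character in it changes the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Binds the input as a value: the database never parses it as SQL,
    so the query structure is fixed regardless of the input's content."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a benign input and with a constructed crafted input."""
    conn = make_db()
    benign = "alice"
    # Constructed input that closes the string literal and appends an always-true
    # condition; this is the textbook shape of the attack defined on the page.
    crafted = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_crafted": lookup_vulnerable(conn, crafted),     # returns every row
        "param_benign": lookup_parameterized(conn, benign),
        "param_crafted": lookup_parameterized(conn, crafted),  # matches no row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized form is the fix the definition implies: validation of user input helps, but binding values rather than building SQL text is what removes the injection.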

How does SAP protect my information against cyberattacks?

SAP security management processes are aligned with ISO/IEC 27001 and ISO/IEC 27035:2011 principles and apply to all cloud personnel around the world. We strive to maintain a high level of protection for all data resources and to reduce the overall threat to computer, technology, and communications services.

The objective of our information security policy is to define our goals for the management of information security in accordance with business requirements and relevant laws and regulations. This helps ensure that we implement and sustain appropriate levels of security protection, such as threat management, penetration testing, and secure development lifecycles. In this way, we can maintain the confidentiality, integrity, and availability of our infrastructure, applications, and information. To learn more about cybersecurity, visit the SAP Cloud Trust Center security page.

Does SAP encrypt data in transit?

All SAP cloud systems are configured to use secure communication in accordance with the protection requirement of the transmitted information. This includes encryption for data in transit and data at rest.

Does SAP encrypt data at rest?

All SAP cloud storage systems processing sensitive data employ data-at-rest encryption.

Does SAP encrypt all data transmissions, including all server-to-server data transmissions, within data centers?

All sensitive data is encrypted at rest and in transit.

How does SAP manage encryption keys?

SAP has robust controls and procedures in place for key management. We follow recommendations provided by the National Institute of Standards and Technology (NIST) whenever technically feasible. For symmetric encryption, the key is at least 128 bits. For asymmetric encryption, it is at least 2048 bits.

Keys are created and distributed using a secure channel. In addition, segregation-of-duty rules are maintained in master key creation: the process of splitting the master key into key parts is not carried out by a single person.

Public keys are stored in a central register, while private keys may only be made accessible to a specific user. SAP also has procedures in place to ensure that key storage follows confidentiality and integrity principles.

Keys are revoked when they reach the end of their lifetime. In addition, keys are revoked immediately if a key has been compromised or contains incorrect data.

What is SAP's position regarding the Meltdown and Spectre processor vulnerabilities?

SAP is taking a proactive approach in fixing potential flaws related to Meltdown and Spectre. See details on security, data protection, and privacy at SAP. 

Does SAP have a dedicated cybersecurity team?

Yes, the cybersecurity team within SAP is responsible for security incident management and vulnerability testing to protect against cyberthreats and cyberattacks.

Cloud Agreements

Why are countries not listed in cloud services agreements?

We issue product supplements, support policies, service level agreements, and data processing agreements based on language. These agreements do not include country-specific legal details. Other cloud documentation, such as general terms and conditions, contains language specific to the laws and requirements for conducting business in individual countries. Accordingly, some agreements are available based on language only, and others are available based on language and country.

Why is my language not listed in the agreement finder?

SAP supports 14 languages for cloud services. The languages are as follows:  

  • Chinese (simplified) 
  • Chinese (traditional) 
  • English 
  • French 
  • French (Canada) 
  • German 
  • Indonesian 
  • Italian 
  • Japanese
  • Korean
  • Portuguese (Brazil) 
  • Russian (as needed) 
  • Spanish
  • Turkish

If a country's language is not listed, we usually use the English version.

We release some cloud services in fewer languages, due to limited usage of the cloud service, or because the release is a pilot. We may then add other supported languages at a later date.

Cloud Data Protection and Privacy

What regulations are applied to personal data stored and processed in a customer’s cloud subscription?

As a German company, SAP SE follows the General Data Protection Regulation (GDPR). The SAP data protection agreement acts as the legal basis for commissioned data processing and is based on GDPR.

Does SAP have an appointed data protection officer?

At SAP, we have always viewed the designation of a data protection officer (DPO) as a central part of our data protection strategy. Furthermore, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.

How does SAP ensure that sub-processors protect my personal data?

Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.

How does SAP ensure appropriate security for the storage and processing of personal data?

SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.

How does SAP provide evidence of compliance with its TOMs?

Depending on the relevant service, SAP provides evidence to the customer by way of certifications that show compliance with ISO 27001 or other standards such as ISAE3402 and ISAE3000.

Does SAP also hold a specific certificate related to data privacy?

SAP has established and implemented a data protection management system (DPMS), based on the British Standards Institution (BSI) standard BS 10012:2017. The DPMS is audited annually by internal and external auditors. Proof of compliance is provided through the certificate and a customer audit report. BS 10012:2017 is a specification for a personal information management system and mandates the implementation of such a system within corporate security programs. It combines SAP data protection guidelines with GDPR in a management-style system. The BSI standard is used as a uniform standard which integrates multiple data protection requirements from different countries.

Does SAP have regional cloud services?

Yes, we provide the EU Access service from SAP for some of our cloud services. EU Access helps ensure that personal data is stored only in data centers within the European Economic Area, the European Union, and Switzerland. Furthermore, remote access to personal data is restricted to locations within these countries.

What provisions are there for protection of personal data transferred to other countries since the Safe Harbour Decision was deemed invalid by the European Court of Justice in October 2015?

Our Intra-Group Data Protection Agreement is based on the European Union (EU) Standard Contractual Clauses. It forms a legally binding agreement between SAP global entities, affiliates, and subsidiaries and provides a lawful mechanism for transferring personal data from the EU and the European Economic Area (EEA). It applies to transfers and processing of personal data, whether internal, external, or on behalf of customers, and provides baseline protection of cross-border personal data transfers. 

Is SAP certified in accordance with the Privacy Shield Framework for the European Union and the United States?

As a company based in the EU, we rely on EU Standard Contractual Clauses.

Who owns my data?

SAP does not acquire ownership or stewardship of the data processed for the customer when it performs services for cloud solutions. 

Does SAP adhere to region-specific data-protection regulations?

We are fully committed to complying with all relevant legislation. This includes GDPR and other data protection laws such as the Japan Social Security and Tax Number regulation, the Argentina Personal Data Protection Act, and Canadian privacy laws.

Who is the data controller in the cloud environment?

A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. A data processor is an entity which processes personal data on behalf of the controller. The data processor and controller in a cloud environment are the same as within an on-premise environment.

What is GDPR and when will it come into effect?

The GDPR is an EU law that went into force on May 25, 2018. The GDPR is a far-reaching and comprehensive regulation that protects the individual rights of data subjects in the EU. GDPR applies to all companies processing personal data of EU-based individuals, regardless of the company’s location.

What are the rules in case of breach notification under GDPR?

According to Article 33 of GDPR, "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

What are the certifications available that demonstrate GDPR compliance?

SAP has established and implemented a DPMS based on the BSI standard BS 10012:2017. The DPMS is audited annually by internal and external auditors. Proof of compliance is provided through the certificate and a customer audit report. BS 10012:2017 is a specification for a personal information management system and mandates the implementation of such a system within corporate security programs. It combines SAP data protection guidelines with GDPR in a management-style system. The BSI standard is used as a uniform standard which integrates multiple data protection requirements from different countries.

Is there a difference between cloud and on-premise solutions when it comes to GDPR?

There is no difference between cloud and on-premise solutions when it comes to GDPR. GDPR applies to businesses and their processes. It does not apply to products. Compliance is a result of business processes that meet the requirements of the law. Both cloud and on-premise software can help make those processes happen. Cloud software can be updated more frequently, however, ensuring that the latest functionality and standards are in place.

Who must comply with GDPR?

GDPR applies to all companies processing and holding personal data of EU-based individuals, regardless of the company’s location.

What are the penalties for failing to comply with GDPR? Do they apply to the controller or the processor?

Depending on the violation, companies can expect punitive fines for non-compliance. For example, a company could be fined up to €10 million or 2% of its annual global turnover for issues such as not having its records in order, for failing to notify the supervising authority and data subject about a breach, or for not conducting an impact assessment. More substantial infringements carry heavier penalties of up to €20 million or 4% of an organization's annual revenue, whichever is greater. GDPR applies to every organization that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed. The regulation also applies to every organization that serves the EU and processes personal data of EU-based individuals, but is established elsewhere.

Does my company need to designate a data protection officer (DPO) in response to GDPR?

According to the EU GDPR Website (article 37), DPOs must be appointed in the case of public authorities; organizations that engage in large-scale systematic monitoring; or organizations that engage in large-scale processing of sensitive personal data. If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO. Note that this is not an exhaustive list and article 37 addresses several other requirements. Local laws may ask for other requirements, including checks for a DPO, so it is always best to check with your legal counsel.

How do I get started with GDPR?

GDPR compliance is an opportunity for businesses of all kinds to re-evaluate their processes and systems, and drive digital transformation. Building compliance into processes and systems during this effort enables readiness for current and future market demands and requirements. For more information, visit the Data Protection and Privacy section of the SAP Cloud Trust Center.

Where can I learn more about GDPR?

You can learn more about GDPR by visiting the Data Protection and Privacy section of the SAP Cloud Trust Center.

What stance does SAP take on GDPR?

We believe that respecting people's privacy is good for business and we are fully committed to complying with relevant laws and regulations, such as GDPR, to strengthen our customers’ confidence and trust. With over 40 years of leadership in data protection and privacy, we have enabled customers around the world to comply with regulations – long before the introduction of GDPR. Our products and services have data protection and privacy built in by design. This helps our customers address the requirements of GDPR enterprise-wide. 

What are the roles of customers, suppliers, and SAP cloud applications according to GDPR?

GDPR Article 4(7) states that a controller is "the natural or legal person, public authority, agency, or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data."

In general, the controller assumes responsibility for all personal data collected, and must ensure that the rights of the data subject and the controller's own legal obligations are also covered by the processor. SAP customers are data controllers when they use SAP cloud applications. SAP acts as data processor on behalf of the customer through contracts, such as data protection agreements, service descriptions, or statements of work.

GDPR Article 4(8) states that a processor is "a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller."

In general, this refers to data processing based on the instructions of the data controller, as contracted. As the cloud solution provider for customers and suppliers, SAP is the data processor for customers and suppliers, who are data controllers.

How is data transfer secured between the U.S. and EU?

Transfers of personal data between the U.S. and EU are based on EU standard contractual clauses (SCCs). According to GDPR, SCCs are approved as appropriate safeguards. This provides a lawful mechanism of transferring personal data outside the EU and EEA and forms a legally binding agreement between SAP global entities that establishes requirements for a baseline protection of personal data.

What regulations are applied to personal data stored and processed in the customer’s cloud subscription?

SAP SE is a German company and is therefore under EU regulation. SAP follows the GDPR regulation introduced by the EU on May 25, 2018. Our Data Privacy Agreement acts as the contract for commissioned data processing and is based on the most current applicable data protection regulation. Each company must consider its own local laws and regulations when conducting business. 

Is the Data Privacy Agreement based on GDPR only applicable to SAP's European data centers?

Our Data Privacy Agreement is applicable to all of our data center and processing locations, globally.

How does SAP ensure that the level of protection required by the GDPR is also applied to the processing of the personal data when it is transferred outside the EU, the EEA, and Switzerland?

Our Intra-Group Data Protection Agreement is based on EU SCCs and forms a legally binding agreement between SAP global entities, affiliates, and subsidiaries. The agreement provides a lawful mechanism for transferring personal data outside the EU and the EEA. It applies to transfers and processing of personal data, whether internal, external, or on behalf of customers, and provides baseline protection for cross-border personal data transfers.

Cloud Service Status

Why are some cloud services missing in the product selection?

We integrate our cloud portfolio into our cloud service status information incrementally, so the service you are looking for may not yet be added.

What type of uptime and availability information is available for cloud services from SAP?

Cloud service status information provides data on the performance of cloud services across all SAP data centers around the world. This ranges from scheduled maintenance and service degradation (such as latency or performance issues) through to service disruption due to an outage or downtime.

How long does a scheduled maintenance window last?

By clicking on the icon in the calendar view of the cloud service status screen, you can find the duration of each maintenance event. This also applies to scheduled maintenance. You can find further information on maintenance windows in the service level agreements in the agreements section.

Data Center Security

Is there network latency across public and private clouds?

SAP public cloud solutions and their integrations with SAP ERP Central Component (SAP ECC) and S/4HANA are stateless, so network latency is not a major concern.

Is there network latency with solutions that are across multiple data centers?

Network latency depends on various factors, so no precise information can be provided at a general level. For more detail, we recommend involving the SAP technical solution architect who works on this customer case.

At the cloud data center level, if the solutions are in different data centers, can you explain how integration, security, performance, fail over, among others work?

All communication between data centers is encrypted using reasonable industry measures. The details of the implementation vary by solution and data flow. For more information, we recommend involving the SAP technical solution architect who works on this customer case.

What are SAP's backup retention procedures?

We conduct backups in the form of a disk-to-disk copy, which enables rapid backup creation and recovery. In addition to full backups done on a daily basis, we create interim backup versions several times each day. As with all our backups, we archive these at a secondary location for security purposes.

What certification standards do SAP data centers fulfill?

SAP data centers participate in enterprise-wide internal and external ISO 27001 audits that take place annually. Furthermore, our data centers are also an integral part of our SOC 1 (ISAE 3402) and SOC 2 reporting, which takes place twice a year. 

How is access to the data center monitored and logged?

SAP data centers are monitored around the clock with video cameras at every entry point. We use these cameras to record and monitor each access event and log this in our access system for 90 days. 

What are the physical security measures in place for SAP data centers?

SAP data centers are monitored around the clock. Single-person access and "mantrap" systems provide access only to authorized individuals. Technicians can enter special rooms using custom-configured ID cards. High-sensitivity areas require authentication by means of biometric scans. Our data centers offer:

  • Video monitoring and traceability of access to the premises
  • Redundant climate control with environmental monitoring of gas, moisture, heat, and water
  • Fire alarms with automatic fire-fighting equipment
  • Uninterruptible power supply equipment that is regularly tested against simulated power outages
  • Compliance with recognized industry standards of physical security and reliability, including ISO/IEC 27001:2013 and ISO 27000, for facilities and data center operations

In which region or country is my data stored? Where is my backup stored?

We store your data in one of our many SAP data centers.

Penetration Tests and Vulnerability Scans

Does SAP implement penetration tests?

Yes, we scan all our public cloud systems – including all Internet-facing systems, such as firewalls, load-balancers, and Web application servers – regularly to evaluate the cybersecurity strength of our cloud infrastructure. 

Does SAP perform vulnerability scans?

As part of our continuous validation activities, we regularly carry out both internal and independent vulnerability scans for our public cloud offerings. This enables us to identify, assess, and mitigate known vulnerabilities.

How often are the vulnerability scans performed?

Vulnerability scans are performed regularly. 

Guidelines and Audits

Are there any data protection guidelines?

Yes. Data protection guidelines form an element of the SAP security policy, the SAP security standard on data protection, as well as the document "SAP Global Personal Data Protection and Privacy Policy." Our data protection management system consists of data protection work instructions, regulations, and guidelines for all organizations in SAP.

Have processes for compliance with data protection laws and regulations been defined to help ensure the confidentiality and security of customer data?

A wide range of measures helps to ensure the confidentiality of customer and personal data. Current processes and standards for maintaining data protection laws are described in the sections "General Security at SAP" and "Maintaining Confidentiality While Handling Personal Data." Data protection in relation to customer incidents is described in the section "Security in the SAP Digital Business Services Organization."

Are there regular checks to monitor compliance with the SAP security policy?

A wide range of internal ISO 9001 and ISO 27001 audits are conducted to regularly check whether SAP employees adhere to the global policies and standards. This level of compliance with the security policy is monitored thoroughly. All audit activities are centrally organized by the responsible auditing organizations and conducted by certified internal auditors with the support of the central SAP security department.

Does SAP have an information security team that oversees the implementation of the SAP security policy?

All managers are responsible for implementing the security policy within their respective organizations. The central security department, the audit team, and decentralized security units within SAP help managers in this process. Managers are informed about the performance and current implementation status of information security management systems in regular management reviews.

Is there a code of business conduct for employees?

Yes, there is a code of business conduct applicable to all SAP employees.

How are security incidents managed?

Security incidents at SAP are systematically documented and forwarded to the relevant officer. This security incident management process is described in detail in the information in “Protecting Information in Individual Incidents” in both the “General Security at SAP” and “Security in the SAP Digital Business Services Organization” sections.

Does SAP have guidelines on classifying information?

The SAP security guideline “Global Information Classification and Handling” outlines how information is classified.

Is access to customer data restricted to specific employees, and is the distribution of such information prohibited?

Yes. SAP has guidelines and processes that govern access to customer data. In particular, such access is restricted by a dedicated authorization process. See also the SAP security guideline “Information Classification.” This guideline also specifies rules regarding the forwarding or publishing of confidential or sensitive information.

Are there any certificates that are accessible to customers?

Yes. To access SAP certifications at any time, visit the SAP Cloud Trust Center compliance page.

Is there an ISO 27001 certificate for information technology?

Yes, SAP possesses several ISO 27001 certificates.

Is there a specific certificate for data protection?

Yes, our compliance with data protection guidelines for personal information is certified by the German Federal Office for Information Security (BSI). To learn more, visit the SAP Cloud Trust Center compliance page.

Compliance

What is the difference between SOC 1, SOC 2, and SOC 3 reports?

The SOC 1 report covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that are relevant to the customer's internal control over financial reporting (also known as IT general controls).

IT general controls cover:
  • IT strategy
  • Environment and organization
  • Logical and physical access controls
  • Program development
  • Change management
  • Computer operations such as incident management, backup, and monitoring

 

The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that are relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust services principles (TSPs).

 

These additional TSPs are:

  • Confidentiality
  • Integrity
  • Availability
  • Privacy

 

The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a service organization, such as those related to security, availability, processing integrity, confidentiality, or privacy, but who do not need, or lack the knowledge to make effective use of, a SOC 2 report. This report is suitable for marketing purposes and for unrestricted use and distribution.

What is the difference between a type 1 and type 2 report?

SOC 1 and SOC 2 reports can be delivered in two types:

  • Type I: These reports cover the design of the in-scope controls. The control design is assessed as of a specific date.
  • Type II: These reports also include testing of the operating effectiveness of the in-scope controls. Population samples for each control are tested based on the frequency at which the control operates. Populations are based on a six-month period.

Why can't my customer or prospect have an SOC 1 report?

The SOC 1 report is only distributed to customers that were productive and had financially relevant systems during the audit period covered by the report, and that need the report for their financial audits. These customer systems must be properly recorded as such in our various reporting and asset management tools; otherwise, the customer will not be sent the report.

What compliance certifications and attestations are SAP cloud services assessed for?

SAP has obtained the following certifications for its cloud solutions: BS 10012, C5, CSA STAR, ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27018, GxP, PCI DSS, SOC 1, SOC 2, SOC 3, and TISAX. Not all cloud solutions from SAP maintain all of these certifications. Please check the Compliance Finder on the SAP Cloud Trust Center for the specific availability of certifications for each cloud solution.

Does SAP comply with SSAE 16, SSAE 18, SAS70, and ISAE 3402?

All these standards are auditing standards for SOC 1 reports. The standards SAS70 and SSAE 16 are outdated and have been replaced by SSAE 18. SSAE 18 is the auditing standard developed by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is the corresponding international auditing standard developed by the International Auditing and Assurance Standards Board (IAASB). Our SOC 1 reports follow the ISAE 3402 standard but are also aligned to SSAE 18 and cover the differences between SSAE 18 and ISAE 3402.
