The scope of this SOC report includes the SAP Cloud Platform services hosted in SAP SE's data centers St. Leon–Rot, Germany as well as in the co-location data centers in Sydney (Australia) and Ashburn (Virginia, USA)
SAP Cloud Platform is the SAP Business Application platform-as-a-Service (PaaS) offering, powered by SAP HANA®. As an essential part of SAP’s cloud strategy, it enables SAP and its partners and customers to develop, deploy, run, operate, and use applications in a cloud environment.
The cloud platform is built for enabling interoperability through openness and at the same time ensuring security and integrity required by applications operating in a distributed network environment.
SAP Cloud Platform is a multitenant public cloud offering which allows application providers, including SAP itself, to build lightweight, collaborative, network-oriented applications to complement and extend existing SAP solutions.
Additionally, SAP provides and operates Software-as-a-Service (SaaS) solutions on SAP Cloud Platform. Those also leverage the SAP Cloud Platform management system and operational controls. Therefore, everywhere in the document, where referred to SAP Cloud Platform, is meant all services, tools, applications, SaaS solutions, part of or running on SAP Cloud Platform, described in the chapter Technical Overview.
SAP Cloud Platform is a product implemented by SAP, and as such, it uses the Innovation Cycle framework for product and solution creation, certified with ISO-9001.
SOC1 reports specifically address service organizations internal control over financial reporting and controls specified by the service provider. The SOC1 reports are intended solely for the information and use of existing user entities (for ex. Exiting customers of the service organization), their financial statement auditors and management of the service organization. SOC 1 reports are prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No.16, a new guidance that the auditors use to conduct a SOC1 engagement. SOC1 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC1 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.
SAP Cloud Platform has regularly prepared SOC1 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. May 2016 to 31. October 2016, the location St. Leon–Rot, Germany as well as in the co-location data centers in Sydney (Australia) and Ashburn (Virginia, USA).
The use of these reports is restricted. A copy of this report is available for all SAP Cloud Platform customers who had productive and had financially-relevant systems during the audit period covered by the report.