As a German company, SAP SE follows the European Union (EU) Privacy Directive and the Federal German Privacy Act. The SAP data protection agreement acts as the legal basis for commissioned data processing and is based on both regulations.
Frequently Asked Questions
Cloud Data Protection and Privacy
What regulations are applied to personal data stored and processed in a customer’s cloud subscription?
Does SAP have an appointed data protection officer?
At SAP, we have always viewed the designation of a data protection officer (DPO) as a central part of our data protection strategy. Furthermore, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.
Is the SAP data protection agreement applicable only to your data center in Europe?
The SAP data protection agreement and treatment of personal data is applicable globally to all SAP data center and processing locations.
How does SAP ensure that sub-processors protect my personal data?
Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.
How does SAP ensure appropriate security for the storage and processing of personal data?
SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.
How does SAP provide evidence of compliance with its TOMs?
Depending on the relevant service, SAP provides evidence to the customer by way of certifications that show compliance with ISO 27001 or other standards such as ISAE3402 and ISAE3000.
Does SAP also hold a specific certificate related to data privacy?
SAP has established and implemented a data protection management system (DPMS), based on the British Standard BS 10012:2009. The DPMS is audited annually by internal and external auditors. Evidence is provided through the certificate and a customer audit report.
Does SAP have regional cloud services?
Yes, we provide the EU Access service from SAP for some of our cloud services. EU Access helps ensure that personal data is stored only in data centers within the European Economic Area, the European Union, and Switzerland. Furthermore, remote access to personal data is restricted to locations within these countries.
Data Center Security
Is there network latency across public and private clouds?
Is there network latency with solutions that are across multiple data centers?
At the cloud data center level, if the solutions are in different data centers, can you explain how integration, security, performance, failover, amonng others work?
Guidelines and Audits
Are there any data protection guidelines?
Have processes for maintaining data protection laws and regulations been defined to help ensure the confidentiality and security of customer data?
Are there regular checks to monitor compliance with the SAP security policy?
Does SAP have an information security team that oversees the implementation of the SAP security policy?
Is there a code of business conduct that outlines general codes of conduct for employees?
How are security incidents managed?
Does SAP have a guideline on classifying information?
Is access to customer data restricted to specific employees, and is the distribution of such information prohibited?
Is there an ISO 27001 certificate for information technology?
Is there a specific certificate for data protection?
What is the difference between a SOC 1, SOC 2, and SOC 3 reporting?
- IT strategy
- Environment and organization
- Logical and physical
- Access controls
- Program development
- Change management
- Computer operations such as incident management, backup, and monitoring
The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust center criteria (TSPs).
These additional TSPs are:
The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a service organization, such as those related to security, availability, processing integrity, confidentiality, or privacy. However, the requestors do not require or have the knowledge necessary to make effective use of a SOC 2 report. This report is used for marketing purposes, as well as unrestricted use and distribution.
What is the difference between a type 1 and type 2 report?
- Type I: These reports contain the design of the in-scope controls. The control design is assessed based on a specific date.
- Type II: These are reports that include testing of the operational effectiveness of in-scope controls. Population samples for each control is tested based on the frequency that the control is tested. Populations are based on a six-month time period.