SAP Cloud Infrastructure SOC 2 Audit Report 2024 H1
SAP Cloud Infrastructure (SCI) spearheads SAP’s 4+1 strategy and supports the adoption and governance of all services deployed as part of SAP’s Cloud Infrastructure Strategy. Specifically, this refers to the management of public cloud hyperscalers and SAP’s internal IaaS known as SAP Converged Cloud.
SAP Converged Cloud
Converged Cloud is SAP’s standardized Infrastructure as a Service (IaaS) offering to support all of SAP’s cloud business on a global scale. SAP Converged Cloud provides access to a vendor-agnostic hardware infrastructure architecture as well as infrastructure orchestration and automation services in all SAP. With SAP Converged Cloud, it is possible to deploy applications into data centers without needing to deploy a solution-specific infrastructure stack (the application infrastructure) beforehand.
The SAP Converged Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
Data Center Location | DC Provider |
United Arab Emirates: Dubai | Co-Location Provider |
Australia: Sydney | Co-Location Provider |
China: Shanghai | Co-Location Provider |
Japan: Tokyo | Co-Location Provider |
Japan: Osaka | Co-Location Provider |
Saudi Arabia: Riyadh | Co-Location Provider |
Saudi Arabia: Dammam | Co-Location Provider |
Germany: St. Leon-Rot | SAP |
Germany: Walldorf | SAP |
Germany: Frankfurt | Co-Location Provider |
Netherlands: Amsterdam | Co-Location Provider |
Brazil: São Paulo | Co-Location Provider |
Canada: Toronto | Co-Location Provider |
USA: Ashburn, VA | Digital Realty |
USA: Newtown Square, PA | SAP |
USA: Sterling, VA | Cyxtera (ex CenturyLink) |
USA: Colorado Springs, CO | SAP |
USA: Chandler, AZ | Internap (Digital Realty) |
SAP Multi Cloud
The SAP Multi Cloud organization provides a ‘platform of enablement’ for Lines of Business (LoB) in the public cloud, providing costing services such as billing and cost optimization, architecture consultation and application design and security safeguards, tool engineering to automate and expand services offerings and hyperscaler operational support.
The SAP Multi Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
| DC Locations | DC Providers |
USA: N. Virginia | AWS |
USA: NS2 Federal Civilian | AWS |
USA: NS2 DoD | AWS |
Ireland | AWS |
Canada: Central | AWS |
Singapore | AWS |
South Korea: Seoul | AWS |
Japan: Osaka | AWS |
France: Paris | AWS |
Sweden: Stockholm | AWS |
China: Beijing | AWS |
USA: N. California | AWS |
Bahrain | AWS |
UAE | AWS |
Germany: Frankfurt | AWS |
Spain | AWS |
China: Hong Kong | AWS |
Italy: Milan | AWS |
Indonesia: Jakarta | AWS |
Israel: Tel Aviv | AWS |
UK: London | AWS |
India: Mumbai | AWS |
China: Ningxia | AWS |
USA: Ohio | AWS |
Brazil: São Paulo | AWS |
South Africa: Cape Town | AWS |
Australia: Sydney | AWS |
Japan: Tokyo | AWS |
India: Hyderabad | AWS |
USA | AWS |
USA: Oregon | AWS |
Australia: Melbourne | AWS |
Switzerland: Zurich | AWS |
Australia: Sydney | AWS |
Canada: Montreal | AWS |
Australia: Sydney | AWS |
United Kingdom: London | AWS |
Australia: Sydney | Azure |
Australia: Sydney | Azure |
Poland: Warsaw | Azure |
USA: California | Azure |
USA: Virginia | Azure |
USA: Virginia | Azure |
USA: Iowa | Azure |
USA: Illinois | Azure |
USA: Texas | Azure |
USA: West Central | Azure |
USA: Quincy, WA | Azure |
USA: Virginia | Azure |
USA: Iowa | Azure |
USA: DoD East | Azure |
USA: DoD Central | Azure |
Canada: Quebec City | Azure |
Canada: Toronto | Azure |
Brazil: São Paulo | Azure |
USA: Arizona | Azure |
USA: Texas | Azure |
Ireland: Dublin | Azure |
Netherlands: Amsterdam | Azure |
Germany: Magdeburg | Azure |
UK: Cardiff | Azure |
UK: London | Azure |
France: Paris | Azure |
France: Marseille | Azure |
Singapore | Azure |
China: Hong Kong | Azure |
Australia: New South Wales | Azure |
Australia: Victoria | Azure |
China: Shanghai | Azure |
China: Beijing | Azure |
India: Pune | Azure |
India: Mumbai | Azure |
India: Chennai | Azure |
Japan: Tokyo | Azure |
Japan: Osaka | Azure |
South Korea: Seoul | Azure |
Sout Korea: Busan | Azure |
South Africa: Cape Town | Azure |
South Africa: Johannesburg | Azure |
Australia: Canberra | Azure |
Australia: Canberra | Azure |
China: Shanghai | Azure |
China: Beijing | Azure |
United Arab Emirates: Abu Dhabi | Azure |
United Arab Emirates: Dubai | Azure |
Germany: North | Azure |
Germany: Frankfurt | Azure |
Switzerland: Zürich | Azure |
Switzerland: Geneva | Azure |
Norway: Oslo | Azure |
Norway: Stavanger | Azure |
Sweden: Staffanstorp | Azure |
Sweden: Gävle | Azure |
Brazil: Rio de Janeiro | Azure |
Qatar: Doha | Azure |
USA: Arizona | Azure |
China: Hebei | Azure |
China: Jiangsu | Azure |
Israel | Azure |
Italy: Milan | Azure |
Israel: Tel Aviv | GCP |
USA: Council Bluffs, IA | GCP |
USA: The Dalles, OR | GCP |
USA: Ashburn, VA | GCP |
USA: Moncks Corner, SC | GCP |
Belgium: St. Ghislain | GCP |
UK: London | GCP |
Singapore: Jurong West | GCP |
Taiwan: Changhua County | GCP |
Japan: Tokyo | GCP |
Australia: Sydney | GCP |
Germany: Frankfurt | GCP |
USA: Los Angeles, CA | GCP |
Canada: Montreal | GCP |
China: Hong Kong | GCP |
India: Mumbai | GCP |
Finland: Hamina | GCP |
Netherlands: Eemshaven | GCP |
Brazil: São Paulo | GCP |
Japan: Osaka | GCP |
Switzerland: Zürich | GCP |
South Korea: Seoul | GCP |
Indonesia: Jakarta | GCP |
USA: Salt Lake City, UT | GCP |
USA: Las Vegas, NV | GCP |
Poland: Warsaw | GCP |
Australia: Melbourne | GCP |
India: Delhi | GCP |
Canada: Toronto | GCP |
Chile: Santiago | GCP |
France: Paris | GCP |
Italy: Milan | GCP |
Spain: Madrid | GCP |
USA: Columbus, OH | GCP |
USA: Dallas, TX | GCP |
Saudi Arabia: Dammam | GCP |
Germany: Berlin | GCP |
Qatar: Doha | GCP |
Italy: Turin | GCP |
SOC 2 reports are prepared in accordance with AT-C Section 205, Examination Engagements under Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. SOC 2 reports fulfill various information and assurance needs of customers and aim to place trust in SAP’s service organization systems, processes, and controls. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to Security, Availability, and Processing Integrity of the systems that are used to process users’ data and the Confidentiality and Privacy of the information processed by these systems (AICPA, Trust Services Criteria). Additionally, they can play an important role in the oversight of the organization, vendor management programs, and regulatory oversight. Please note that this examination's scope does not include the controls of any subservice organizations. SOC 2 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC 2 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.
SAP Cloud Infrastructure has regularly prepared SOC 2 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. April 2023 to 31. March 2024.
The use of these reports is restricted. A copy of this report is available for all SAP customers and prospects with non-disclosure agreement in place.
SAP Cloud Infrastructure (SCI) spearheads SAP’s 4+1 strategy and supports the adoption and governance of all services deployed as part of SAP’s Cloud Infrastructure Strategy. Specifically, this refers to the management of public cloud hyperscalers and SAP’s internal IaaS known as SAP Converged Cloud.
SAP Converged Cloud
Converged Cloud is SAP’s standardized Infrastructure as a Service (IaaS) offering to support all of SAP’s cloud business on a global scale. SAP Converged Cloud provides access to a vendor-agnostic hardware infrastructure architecture as well as infrastructure orchestration and automation services in all SAP. With SAP Converged Cloud, it is possible to deploy applications into data centers without needing to deploy a solution-specific infrastructure stack (the application infrastructure) beforehand.
The SAP Converged Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
Data Center Location | DC Provider |
United Arab Emirates: Dubai | Co-Location Provider |
Australia: Sydney | Co-Location Provider |
China: Shanghai | Co-Location Provider |
Japan: Tokyo | Co-Location Provider |
Japan: Osaka | Co-Location Provider |
Saudi Arabia: Riyadh | Co-Location Provider |
Saudi Arabia: Dammam | Co-Location Provider |
Germany: St. Leon-Rot | SAP |
Germany: Walldorf | SAP |
Germany: Frankfurt | Co-Location Provider |
Netherlands: Amsterdam | Co-Location Provider |
Brazil: São Paulo | Co-Location Provider |
Canada: Toronto | Co-Location Provider |
USA: Ashburn, VA | Digital Realty |
USA: Newtown Square, PA | SAP |
USA: Sterling, VA | Cyxtera (ex CenturyLink) |
USA: Colorado Springs, CO | SAP |
USA: Chandler, AZ | Internap (Digital Realty) |
SAP Multi Cloud
The SAP Multi Cloud organization provides a ‘platform of enablement’ for Lines of Business (LoB) in the public cloud, providing costing services such as billing and cost optimization, architecture consultation and application design and security safeguards, tool engineering to automate and expand services offerings and hyperscaler operational support.
The SAP Multi Cloud infrastructure landscape is hosted either in SAP SE owned data centers or co-location data centers, as detailed below:
| DC Locations | DC Providers |
USA: N. Virginia | AWS |
USA: NS2 Federal Civilian | AWS |
USA: NS2 DoD | AWS |
Ireland | AWS |
Canada: Central | AWS |
Singapore | AWS |
South Korea: Seoul | AWS |
Japan: Osaka | AWS |
France: Paris | AWS |
Sweden: Stockholm | AWS |
China: Beijing | AWS |
USA: N. California | AWS |
Bahrain | AWS |
UAE | AWS |
Germany: Frankfurt | AWS |
Spain | AWS |
China: Hong Kong | AWS |
Italy: Milan | AWS |
Indonesia: Jakarta | AWS |
Israel: Tel Aviv | AWS |
UK: London | AWS |
India: Mumbai | AWS |
China: Ningxia | AWS |
USA: Ohio | AWS |
Brazil: São Paulo | AWS |
South Africa: Cape Town | AWS |
Australia: Sydney | AWS |
Japan: Tokyo | AWS |
India: Hyderabad | AWS |
USA | AWS |
USA: Oregon | AWS |
Australia: Melbourne | AWS |
Switzerland: Zurich | AWS |
Australia: Sydney | AWS |
Canada: Montreal | AWS |
Australia: Sydney | AWS |
United Kingdom: London | AWS |
Australia: Sydney | Azure |
Australia: Sydney | Azure |
Poland: Warsaw | Azure |
USA: California | Azure |
USA: Virginia | Azure |
USA: Virginia | Azure |
USA: Iowa | Azure |
USA: Illinois | Azure |
USA: Texas | Azure |
USA: West Central | Azure |
USA: Quincy, WA | Azure |
USA: Virginia | Azure |
USA: Iowa | Azure |
USA: DoD East | Azure |
USA: DoD Central | Azure |
Canada: Quebec City | Azure |
Canada: Toronto | Azure |
Brazil: São Paulo | Azure |
USA: Arizona | Azure |
USA: Texas | Azure |
Ireland: Dublin | Azure |
Netherlands: Amsterdam | Azure |
Germany: Magdeburg | Azure |
UK: Cardiff | Azure |
UK: London | Azure |
France: Paris | Azure |
France: Marseille | Azure |
Singapore | Azure |
China: Hong Kong | Azure |
Australia: New South Wales | Azure |
Australia: Victoria | Azure |
China: Shanghai | Azure |
China: Beijing | Azure |
India: Pune | Azure |
India: Mumbai | Azure |
India: Chennai | Azure |
Japan: Tokyo | Azure |
Japan: Osaka | Azure |
South Korea: Seoul | Azure |
Sout Korea: Busan | Azure |
South Africa: Cape Town | Azure |
South Africa: Johannesburg | Azure |
Australia: Canberra | Azure |
Australia: Canberra | Azure |
China: Shanghai | Azure |
China: Beijing | Azure |
United Arab Emirates: Abu Dhabi | Azure |
United Arab Emirates: Dubai | Azure |
Germany: North | Azure |
Germany: Frankfurt | Azure |
Switzerland: Zürich | Azure |
Switzerland: Geneva | Azure |
Norway: Oslo | Azure |
Norway: Stavanger | Azure |
Sweden: Staffanstorp | Azure |
Sweden: Gävle | Azure |
Brazil: Rio de Janeiro | Azure |
Qatar: Doha | Azure |
USA: Arizona | Azure |
China: Hebei | Azure |
China: Jiangsu | Azure |
Israel | Azure |
Italy: Milan | Azure |
Israel: Tel Aviv | GCP |
USA: Council Bluffs, IA | GCP |
USA: The Dalles, OR | GCP |
USA: Ashburn, VA | GCP |
USA: Moncks Corner, SC | GCP |
Belgium: St. Ghislain | GCP |
UK: London | GCP |
Singapore: Jurong West | GCP |
Taiwan: Changhua County | GCP |
Japan: Tokyo | GCP |
Australia: Sydney | GCP |
Germany: Frankfurt | GCP |
USA: Los Angeles, CA | GCP |
Canada: Montreal | GCP |
China: Hong Kong | GCP |
India: Mumbai | GCP |
Finland: Hamina | GCP |
Netherlands: Eemshaven | GCP |
Brazil: São Paulo | GCP |
Japan: Osaka | GCP |
Switzerland: Zürich | GCP |
South Korea: Seoul | GCP |
Indonesia: Jakarta | GCP |
USA: Salt Lake City, UT | GCP |
USA: Las Vegas, NV | GCP |
Poland: Warsaw | GCP |
Australia: Melbourne | GCP |
India: Delhi | GCP |
Canada: Toronto | GCP |
Chile: Santiago | GCP |
France: Paris | GCP |
Italy: Milan | GCP |
Spain: Madrid | GCP |
USA: Columbus, OH | GCP |
USA: Dallas, TX | GCP |
Saudi Arabia: Dammam | GCP |
Germany: Berlin | GCP |
Qatar: Doha | GCP |
Italy: Turin | GCP |
SOC 2 reports are prepared in accordance with AT-C Section 205, Examination Engagements under Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. SOC 2 reports fulfill various information and assurance needs of customers and aim to place trust in SAP’s service organization systems, processes, and controls. These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to Security, Availability, and Processing Integrity of the systems that are used to process users’ data and the Confidentiality and Privacy of the information processed by these systems (AICPA, Trust Services Criteria). Additionally, they can play an important role in the oversight of the organization, vendor management programs, and regulatory oversight. Please note that this examination's scope does not include the controls of any subservice organizations. SOC 2 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC 2 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.
SAP Cloud Infrastructure has regularly prepared SOC 2 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. April 2023 to 31. March 2024.
The use of these reports is restricted. A copy of this report is available for all SAP customers and prospects with non-disclosure agreement in place.