The scope of this C5 report includes the SAP Converged Cloud solutions as offered for the live productive customer systems that are hosted in SAP SE's data centers St. Leon–Rot (Germany), Walldorf (Germany), Newtown Square (USA) and Shanghai (China) as well as in the co-location Amsterdam (Netherlands), Sterling (USA), Dubai (UAE), Frankfurt (Germany), Moscow (Russia), Osaka (Japan), Riyadh (Saudi Arabia), Sao Paulo (Brazil), Toronto (Canada), Phoenix (USA), Sydney (Australia) and Tokyo (Japan).
Converged Cloud is SAP’s standardized Infrastructure as a Service (IaaS) offering to support all of SAP’s cloud business on a global scale. It provides a vendor agnostic and harmonized Hardware Infrastructure architecture as well as an infrastructure orchestration and automation layer in all major SAP data centers. With Converged Cloud it is possible to deploy applications into data centers without the need to deploy a solution specific infrastructure stack before it can be deployed.
Converged Cloud is compiled out of three main clusters. Converged Cloud Enterprise Edition, Converged Cloud Industry Edition and Monsoon 2 (Cluster 2). Monsoon 2 is out of scope for this audit. Converged Cloud has two architectural variants catering to varying customer demand.
Converged Cloud Enterprise Edition: IaaS used for general purpose solutions using no distro for OpenStack and VMware as hypervisor technology. Distro is short term for Linux distribution, which is an operating system made from a software collection, which is based upon Linux kernel and often packaged as management system.
Converged Cloud Industry Edition: IaaS specialized on Big Data and IoT as well as the SAP Cloud Platform on Cloud Foundry. It is based on SUSE OpenStack Cloud 7 and KVM hypervisor technology.
The Cloud Computing Compliance Controls Catalogue (abbreviated “C5”) is intended primarily for cloud service providers as well as their customers and auditors. It is defined which requirements (also referred to as controls in this context) the cloud providers have to comply with or which minimum requirements the cloud providers should be obliged to meet. The catalogue is divided into 17 thematic sections (e.g. organization of information security, physical security). The surrounding parameters provide additional information on the data location, provision of services, place of jurisdiction, certifications and duties of investigation and disclosure towards government agencies and contain a system description.
SAP Converged Cloud prepared C5 Type 2 audit report by an independent 3rd party accountant. This version of the report covers the audit period 1. November 2018 to 31. October 2019, the location St. Leon–Rot (Germany), Walldorf (Germany), Newtown Square (USA) and Shanghai (China) as well as in the co-location Amsterdam (Netherlands), Sterling (USA), Dubai (UAE), Frankfurt (Germany), Moscow (Russia), Osaka (Japan), Riyadh (KSA), Sao Paulo (Brazil), Toronto (Canada), Phoenix (USA), Sydney (Australia) and Tokyo (Japan).
The use of this report is restricted. A copy of this report is available for all SAP Converged Cloud Cloud customers with productive systems. This report is also available for prospective customers under the signed non-disclosure agreement.