SAP Trust Center

SAP Enterprise Cloud Services SOC 2 (ISAE 3000) Audit Report 2021 H2

The scope of this SOC report includes the SAP Enterprise Cloud Services and the SAP S/4 HANA Cloud, Extended Edition services as offered in the data centers for the productive customer systems that have the status “business live” (i.e. in daily productive business use) in the following locations: St. Leon–Rot (Germany), Amsterdam (Netherlands), Sterling (US), Santa Clara (US), Tokyo (Japan), Osaka (Japan), Sydney (Australia), Moscow (Russia), Toronto (Canada), Frankfurt (Germany), US East (Virginia), US West (Oregon), Singapore, Hong Kong, Seoul (Korea) and Ireland (Dublin).

SAP Enterprise Cloud Services and the SAP S/4 HANA Cloud, Extended Edition services are fully scalable and secure private managed cloud solutions available only from SAP. They empower organizations to unlock the full value of SAP Enterprise Cloud Services in the cloud, accelerating growth and innovation, driving IT and business transformation, quickly delivering business outcomes, and reducing risk. The SAP S/4 HANA Cloud, Extended Edition service uses the SAP Enterprise Cloud Services architecture and processes but also includes specific SAP products, use rights and services. The SAP Enterprise Cloud Services reference architecture helps the customer to use flexible services for modular and rapid deployment.

SOC 2 reports fulfill various information and assurance needs of customers and aim to place trust in SAP's service organization systems, processes and controls. These narratives relate to the trust principles Security, Availability, Confidentiality, Processing Integrity or Privacy, which must be met to demonstrate a well-designed system. SOC 2 also contains details on performed tests and their results. SOC 2 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC 2 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.

For SAP Enterprise Cloud Services / SAP S/4 HANA Cloud, Extended Edition services, SOC 2 Type 2 audit reports are regularly prepared by an independent third-party accountant. This version of the report covers the audit period 1 May 2021 to 31 October 2021 and the locations St. Leon–Rot (Germany), Amsterdam (Netherlands), Sterling (US), Santa Clara (US), Tokyo (Japan), Osaka (Japan), Sydney (Australia), Moscow (Russia), Toronto (Canada), Frankfurt (Germany), US East (Virginia), US West (Oregon), Singapore, Hong Kong, Seoul (Korea) and Ireland (Dublin).

GxP: This report contains the controls for demonstrating compliance with GxP requirements. These controls address additional criteria related to deployment and quality assurance. The controls have been tested along with the controls put in place for the trust principles Security, Availability and Confidentiality.
The use of these reports is restricted. A copy of this report is available for all SAP customers and prospects with a non-disclosure agreement in place.


New:

The scope of this SOC report includes SAP HANA Enterprise Cloud (BYOL & Subscription), SAP S/4 HANA Cloud, Extended Edition & their predecessors, SAP RISE with S/4HANA Cloud, Private Edition services as offered in the data centers for the productive customer systems that have the status “business live” (i.e. in daily productive business use) in the following locations:

Colorado (USA), St. Leon-Rot (Germany), Walldorf (Germany), Amsterdam (Netherlands), Frankfurt (Germany), Moscow (Russia), Osaka (Japan), Santa Clara (USA), Sterling (USA), Sydney (Australia), Tokyo (Japan), Toronto (Canada), Ashburn (USA), Asia-Pacific (Mumbai), Asia-Pacific (Seoul), Asia-Pacific (Singapore), EU (Ireland), EU (Milan), EU (Paris), EU (Stockholm), Middle East (Bahrain), South America (Sao Paulo), North Virginia (USA), Oregon (USA), UAE Central (Abu Dhabi), Beijing (China), Toronto (Canada), Cardiff (UK West), Chennai (South India), Hong Kong (East Asia), Pune (Central India), Quebec City (Canada), South Africa North (Johannesburg), Texas (South Central USA), Washington (USA West), Belgium (West Europe), Finland (North Europe), Iowa (USA).

SAP HANA Enterprise Cloud (BYOL & Subscription), SAP S/4 HANA Cloud, Extended Edition & their predecessors, SAP RISE with S/4HANA Cloud, Private Edition services are fully scalable and secure private managed cloud solutions available only from SAP. They empower organizations to unlock the full value of SAP Enterprise Cloud Services in the cloud, accelerating growth and innovation, driving IT and business transformation, quickly delivering business outcomes, and reducing risk. The SAP S/4 HANA Cloud, Extended Edition service uses the SAP Enterprise Cloud Services architecture and processes but also includes specific SAP products, use rights and services.
The SAP Enterprise Cloud Services reference architecture helps the customer to use flexible services for modular and rapid deployment. SOC 2 reports fulfill various information and assurance needs of customers and aim to place trust in SAP's service organization systems, processes and controls. These narratives relate to the trust principles Security, Availability, Confidentiality, Processing Integrity or Privacy, which must be met to demonstrate a well-designed system. SOC 2 also contains details on performed tests and their results. SOC 2 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC 2 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.

For SAP HANA Enterprise Cloud (BYOL & Subscription), SAP S/4 HANA Cloud, Extended Edition & their predecessors, SAP RISE with S/4HANA Cloud, Private Edition services, SOC 2 Type 2 audit reports are regularly prepared by an independent third-party accountant. This version of the report covers the audit period 1 May 2021 to 31 October 2021 and the locations as stated above.


GxP: This report contains the controls for demonstrating compliance with GxP requirements. These controls address additional criteria related to deployment and quality assurance. The controls have been tested along with the controls put in place for the trust principles Security, Availability and Confidentiality.

The use of these reports is restricted. A copy of this report is available for all SAP customers and prospects with a non-disclosure agreement in place.