The scope of this C5 report includes the SAP Cloud Platform services hosted in SAP SE's data centers St. Leon–Rot, Germany as well as in the co-location data centers in Frankfurt (Germany), Sydney (Australia), Phoenix (Arizona, USA), Ashburn (Virginia, USA), Sterling (Virginia, USA), Tokyo (Japan), Osaka (Japan), Riyadh (Saudi Arabia), Toronto (Canada), Moscow (Russian Federation), Sao Paulo (Brazil), Dubai (United Arab Emirates) and Amsterdam (Netherlands).
SAP Cloud Platform is the SAP Business Application Platform-as-a-Service (PaaS) offering. As an essential part of SAP’s cloud strategy it enables SAP and its partners and customers to develop, deploy, run, operate, and use applications in a cloud environment.
The cloud platform is built to enable interoperability and at the same time to ensure security and integrity required by applications operating in a distributed network environment.
SAP Cloud Platform is a multitenant public cloud offering which allows application providers, including SAP itself, to build lightweight, collaborative, network-oriented applications to complement and extend existing SAP solutions.
Additionally, SAP provides and operates SaaS solutions on SAP Cloud Platform. Those also leverage the SAP Cloud Platform management system and operational controls. Therefore, everywhere in this system description where referred to SAP Cloud Platform, all services, tools, applications, SaaS solutions, part of or running on SAP Cloud Platform, are included as described in the chapter Technical Overview.
SAP Cloud Platform is a product implemented by SAP, and as such, it uses the Innovation Cycle framework for product and solution creation, certified with ISO 9001:2015.
The Cloud Computing Compliance Controls Catalogue (abbreviated “C5”) is intended primarily for cloud service providers as well as their customers and auditors. It is defined which requirements (also referred to as controls in this context) the cloud providers have to comply with or which minimum requirements the cloud providers should be obliged to meet. The catalogue is divided into 17 thematic sections (e.g. organization of information security, physical security). The surrounding parameters provide additional information on the data location, provision of services, place of jurisdiction, certifications and duties of investigation and disclosure towards government agencies and contain a system description.
SAP Cloud Platform has prepared C5 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. May 2018 to 31. October 2018, the location St. Leon–Rot, Germany as well as in the co-location data centers in Frankfurt (Germany), Sydney (Australia), Phoenix (Arizona, USA), Ashburn (Virginia, USA), Sterling (Virginia, USA), Tokyo (Japan), Osaka (Japan), Riyadh (Saudi Arabia), Toronto (Canada), Moscow (Russian Federation), Sao Paulo (Brazil), Dubai (United Arab Emirates) and Amsterdam (Netherlands).
The use of this report is restricted. A copy of this report is available for all SAP Cloud Platform customers with productive systems. This report is also available for prospective customers under the signed non-disclosure agreement.