SAP Enterprise Cloud Services SOC 1 Audit Report Q3 2025

SAP Enterprise Cloud Services (ECS) includes the following Active Offerings area:

  • SAP Cloud ERP Private (successor of RISE with SAP S/4HANA Cloud, private edition, premium

  • SAP Cloud ERP Private, tailored option ( successor of RISE with SAP S/4HANA Cloud Private Edition, core, tailored option)

  • SAP Cloud ERP Private, base option (successor of RISE with SAP S/4 HANA Cloud Private Edition, base.

  • SAP Cloud ERP Private, limited option

SAP Enterprise Cloud Services includes the following Passive Offerings area:

  • RISE with SAP S/4HANA Cloud, Private Edition Premium

  • RISE with SAP S/4HANA Cloud, Private Cloud, Tailored Option including Customer Data Center Option

  • SAP ERP, Private Cloud Edition, Tailored Option

  • SAP HANA Enterprise Cloud Credit & Overage, Advanced Edition including Customer Data Center Option Bring your own license (BYOL)

  • SAP S/4HANA Cloud, Extended Edition

  • Single Tenant Edition

  • Cloud Private Option

  • Cloud Private Edition

  • SAP Credit & Overage HANA Enterprise Cloud Advanced Edition (Subscription)

  • SAP HANA Enterprise Cloud Advanced Edition (Subscription)

  • SAP HANA Enterprise Cloud Classic (Subscription and BYOL)

The following Data Centers are used by SAP Enterprise Cloud Services:

  • Australia: Sydney

  • Canada: Toronto 

  • Germany: Frankfurt 

  • Germany: St. Leon-Rot 

  • Germany: Walldorf

  • Japan: Osaka 

  • Japan: Tokyo 

  • Netherlands: Amsterdam 

  • USA: Ashburn, VA

  • USA: Colorado Springs, CO 

  • USA: Santa Clara, CA 

  • USA: Sterling, VA 

  • Asia-Pacific (Malaysia)

  • Australia: Canberra 

  • Australia: Melbourne 

  • Australia: New South Wales 

  • Australia: Sydney 

  • Australia: Victoria 

  • Bahrain 

  • Belgium: St. Ghislain 

  • Brazil: Rio de Janeiro 

  • Brazil: São Paulo 

  • Canada: Calgary 

  • Canada: Central 

  • Canada: Montreal 

  • Canada: Quebec City 

  • Canada: Toronto 

  • Chile: Santiago 

  • China: Beijing 

  • China: Hebei 

  • China: Hong Kong 

  • China: Jiangsu 

  • China: Ningxia 

  • China: Shanghai 

  • Dammam (Saudi Arabia) 

  • Finland: Hamina 

  • France: Marseille 

  • France: Paris 

  • Germany: Berlin 

  • Germany: Frankfurt 

  • Germany: North

  • India: Chennai

  • India: Delhi 

  • India: Hyderabad 

  • India: Mumbai 

  • India: Pune 

  • Indonesia: Jakarta 

  • Ireland 

  • Ireland: Dublin 

  • Israel 

  • Israel: Tel Aviv 

  • Italy: Milan 

  • Italy: Turin 

  • Japan: Osaka 

  • Japan: Tokyo 

  • Mexico: Querétaro 

  • Netherlands: Amsterdam 

  • Netherlands: Eemshaven 

  • New Zeeland North/Auckland 

  • Norway: Oslo 

  • Norway: Stavanger 

  • Poland: Warsaw 

  • Qatar: Doha 

  • Singapore 

  • Singapore: Jurong West 

  • South Africa: Cape Town 

  • South Africa: Johannesburg 

  • South Korea: Busan 

  • South Korea: Seoul 

  • Spain 

  • Spain: Madrid 

  • Sweden: Gävle 

  • Sweden: Stockholm

  • Switzerland: Zürich

  • Taiwan: Changhua County 

  • Thailand: Bangkok 

  • UK: Cardiff 

  • UK: London 

  • United Arab Emirates 

  • United Arab Emirates: Abu Dhabi 

  • United Arab Emirates: Dubai 

  • USA: Arizona 

  • USA: Ashburn, VA 

  • USA: California 

  • USA: Columbus, OH 

  • USA: Council Bluffs, IA 

  • USA: Dallas, TX 

  • USA: Illinois 

  • USA: Iowa 

  • USA: Las Vegas, NV 

  • USA: Los Angeles, CA 

  • USA: Moncks Corner, SC 

  • USA: N. Virginia 

  • USA: Ohio 

  • USA: Oregon 

  • USA: Quincy, WA 

  • USA: Salt Lake City, UT 

  • USA: Texas 

  • USA: The Dalles, OR 

  • USA: Virginia

SOC 1 reports are prepared in accordance with AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, under Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. SOC 1 reports are specifically intended to meet the needs of the entities that use service organizations (user entities) and the CPAs that audit the user entities’ financial statements (user auditors).  Please note that this examination's scope does not include the controls and related control objectives of any subservice organizations. SOC 1 Type 1 report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of controls to achieve the related control objectives as of a specified date, whereas a SOC 1 Type 2 also includes the operating effectiveness of controls to achieve the related control objectives throughout a specified period.

 

SAP Enterprise Cloud Services has prepared SOC 1 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period April 1, 2025 to September 30, 2025.

 

The use of these reports is restricted to the management of the service organization, user entities, and user auditors. A copy of this report is available for all SAP Enterprise Cloud Services customers who had productive and had financially-relevant systems during the audit period covered by the report.