Skip to Content

Security and Privacy

  • Security, privacy, and data protection are one of SAP’s material aspects.
  • We address security holistically throughout the software development process and solution provisioning of our cloud solutions.
  • Our global data protection and privacy policy secures data privacy in a world of increased access to personal data.

While enabling our customers to Run Simple by tackling complexity, they expect SAP to address threats to their on-premise software environments, as well as to their cloud and mobile services. We view our customers’ trust in our company as a key element of our success. This trust extends to the high quality and security of our entire suite of products and services, as well as our ability to operate our cloud business both securely and reliably. For this reason, we continually strive to protect customers, business partners, and our own company through a range of coordinated practices.

Comprehensive Security Practices

Security has always been a very important topic for SAP and our customers. That is why we introduced a secure software development lifecycle to address security holistically throughout the development process.

Our strategy includes:

  • A comprehensive global security expert team leading and guiding our development units to build at a high security level from the start of the product planning phase
  • Security functionality built into our products
  • Mandatory security training for developers
  • Solid testing and validation of our products, patches, and services before shipment
  • A software security response process to react rapidly to reported vulnerabilities
  • Security-related service offerings from our service and support organization
  • A specialized security consulting team
  • A large ecosystem of partners that specialize in security
  • A dedicated research organization focused on security
  • Corporate security at SAP locations to oversee the security of our data centers and development organization

Secure Cloud Computing

With cloud offerings, our core business applications are now available to everyone, from the largest enterprises to the smallest businesses. Security and data protection principles as well as related requirements are especially critical in the cloud, and we view trust in our security and data protection practices as an important differentiator for the cloud business. Our cloud operations meet international standards for availability, security, and data protection that are among the highest in our industry. Currently, SAP is adding new data centers and consolidating existing data centers to efficiently meet customer demands in the cloud business and meet preferences for local and regional options. Our data center strategy is built on using our own data center locations as well as using co-location providers – both applying similar security and data protection requirements. Throughout all of our data center locations and our worldwide operations, we comply with the European Data Protection Regulation, which provides a very high level of protection, and adapt it to local needs, if necessary.

At the same time, all SAP data centers are required to comply with the same standards for physical, technical, and operational security measures, which are among the highest in the industry. We also have measures to ensure that access to information is limited to a need-to-know basis and meeting a required set of privileges, and that all information is classified to reflect its level of confidentiality and is encrypted as appropriately as possible. We conduct full and incremental data backups on a daily, weekly, and monthly basis. As a result, cloud solutions from SAP meet high standards and have been certified in many areas, including data center operations, software operations, business continuity, and internal inspection. Certifications include SOC1 Type II, SOC2 Type II, ISO 27001, ISO 22301, and BS 10012, among others.

Mobile Security

To help our customers meet the diverse challenges of enterprise mobility head on, SAP Mobile Secure solutions provide robust mobile device management, mobile application management, and mobile content management. Through these advanced solutions, data, mobile apps, and content can be locked down to meet the strictest security requirements and ensure good protection if a mobile device is lost or stolen. These solutions manage and secure deployments of mobile devices for companies of any size, improving the mobile user experience while eliminating security bottlenecks.

Strict Data Protection and Privacy Policies

We recognize the growing importance of privacy in a world of increased access to personal data. We adhere to our SAP Data Protection and Privacy Policy that is not only designed to secure the privacy rights of employees, customers, prospects, and partners, but also of anyone whose data is processed by SAP and falls within the legal parameters of SAP or our customers. Privacy is a top priority of our Executive Board and our legal entities must abide by internal policies and applicable privacy laws.

With regards to data protection requirements, significant changes are expected subject to the upcoming European Data Protection Regulation. Furthermore, SAP is affected by the consequences of the decision of the European Court of Justice (ECJ), which declared Safe Harbor invalid, so that data transfers from within the European Union (EU) to the United States are no longer permitted based on Safe Harbor.

Further, recent landmark decisions by the ECJ on data protection matters, as well as official statements made by the European data protection supervisory authorities require SAP to carefully review our globalized business practices. Most importantly, the ECJ on October 6 ruled that data transfers by European companies to data processors in the United States can no longer be based on Safe Harbor. While SAP has not widely relied upon Safe Harbor, the data protection supervisory authorities have challenged the legality of other transfer mechanisms, such as the Standard Contractual Clauses used by SAP on the same grounds by which the ECJ has declared Safe Harbor invalid. The data protection supervisory authorities have threatened to start enforcement activities as early as end of January 2016 against European companies that still transfer data to the United States (or grant U.S. companies remote access to systems containing personal data in the EU) based on a transfer mechanism that the authorities consider invalid. Enforcement activities against SAP or against SAP customers because of services and products that SAP provides with the help of our U.S.-based entities and/or U.S.-based suppliers could lead to fines, civil liability, loss of customers, damage to our reputation, and could have an adverse effect on our business, financial position, profit, and cash flows.

Furthermore, SAP already offers an option for our customers by which customers can elect to have their personal data processed in and accessed from within the European Union/European Economic Area (EU/EEA) and Switzerland exclusively. The EU Access service from SAP is available for on-premise systems and a growing number of cloud solutions.

In 2015, SAP did not experience any significant incidents regarding breaches of customer privacy and losses of customer data, or incidents which would have required reporting subject to the provisions of the German Federal Data Protection Act.

    Back to top