SAP Customer Experience (SAP Cloud for Customer and SAP Sales Cloud and SAP Service Cloud Version 2) Cloud Computing Compliance Criteria Catalog (C5:2020) Audit Report 2025
Please Note: Starting from 2025 H1, SAP will release new SOC 1, SOC 2 and C5 audit reports called “SAP Central Cloud Services” comprising of SAP Cloud Services (IaaS, PaaS, SaaS) and SAP central services. Customers will automatically receive a copy of this audit report in addition to the requested report(s) to assess relevant controls of the internal subservice organization “SAP Central Cloud Services” as outlined in Section III.
Learn More: Digital Resources & Enablement
The scope of this C5 report includes the SAP Cloud for Customer and SAP Sales Cloud and SAP Service Cloud Version 2 Systems.
The SAP Cloud for Customer system is an SAP Customer Relationship Management (CRM) Software-as-a-Service (SaaS) offering. It is a set of solutions for sales and service teams. All solutions are pre-integrated with SAP Business Suite and the solutions are supported on a wide range of browsers and mobile devices. It is a multi-tenant cloud offering that brings sales, customer service and social CRM together.
The SAP Sales Cloud and SAP Service Cloud version 2 is an SAP Customer Relationship Management (CRM) Software-as-a-Service (SaaS) offering. It is a cloud native product built on the Amazon Web Services (AWS) hyperscaler. It is a set of solutions for sales and service teams. All solutions are pre-integrated with SAP Business Suite and the solutions are supported on a wide range of browsers and mobile devices. SAP Sales Cloud and SAP Service Cloud version 2 is a multi-tenant cloud offering that brings sales, customer service and social CRM together.
Cloud Computing Compliance Controls Catalogue (C5) reports are prepared in accordance with attestation standards established by the American Institute of Certified Public Accountants (“AICPA”) and in accordance with the International Standard on Assurance Engagements (“ISAE”) 3000 Revised, Assurance Engamenets Other than Audits or Reviews of Historical Financial Information, issued by the International Auditing and Assurance Board (IAASB). C5 outlines minimum security for cloud computing, aimed at cloud providers, auditors, and clients. Introduced in 2016, it helps customers choose a secure cloud provider and tailor a risk management system. C5 assures cloud services security by providing transparency via a standardized examination and reporting system. The 2020 version of C5 includes 125 criteria from 17 areas, based on national and international standards and publications.
SAP Customer Experience has regularly prepared C5 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. April 2024 to 31. March 2025.
The use of these reports is restricted. A copy of this report is available for all SAP customers and prospects with non-disclosure agreement in place.