SAP Enterprise Cloud Services Cloud Computing Compliance Criteria Catalog (C5:2020) Audit Report 2025

​Please Note: Starting from 2025 H1, SAP will release new SOC 1, SOC 2 and C5 audit reports called “SAP Central Cloud Services” comprising of SAP Cloud Services (IaaS, PaaS, SaaS) and SAP central services. Customers will automatically receive a copy of this audit report in addition to the requested report(s) to assess relevant controls of the internal subservice organization “SAP Central Cloud Services” as outlined in Section III.

​Learn More: Digital Resources & Enablement

  • RISE with SAP S/4HANA Cloud, Private Edition

  • RISE with SAP S/4HANA Cloud, Private Cloud, Tailored Option incl. Customer Data Center Option

  • SAP HANA Enterprise Cloud Credit & Overage, Advanced Edition  incl. Customer Data Center Option (BYOL)

  • SAP S/4 HANA Cloud, Extended Edition

  • STE (Single Tenant Edition)

  • CPO (Cloud Private Option)

  • CPE (Cloud Private Edition)

  • SAP Credit & Overage HANA Enterprise Cloud Advanced Edition (Subscription)

  • SAP HANA Enterprise Cloud Advanced Edition (Subscription)

  • SAP HANA Enterprise Cloud Classic (Subscription and BYOL)

Services are offered on SAP Infrastructure, Customer Data Center Infrastructure, Amazon Web Services, Microsoft Azure or Google Cloud Platform.  A detailed list of locations of the datacenter is available within the report. The offered services are fully scalable and secure private managed cloud solutions available only from SAP. It empowers organizations to unlock the full value of SAP Enterprise Cloud Services in the cloud - accelerating growth and innovation, driving IT and business transformation, quickly delivering business outcomes, and reducing risk. The offered services are using the SAP Enterprise Cloud Services architecture and processes but includes also specific SAP products, use rights and services. The SAP Enterprise Cloud Services reference architecture helps the customer to use flexible services for modular and rapid deployment.

 

The following Data Centers are used by SAP Enterprise Cloud Services (ECS):

  • Australia: Sydney

  • Canada: Toronto

  • Germany: Frankfurt

  • Germany: St. Leon-Rot

  • Germany: Walldorf

  • Japan: Osaka

  • Japan: Tokyo

  • Netherlands: Amsterdam

  • USA: Ashburn, VA

  • USA: Colorado Springs, CO

  • USA: Santa Clara, CA

  • USA: Sterling, VA

Amazon Web Services

  • Asia-Pacific (Malaysia)

  • Australia: Melbourne

  • Australia: Sydney

  • Bahrain

  • Brazil: São Paulo

  • Canada: Calgary

  • Canada: Central

  • China: Beijing

  • China: Hong Kong

  • China: Ningxia

  • France: Paris

  • Germany: Frankfurt

  • India: Hyderabad

  • India: Mumbai

  • Indonesia: Jakarta

  • Ireland

  • Israel: Tel Aviv

  • Italy: Milan

  • Japan: Osaka

  • Japan: Tokyo

  • Singapore

  • South Africa: Cape Town

  • South Korea: Seoul

  • Spain

  • Sweden: Stockholm

  • Switzerland: Zurich

  • Thailand: Bangkok

  • UK: London

  • United Arab Emirates

  • USA: N. Virginia

  • USA: Ohio

  • USA: Oregon

Google Cloud Platform

  • Australia: Melbourne

  • Australia: Sydney

  • Belgium: St. Ghislain

  • Brazil: São Paulo

  • Canada: Montreal

  • Canada: Toronto

  • Chile: Santiago

  • China: Hong Kong

  • Dammam (Saudi Arabia)

  • Finland: Hamina

  • France: Paris

  • Germany: Berlin

  • Germany: Frankfurt

  • India: Delhi

  • India: Mumbai

  • Indonesia: Jakarta

  • Israel: Tel Aviv

  • Italy: Milan

  • Italy: Turin

  • Japan: Osaka

  • Japan: Tokyo

  • Netherlands: Eemshaven

  • Poland: Warsaw

  • Qatar: Doha

  • Singapore: Jurong West

  • South Africa: Johannesburg

  • South Korea: Seoul

  • Spain: Madrid

  • Switzerland: Zürich

  • Taiwan: Changhua County

  • UK: London

  • USA: Ashburn, VA

  • USA: Columbus, OH

  • USA: Council Bluffs, IA

  • USA: Dallas, TX

  • USA: Las Vegas, NV

  • USA: Los Angeles, CA

  • USA: Moncks Corner, SC

  • USA: Salt Lake City, UT

  • USA: The Dalles, OR

Microsoft Azure

  • Australia: Canberra

  • Australia: New South Wales

  • Australia: Victoria

  • Brazil: Rio de Janeiro

  • Brazil: São Paulo

  • Canada: Quebec City

  • Canada: Toronto

  • China: Hebei

  • China: Hong Kong

  • China: Jiangsu

  • China: Shanghai

  • France: Marseille

  • France: Paris

  • Germany: Frankfurt

  • Germany: North

  • India: Chennai

  • India: Pune

  • Ireland: Dublin

  • Israel

  • Italy: Milan

  • Japan: Osaka

  • Japan: Tokyo

  • Mexico: Querétaro

  • Netherlands: Amsterdam

  • Norway: Oslo

  • Norway: Stavanger

  • Poland: Warsaw

  • Qatar: Doha

  • Singapore

  • South Africa: Cape Town

  • South Africa: Johannesburg

  • South Korea: Busan

  • South Korea: Seoul

  • Spain: Madrid

  • Sweden: Gävle

  • Switzerland: Geneva

  • Switzerland: Zürich

  • UK: Cardiff

  • UK: London

  • United Arab Emirates: Abu Dhabi

  • United Arab Emirates: Dubai

  • USA: Arizona

  • USA: California

  • USA: Illinois

  • USA: Iowa

  • USA: Quincy, WA

  • USA: Texas

  • USA: Virginia

Cloud Computing Compliance Controls Catalogue (C5) reports are prepared in accordance with attestation standards established by the American Institute of Certified Public Accountants (“AICPA”) and in accordance with the International Standard on Assurance Engagements (“ISAE”) 3000 Revised, Assurance Engamenets Other than Audits or Reviews of Historical Financial Information, issued by the International Auditing and Assurance Board (IAASB). C5 outlines minimum security for cloud computing, aimed at cloud providers, auditors, and clients. Introduced in 2016, it helps customers choose a secure cloud provider and tailor a risk management system. C5 assures cloud services security by providing transparency via a standardized examination and reporting system. The 2020 version of C5 includes 125 criteria from 17 areas, based on national and international standards and publications.

 

SAP Enterprise Cloud Services has regularly prepared C5 Type 2 audit reports by an independent 3rd party accountant. This version of the report covers the audit period 1. April 2024 to 31. March 2025.

 

The use of these reports is restricted. A copy of this report is available for all SAP customers and prospects with non-disclosure agreement in place.