SAP Trust Center
Find the information you need on cloud performance, security, privacy, and compliance.
SAP Trust Center: FAQs
Search the list below to find answers to frequently asked questions on topics such as cloud service availability, data protection and privacy, compliance, data centers, and agreements.
Cloud Service Availability
Downtimes related to regular maintenance and/or major upgrade activities (see SLA document) are not reflected on the SAP Trust Center. A disruption / degradation is visible in the Cloud Service Status if its duration is >= 5 minutes and if >= 5% of the productive systems in a data center are impacted. A detailed customer view including all downtimes and maintenance for customer-specific tenants is available in SAP for ME.
The availability data on the Cloud Service Status page is updated every five minutes or less.
The SAP cloud services are displayed in alphabetical order, grouped by product portfolio. Use the search functionality to find your specific cloud services or filter the results by product portfolio group.
SAP for Me is the central gateway to improve the SAP customer experience along all digital touchpoints with SAP, including your personalized cloud availability information. Customers can access SAP for Me with their S-user or SAP Universal ID. Follow the path > Customer Dashboard > Systems & Provisioning to get an overview of your cloud systems and their current availability status.
The Cloud System Notification Subscriptions (CSNS) application makes it easy to add, customize, and manage subscriptions to Cloud Availability Center notifications. Using this tool, SAP Cloud customers can remain constantly informed and receive timely updates regarding their SAP Cloud Services, including – but not limited to – planned and unplanned downtimes, and customer communications.
Data Protection and Privacy
SAP has appointed a group data protection officer (DPO). The officer is responsible for our overall data protection and privacy strategy. Mathias Cellarius is acting as the DPO. The SAP Data Protection and Privacy Office can be reached at firstname.lastname@example.org. Based on applicable local legal requirements or for other reasons, SAP has also appointed local DPOs (for example, in the Philippines or China).
SAP does not determine the purposes for which personal data is collected, uploaded to, and maintained in its products and services by customers (or their authorized users). Therefore, depending on the circumstances, when providing products and services to our customers, we and our subprocessors act as (sub)processors (or a similar role under applicable laws). SAP customers and their authorized users act as controllers or processors (or a similar role under applicable laws). For the purposes of the California Consumer Privacy Rights Act, we considers ourself a "service provider" when providing products and services to our customers.
Data entered by customers and their users belongs to the customer. This is also described in the applicable general terms and conditions for SAP products and services.
The EU-US Privacy Shield was developed by the U.S. Department of Commerce and the European Commission to enable companies to meet the EU adequacy requirements for transferring personal data to the United States. In the Schrems II decision, the Court of Justice of the European Union invalidated the European Commission’s adequacy decision for the EU-US Privacy Shield framework. This meant it is not an approved adequacy mechanism to protect cross-border transfers of personal data from the EU to the United States under the EU General Data Protection Regulation (GDPR). SAP did not generally adopt the EU-US Privacy Shield, which would only apply to transfers to the United States and not globally. Instead, we rely on SCCs as published by the European Commission, which we have in place throughout the SAP group of companies and with our third-party subprocessors. However, some acquired companies relied on the EU-US Privacy Shield to serve their customers. In such cases, the contractual relationships between such SAP entities and their customers are being reviewed.
When providing products and services to our customers, we comply with our obligations as a (sub)processor (or a similar role) under applicable data protection and privacy laws. Furthermore, we implement technical and organizational measures (TOMs) for our products and services. However, compliance with applicable data protection and privacy laws is a shared responsibility. For example, customers should also perform their own due diligence to determine whether the TOMs are appropriate for the intended use of SAP products and services by the customer. This is because SAP does not have actual control over what kind of data a customer and its authorized users transfer into SAP products and services.
The personal data that SAP processes depends on the SAP products and services a customer subscribes to and what personal data a customer uploads into those products and services. Every contract for SAP products and services includes a SAP personal DPA, which includes a description of data subjects and data categories. This includes the most common examples of how customers use SAP products and services.
Since 1998 SAP has held an ISO 9001 certificate. We are also certified according to ISO 27001, ISO 22301, and BS 10012. All locations worldwide work according to one common process framework, including data security and privacy regulations. We regularly check compliance though internal reviews and audits.
It specifies a framework for implementing a personal information management system (PIMS) in compliance with the General Data Protection Regulation (GDPR) and mandates the implementation of such a system within corporate security programs. It describes a framework to manage the privacy of personal data and implement necessary policies, procedures, and controls to help ensure compliance with the GDPR.
Access the compliance section of the SAP Trust Center and search for the document you need.
SAP provides a variety of certificates and reports. All compliance certifications and/or attestations can be viewed and requested via the SAP Trust Center.
The SOC 1 report covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that is relevant to the customer's internal control over financial reporting, known as IT general controls.
IT general controls cover:
- IT strategy
- Environment and organization
- Logical and physical
- Access controls
- Program development
- Change management
- Computer operations such as incident management, backup, and monitoring
The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust services criteria (TSPs).
These additional TSPs are:
Our current certification portfolio includes BSI C5 (Cloud Computing Compliance Controls Catalogs), CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk), ISO 22301:2021 (Business Continuity Management), ISO/IEC 27001:2013 (Information Security Management System), ISO/IEC 27017:2015 (Code of practice for Cloud service information security), ISO/IEC 27018:2019 (Code of practice for Personally identifiable information in public clouds), ISO 9001:2015 (Quality management systems), PCI-DSS (Payment Card Industry Data Security Standard), SOC1, SOC2 Report (System and Organization Controls Report), and TISAX (Trusted Information Security Assessment Exchange).
Our SOC reporting cycles are HY1 (covers from Nov 1st through April 30th) with planned delivery in July; and HY2 (covers from May 1st through October 31st) with planned delivery in January.
Bridge letters are intended to cover the gap between the end date of the referenced report and the issue date of the bridge letter. Bridge letters provide customers with information as to whether there have been any significant changes to their controls environment that could adversely impact the conclusions reached in the most recently completed SOC examination. Bridge letters are available on request on the SAP Trust Center.
A data center has equipment associated with supplying power, controlling temperature, and suppressing fires. An indicator of the security level is provided by the tier/rating as defined by the American National Standards Institute (ANSI) in its standard ANSI/TIA-942. Requirements of tier/rating 4, the highest, were the guiding principles in the design of the SAP data center.
Whether fire, data breach, or hardware defect, our data centers are protected against many hazards. At regular intervals, SAP’s data center technology and infrastructure are tested and certified.
SAP cloud services are provided in various data centers worldwide. For detailed information, please visit the data center location map.
The key to success of the SAP data center lies in the robust design of every individual component and in the redundancy of critical components. Find out more about power supply, cooling, and controlled access.
Electronic components – and especially the processors – generate heat when in operation. If it is not dissipated, a processor’s efficiency decreases, in extreme cases, to the point that the component could fail. Therefore, cooling is essential for data center operations.
The SAP cloud contract consists of 4 building blocks: the order form, cloud service description, data processing agreement, and general terms and conditions. The order form, data processing agreement, and general terms and conditions are basically the same for any cloud service on SAP’s price list while the cloud service description is a product-specific collection of documents.
The supplement determines additional product-specific terms, contains additional information on the usage metrics, and describes multiple cloud services in one supplement.
Service Level Agreement (SLA) determines the system availability of the cloud services and defines the service credits in case SAP fails to meet the SLA, and describes the maintenance windows for each Cloud Service.
General terms and conditions (GTC) contain the legal terms on your usage rights, determines ownership rights to the customer data, and defines warranties, limitation of liability and confidentiality.