
Frequently Asked Questions

Search the list below to find answers to frequently asked questions on topics such as cloud data privacy, security, compliance, and agreements.

Cloud Security

How does cloud security differ from on-premise security?

According to security analysts, and contrary to popular belief, cloud security standards are surpassing traditional on-premise security standards. Key security concerns are the same in the cloud or on premise, and include the risk of external attack or malicious insider activity.


Running on a software-defined infrastructure, cloud solutions enable you to implement security measures at greater scale if you map your existing security controls to those provided in the cloud. Another clear advantage of the cloud is increased agility in addressing security concerns and reduced cost for researching, developing, and deploying new security features throughout the stack.

Do I need to configure security settings for my instance or tenancy, or just rely on SAP?

SAP has put in place a data processing agreement and technical and organizational data-protection measures that provide robust security for every customer instance and tenancy. In addition, customers can configure their own security settings, with options including single sign-on (SSO), multifactor authentication, access control policies and role-based access, and review of the application log.

What is SAP's cloud security strategy?

At SAP, we have a plan-do-check-act approach to security, constantly adjusting to customer needs and to a rapidly changing threat landscape. Our security strategy has three cornerstones: secure products, secure operations, and a secure company. We also have an overarching commitment to transparency.

Have any external parties assessed SAP’s security measures? If yes, where can I find the certificates?

Yes. To find our system and organization controls (SOC) reports, as well as ISO certification details, visit the SAP Cloud Trust Center compliance page.

Security Policy

What are SAP's security policies?

We follow a security policy framework that includes several levels of security documentation, each containing more detail on our global security policy. Key documents include SAP Security Policy, SAP Security Standards, SAP Security Procedure and Directive, and SAP Security Good Practices.

What is SAP's security response process?

Our security incident response process is described in a document on SAP security concepts and implementation. Read the document.

How can I report a security incident or a suspected security issue?

Customers can report any security-related issue or suspicious activity to SAP. Learn how to file a report.

How does SAP handle security requirements for contractors and subcontractors?

Sub-processors are required to follow our security policy. See the list of sub-processors for SAP. Customer login required. 

Do SAP employees participate in ongoing security training?

Regular security awareness training is mandatory for all SAP employees. Additional role-specific training is also provided for some employees.

Cybersecurity

What do these security terms mean?
• Redundancy
• Penetration testing
• Hashing
• SQL injection (SQLi)
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)

Redundancy is a system design where a component is duplicated as a backup measure. Reliability improves with the use of multiple redundant sites, which helps ensure that well-designed cloud computing solutions meet business continuity and disaster recovery requirements.


Penetration testing is an authorized simulated cyberattack against a system, performed to evaluate the security of the system by safely trying to exploit vulnerabilities.


Hashing is the use of an algorithm to generate a short string of characters (the hash, or digest) from an input of any length, whether numbers or text. The string created is of a fixed length and changes whenever the input changes, even slightly. With a good hashing algorithm, it is computationally infeasible to turn a hash back into its original input.
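The three properties named above (fixed-length output, output that changes with the input, and one-way operation) can be observed directly. The following Python script is an added example, not code from the SAP page; it uses only the standard library, and the sample inputs are constructed for the demonstration. It also shows the defender's everyday use of a hash: checking a file or download against a published digest with a constant-time comparison.

```python
import hashlib
import hmac

# Constructed sample inputs of very different lengths (not from the page).
SAMPLE_INPUTS = [b"", b"hello", b"hello world" * 1000]


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hash `data` and return the hex digest; its length depends only on the algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_length_is_fixed(inputs, algorithm: str = "sha256") -> bool:
    """True when every input, empty or very long, yields a digest of the same length."""
    return len({len(digest_hex(i, algorithm)) for i in inputs}) == 1


def differing_hex_positions(a: str, b: str) -> int:
    """Count hex positions that differ between two digests of equal length.

    A one-byte change in the input scrambles roughly 15 of every 16 positions,
    which is the 'changes according to variations in input' property.
    """
    return sum(1 for x, y in zip(a, b) if x != y)


def integrity_check(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Defender's use: compare a freshly computed digest against a published one.

    hmac.compare_digest runs in constant time, so the comparison itself does not
    reveal how many leading characters matched.
    """
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex.lower())


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(f"{len(sample):6d} bytes -> {digest_hex(sample)}")
    print("fixed length:", digest_length_is_fixed(SAMPLE_INPUTS))
    print("hex positions changed by a one-byte edit:",
          differing_hex_positions(digest_hex(b"hello"), digest_hex(b"hellp")))
```

Note that a plain hash is not a password store: for credentials, a slow, salted construction such as PBKDF2, bcrypt, scrypt or Argon2 is used instead, precisely because a fast digest can be tried at very high rates.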


SQL injection (SQLi) is an attack in which malicious SQL statements are inserted into an application's database queries to manipulate the database. The malicious input can be entered by a user through the user interface or supplied by an external program through a parameter interface such as an API.
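The root cause, and the standard fix, are easiest to see side by side. The following is an added Python example, not code from the SAP page: an in-memory SQLite table with constructed sample rows, one lookup that splices the untrusted value into the SQL text, and the hardened lookup that binds it as a parameter so the database always treats it as data.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    """Deliberately vulnerable: the untrusted value becomes part of the SQL text,
    so a crafted input can change the statement's structure, not just its data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    """Hardened: a bound parameter is always a value, never SQL, whatever it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    # Constructed probe input: harmless as a value, but it rewrites the WHERE clause
    # when concatenated into the statement.
    probe = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))  # returns every row
    print("safe:      ", find_user_safe(db, probe))        # no user has that name
```

The same rule applies to ORMs and stored procedures: any place where untrusted text is concatenated into a query is an injection point, and the defence is parameter binding plus least-privilege database accounts so that a successful injection cannot reach beyond the tables the application needs.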


Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in Web applications. It includes all vulnerabilities that allow an attacker to inject HTML or JavaScript into the affected Web application's front-end client. In the majority of cases, XSS is due to insecure programming.
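The "insecure programming" in most XSS cases is untrusted text written into HTML without encoding for the context it lands in. The following Python example is added here and is not code from the SAP page; the inputs are constructed. It contrasts a rendering function that interpolates user text directly with one that encodes it for an element body and for a quoted attribute value.

```python
import html

# Constructed untrusted inputs (not from the page): one contains markup aimed at
# the element body, the other a quote that would end an attribute value early.
UNTRUSTED_BODY = "<b>hi</b>"
UNTRUSTED_AUTHOR = 'ann" extra="'


def render_comment_vulnerable(author: str, body: str) -> str:
    """Deliberately vulnerable: untrusted strings go straight into the markup."""
    return f'<p class="comment" data-author="{author}">{body}</p>'


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: encode for the output context. html.escape converts <, >, & and,
    with quote=True, the quote characters that could close an attribute."""
    return (
        f'<p class="comment" data-author="{html.escape(author, quote=True)}">'
        f"{html.escape(body, quote=True)}</p>"
    )


def survives_verbatim(rendered: str, untrusted: str) -> bool:
    """Regression check: does the untrusted string appear unchanged in the output?"""
    return untrusted in rendered


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_AUTHOR, UNTRUSTED_BODY))
    print(render_comment_safe(UNTRUSTED_AUTHOR, UNTRUSTED_BODY))
```

Escaping is context-specific: text placed inside a script block, a URL, or a CSS value needs its own encoder, and a templating engine with auto-escaping on by default removes the chance of forgetting it. A Content Security Policy is the usual second layer that limits what an injected script could do.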


Cross-site request forgery (CSRF) is an attack that tricks a victim’s browser into sending a request to a vulnerable Web application, which then performs an undesired action on behalf of the victim. This may include changing credentials, making an illegal purchase, or performing an online financial operation.
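CSRF works because the browser attaches the victim's session cookie to any request, including one a third-party page triggers. The standard mitigation is to require, on every state-changing request, a value that a third-party page cannot obtain: a token bound to the session. The following Python example is added here and is not code from the SAP page; the session identifiers, form fields and the server secret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real service loads it from
# protected configuration and never sends it to the client.
CSRF_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint a token tied to one session: a random nonce plus an HMAC over session and nonce.

    The token is embedded in the page's own forms, so a page on another origin
    cannot read it and therefore cannot forge a request that passes the check.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare it in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id: str, form: dict) -> tuple:
    """A state-changing endpoint. The session cookie alone proves nothing about
    who built the request; the token does, so it is checked before acting."""
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    return (200, f"transferred {form.get('amount')}")


if __name__ == "__main__":
    token = issue_csrf_token("sess-1")
    print(handle_transfer("sess-1", {"amount": "10"}))                       # forged: no token
    print(handle_transfer("sess-2", {"amount": "10", "csrf_token": token}))  # token from another session
    print(handle_transfer("sess-1", {"amount": "10", "csrf_token": token}))  # legitimate
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control, and frameworks usually ship this token pattern built in; the point of hand-rolling it here is only to show what the check has to prove.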

How does SAP protect my information against cyberattacks?

SAP security management processes are aligned with ISO/IEC 27001 and ISO/IEC 27035:2011 principles and apply to all cloud personnel around the world. We strive to maintain a high level of protection for all data resources and to reduce the overall threat to computer, technology, and communications services.

The objective of our information security policy is to define our goals for the management of information security in accordance with business requirements and relevant laws and regulations. This helps ensure that we implement and sustain appropriate levels of security protection, such as threat management, penetration testing, and secure development lifecycles. In this way, we can maintain the confidentiality, integrity, and availability of our infrastructure, applications, and information. To learn more about cybersecurity, visit the SAP Cloud Trust Center security page.

Does SAP encrypt data in transit?

All SAP cloud systems are configured to use secure communication in accordance with the protection requirement of the transmitted information. This includes encryption for data in transit and data at rest.

Does SAP encrypt data at rest?

All SAP cloud storage systems processing sensitive data employ data-at-rest encryption.

Does SAP encrypt all data transmissions, including all server-to-server data transmissions, within data centers?

All sensitive data is encrypted at rest and in transit.

How does SAP manage encryption keys?

SAP has robust controls and procedures in place for key management. We follow recommendations provided by the National Institute of Standards and Technology (NIST) whenever technically feasible. For symmetric encryption, the key is at least 128 bits. For asymmetric encryption, it is at least 2048 bits.

Keys are created and distributed using a secure channel. In addition, segregation-of-duty rules are maintained in master key creation, where the process of key splitting between the master key and key parts is not carried out by different people.

Public keys are stored in a central register, while private keys may only be made accessible to a specific user. SAP also has procedures in place to ensure key storage follows confidentiality and integrity principles.

Keys are revoked when they reach the end of their lifetime. In addition, keys are revoked immediately if a key has been compromised or contains incorrect data.

What is SAP's position regarding the Meltdown and Spectre processor vulnerabilities?

SAP is taking a proactive approach in fixing potential flaws related to Meltdown and Spectre. See details on security, data protection, and privacy at SAP. 

Does SAP have a dedicated cybersecurity team?

Yes, the cybersecurity team within SAP is responsible for security incident management and vulnerability testing to protect against cyberthreats and cyberattacks.

Cloud Agreements

Why are countries not listed in cloud services agreements?

We issue product supplements, support policies, service level agreements, and data processing agreements based on languages. The agreements do not include country-specific legal details. Other cloud documentation, such as general terms and conditions, contain language specific to laws and requirements for conducting business in individual countries. Accordingly, some agreements are available based on language only, and others are available based on language and country.

Why is my language not listed in the agreement finder?

SAP supports 14 languages for cloud services. The languages are as follows:  

  • Chinese (simplified) 
  • Chinese (traditional) 
  • English 
  • French 
  • French (Canada) 
  • German 
  • Indonesian 
  • Italian 
  • Japanese
  • Korean
  • Portuguese (Brazil) 
  • Russian (as needed) 
  • Spanish
  • Turkish

If a country's language is not listed, we usually use the English version.

We release some cloud services in fewer languages, due to limited usage of the cloud service, or because the release is a pilot. We may then add other supported languages at a later date.

Cloud Data Protection and Privacy

What regulations are applied to personal data stored and processed in a customer’s cloud subscription?

As a German company, SAP SE follows the European Union (EU) Privacy Directive and the German Federal Data Protection Act. The SAP data protection agreement acts as the legal basis for commissioned data processing and is based on both regulations.

Does SAP have an appointed data protection officer?

At SAP, we have always viewed the designation of a data protection officer (DPO) as a central part of our data protection strategy. Furthermore, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.

Is the SAP data protection agreement applicable only to your data center in Europe?

The SAP data protection agreement and the treatment of personal data it describes apply globally to all SAP data center and processing locations.

How does SAP ensure that sub-processors protect my personal data?

Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.

How does SAP ensure appropriate security for the storage and processing of personal data?

SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.

How does SAP provide evidence of compliance with its TOMs?

Depending on the relevant service, SAP provides evidence to the customer by way of certifications that show compliance with ISO 27001 or other standards such as ISAE3402 and ISAE3000.

Does SAP also hold a specific certificate related to data privacy?

SAP has established and implemented a data protection management system (DPMS), based on the British Standard BS 10012:2009. The DPMS is audited annually by internal and external auditors. Evidence is provided through the certificate and a customer audit report.

Does SAP have regional cloud services?

Yes, we provide the EU Access service from SAP for some of our cloud services. EU Access helps ensure that personal data is stored only in data centers within the European Economic Area, the European Union, and Switzerland. Furthermore, remote access to personal data is restricted to locations within these countries.

Cloud Service Status

Why are some cloud services missing in the product selection?

We integrate our cloud portfolio into our cloud service status information incrementally, so the service you are looking for may not yet be added.

What type of uptime and availability information is available for cloud services from SAP?

Cloud service status information provides data on the performance of cloud services across all SAP data centers around the world. This includes details of scheduled maintenance due to service degradation (such as latency or performance issues) through service disruption due to outage or downtime.

How long does a scheduled maintenance window last?

By clicking on the icon in the calendar view of the cloud service status screen, you can find the duration of each maintenance event. This also applies to scheduled maintenance. You can find further information on maintenance windows in the service level agreements in the agreements section.

Data Center Security

Is there network latency across public and private clouds?

SAP public cloud solutions and their integrations with SAP ERP Central Component (SAP ECC) and SAP S/4HANA are stateless, so network latency is not a major concern.

Is there network latency with solutions that are across multiple data centers?

Network latency depends on various factors, so no precise information can be provided at a general level. For more detail, we recommend you involve the SAP technical solution architect who works with your customer case.

At the cloud data center level, if the solutions are in different data centers, can you explain how integration, security, performance, fail over, among others work?

All communication between data centers is encrypted using reasonable industry measures. The details of the implementation vary by solution and data flow. For more information, we recommend you involve the SAP technical solution architect who works with your customer case.

What are SAP's backup retention procedures?

We conduct backups in the form of a disk-to-disk copy, which enables rapid data creation and recovery. In addition to full backups done on a daily basis, we create interim backup versions several times each day. As with all our backups, we archive these at a secondary location for security purposes.

What certification standards do SAP data centers fulfill?

SAP data centers participate in enterprise-wide internal and external ISO 27001 audits that take place annually. Furthermore, our data centers are also an integral part of our SOC 1 (ISAE 3402) and SOC 2 reporting, which takes place twice a year. 

How is access to the data center monitored and logged?

SAP data centers are monitored around the clock with video cameras at every entry point. We use these cameras to record and monitor each access event and log this in our access system for 90 days. 

What are the physical security measures in place for SAP data centers?

SAP data centers are monitored around the clock. Single-person access and "mantrap" systems provide access only to authorized individuals. Technicians can enter special rooms using custom-configured ID cards. High-sensitivity areas require authentication by means of biometric scans. Our data centers offer:

  • Video monitoring and traceability of access to the premises
  • Redundant climate control with environmental monitoring of gas, moisture, heat, and water
  • Fire alarms with automatic fire-fighting equipment
  • Uninterruptible power supply equipment that is regularly tested against simulated power outages
  • Compliance with recognized industry standards of physical security and reliability, including ISO/IEC 27001:2013, and ISO27000 for facilities and data center operations.

In which region or country is my data stored? Where is my backup stored?

We store your data in one of our many SAP data centers.

Penetration Tests and Vulnerability Scans

Does SAP implement penetration tests?

Yes, we scan all our public cloud systems – including all Internet-facing systems, such as firewalls, load-balancers, and Web application servers – regularly to evaluate the cybersecurity strength of our cloud infrastructure. 

Does SAP perform vulnerability scans?

As part of our continuous validation activities, we regularly carry out both internal and independent vulnerability scans for our public cloud offerings. This enables us to identify, assess, and mitigate known vulnerabilities.

How often are the vulnerability scans performed?

Vulnerability scans are performed regularly. 

Guidelines and Audits

Are there any data protection guidelines?

Yes. Data protection guidelines form an element of the SAP security policy, the SAP security standard on data protection, as well as the document "SAP Global Personal Data Protection and Privacy Policy." Our data protection management system consists of data protection work instructions, regulations, and guidelines for all organizations in SAP.

Have processes for compliance with data protection laws and regulations been defined to help ensure the confidentiality and security of customer data?

A wide range of measures helps to ensure the confidentiality of customer and personal data. Current processes and standards for maintaining data protection laws are described in the section “General Security at SAP” and “Maintaining Confidentiality While Handling Personal Data." Data protection in relation to customer incidents is described in the section “Security in the SAP Digital Business Services Organization.”

Are there regular checks to monitor compliance with the SAP security policy?

A wide range of internal ISO 9001 and ISO 27001 audits are conducted to regularly check whether SAP employees adhere to the global policies and standards. This level of compliance to the security policy is monitored thoroughly. All audit activities are centrally organized by the responsible auditing organizations and conducted by certified internal auditors with the support of the central SAP security department.

Does SAP have an information security team that oversees the implementation of the SAP security policy?

All managers are responsible for implementing the security policy within their respective organizations. The central security department, the audit team, and decentralized security units within SAP help managers in this process. Managers are informed about the performance and current implementation status of information security management systems in regular management reviews.

Is there a code of business conduct for employees?

Yes, there is a code of business conduct applicable to all SAP employees.

How are security incidents managed?

Security incidents at SAP are systematically documented and forwarded to the relevant officer. This security incident management process is described in detail in the information in “Protecting Information in Individual Incidents” in both the “General Security at SAP” and “Security in the SAP Digital Business Services Organization” sections.

Does SAP have guidelines on classifying information?

The SAP security guideline “Global Information Classification and Handling” outlines how information is classified.

Is access to customer data restricted to specific employees, and is the distribution of such information prohibited?

Yes. SAP has guidelines and processes that govern access to customer data. In particular, such access is restricted by a dedicated authorization process. See also the SAP security guideline “Information Classification.” This guideline also specifies rules regarding the forwarding or publishing of confidential or sensitive information.

Are there any certificates that are accessible to customers?

Yes. To access SAP certifications at any time, visit the SAP Cloud Trust Center compliance page.

Is there an ISO 27001 certificate for information technology?

Yes, SAP possesses several ISO 27001 certificates.

Is there a specific certificate for data protection?

Yes. Our compliance with data protection guidelines for personal information is certified by the German Federal Office for Information Security (BSI). To learn more, visit the SAP Cloud Trust Center compliance page.

Compliance

What is the difference between a SOC 1, SOC 2, and SOC 3 reporting?

The SOC 1 report covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that is relevant to the customer's internal control over financial reporting (also known as IT general controls).

IT general controls cover:
  • IT strategy
  • Environment and organization
  • Logical and physical access controls
  • Program development
  • Change management
  • Computer operations such as incident management, backup, and monitoring

The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust center criteria (TSPs).


These additional TSPs are:

  • Confidentiality
  • Integrity
  • Availability
  • Privacy

The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a service organization, such as those related to security, availability, processing integrity, confidentiality, or privacy, but who do not require, or lack the knowledge to make effective use of, a SOC 2 report. This report is intended for marketing purposes and is available for unrestricted use and distribution.

What is the difference between a type 1 and type 2 report?

SOC 1 and SOC 2 reports can be delivered in two types:

  • Type I: These reports describe the design of the in-scope controls. The control design is assessed as of a specific date.
  • Type II: These reports also include testing of the operational effectiveness of the in-scope controls. Population samples for each control are tested based on the frequency with which the control operates. Populations are based on a six-month period.

Why can't my customer or prospect have an SOC 1 report?

The SOC 1 report is distributed only to customers that were productive, had financially relevant systems during the audit period covered by the report, and need the report for their financial audits. These customer systems must be properly recorded as such in our various reporting and asset management tools; otherwise, the customer will not be sent the report.

What compliance certifications and attestations are SAP cloud services assessed for?

SAP has obtained the following certifications for its cloud solutions: BS 10012, C5, CSA STAR, ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27018, GxP, PCI DSS, SOC 1, SOC 2, SOC 3, and TISAX. Not all cloud solutions from SAP maintain all of these listed certifications. Please check the Compliance Finder on the SAP Cloud Trust Center for the specific availability of certifications for each cloud solution.

Does SAP comply with SSAE 16, SSAE 18, SAS70, and ISAE 3402?

All these standards are auditing standards for SOC 1 reports. The standards SAS70 and SSAE 16 are outdated and have been replaced by SSAE 18. SSAE 18 is the auditing standard developed by the American Institute of Certified Public Accountants (AICPA) and ISAE 3402 is the corresponding international auditing standard developed by the International Auditing and Assurance Standards Board (IAASB). Our SOC 1 reports follow the ISAE 3402 standard but are also aligned to SSAE 18 and cover the differences between SSAE 18 and ISAE 3402.
