SAP Enterprise Cloud Services SOC 2 Audit Report 2025

Please Note: Starting from 2025 H1, SAP will release new SOC 1, SOC 2 and C5 audit reports called “SAP Central Cloud Services” comprising of SAP Cloud Services (IaaS, PaaS, SaaS) and SAP central services. Customers will automatically receive a copy of this audit report in addition to the requested report(s) to assess relevant controls of the internal subservice organization “SAP Central Cloud Services” as outlined in Section III.

​Learn More: Digital Resources & Enablement

  • RISE with SAP S/4HANA Cloud, Private Edition

  • RISE with SAP S/4HANA Cloud, Private Cloud, Tailored Option including Customer Data Center Option

  • SAP HANA Enterprise Cloud Credit & Overage, Advanced Edition including Customer Data Center Option Bring your own license (BYOL)

  • SAP S/4HANA Cloud, Extended Edition

  • Single Tenant Edition

  • Cloud Private Option

  • Cloud Private Edition

  • SAP Credit & Overage HANA Enterprise Cloud Advanced Edition (Subscription)

  • SAP HANA Enterprise Cloud Advanced Edition (Subscription)

  • SAP HANA Enterprise Cloud Classic (Subscription and BYOL)

Services are offered on SAP infrastructure, Amazon Web Services, Microsoft Azure or Google Cloud Platform.  A detailed list of locations of the data centers are available within the report. RISE with SAP S/4 HANA Cloud, Private Edition, Private Cloud, Tailored Option, as well as the predecessors, SAP S/4 HANA Cloud Extended Edition, SAP HANA Enterprise Cloud Advanced Edition, SAP HANA Enterprise Classic and SAP Credit & Overage HANA Enterprise Cloud Advanced Edition are fully scalable and secure private managed cloud solutions available only from SAP. It empowers organizations to unlock the full value of SAP Enterprise Cloud Services in the cloud — accelerating growth and innovation, driving IT and business transformation, quickly delivering business outcomes, and reducing risk. SAP S/4 HANA Cloud, Extended Edition Service is using the SAP Enterprise Cloud Services architecture and processes but includes also specific SAP products, use rights and services.

 

The SAP Enterprise Cloud Services reference architecture helps the customer to use flexible services for modular and rapid deployment.  SAP ECS is offered in the primary data center locations:

  • Australia: Sydney

  • Canada: Toronto

  • Germany: Frankfurt

  • Germany: St. Leon-Rot

  • Germany: Walldorf

  • Japan: Osaka

  • Japan: Tokyo

  • Netherlands: Amsterdam

  • USA: Ashburn, VA

  • USA: Colorado Springs, CO

  • USA: Santa Clara, CA

  • USA: Sterling, VA

Amazon Web Services

  • Asia-Pacific (Malaysia)

  • Australia: Melbourne

  • Australia: Sydney

  • Bahrain

  • Brazil: São Paulo

  • Canada: Calgary

  • Canada: Central

  • China: Beijing

  • China: Hong Kong

  • China: Ningxia

  • France: Paris

  • Germany: Frankfurt

  • India: Hyderabad

  • India: Mumbai

  • Indonesia: Jakarta

  • Ireland

  • Israel: Tel Aviv

  • Italy: Milan

  • Japan: Osaka

  • Japan: Tokyo

  • Singapore

  • South Africa: Cape Town

  • South Korea: Seoul

  • Spain

  • Sweden: Stockholm

  • Switzerland: Zurich

  • Thailand: Bangkok

  • UK: London

  • United Arab Emirates

  • USA: N. Virginia

  • USA: Ohio

  • USA: Oregon

Google Cloud Platform

  • Australia: Melbourne

  • Australia: Sydney

  • Belgium: St. Ghislain

  • Brazil: São Paulo

  • Canada: Montreal

  • Canada: Toronto

  • Chile: Santiago

  • China: Hong Kong

  • Dammam (Saudi Arabia)

  • Finland: Hamina

  • France: Paris

  • Germany: Berlin

  • Germany: Frankfurt

  • India: Delhi

  • India: Mumbai

  • Indonesia: Jakarta

  • Israel: Tel Aviv

  • Italy: Milan

  • Italy: Turin

  • Japan: Osaka

  • Japan: Tokyo

  • Netherlands: Eemshaven

  • Poland: Warsaw

  • Qatar: Doha

  • Singapore: Jurong West

  • South Africa: Johannesburg

  • South Korea: Seoul

  • Spain: Madrid

  • Switzerland: Zürich

  • Taiwan: Changhua County

  • UK: London

  • USA: Ashburn, VA

  • USA: Columbus, OH

  • USA: Council Bluffs, IA

  • USA: Dallas, TX

  • USA: Las Vegas, NV

  • USA: Los Angeles, CA

  • USA: Moncks Corner, SC

  • USA: Salt Lake City, UT

  • USA: The Dalles, OR

Microsoft Azure

  • Australia: Canberra

  • Australia: New South Wales

  • Australia: Victoria

  • Brazil: Rio de Janeiro

  • Brazil: São Paulo

  • Canada: Quebec City

  • Canada: Toronto

  • China: Hebei

  • China: Hong Kong

  • China: Jiangsu

  • China: Shanghai

  • France: Marseille

  • France: Paris

  • Germany: Frankfurt

  • Germany: North

  • India: Chennai

  • India: Pune

  • Ireland: Dublin

  • Israel

  • Italy: Milan

  • Japan: Osaka

  • Japan: Tokyo

  • Mexico: Querétaro

  • Netherlands: Amsterdam

  • Norway: Oslo

  • Norway: Stavanger

  • Poland: Warsaw

  • Qatar: Doha

  • Singapore

  • South Africa: Cape Town

  • South Africa: Johannesburg

  • South Korea: Busan

  • South Korea: Seoul

  • Spain: Madrid

  • Sweden: Gävle

  • Switzerland: Geneva

  • Switzerland: Zürich

  • UK: Cardiff

  • UK: London

  • United Arab Emirates: Abu Dhabi

  • United Arab Emirates: Dubai

  • USA: Arizona

  • USA: California

  • USA: Illinois

  • USA: Iowa

  • USA: Quincy, WA

  • USA: Texas

  • USA: Virginia

SOC 2 reports are prepared in accordance with AT-C Section 205, Examination Engagements under Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification.  SOC 2 reports fulfill various information and assurance needs of customers and aim to place trust in SAP’s service organization systems, processes, and controls.  These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to Security, Availability, and Processing Integrity of the systems that are used to process users’ data and the Confidentiality and Privacy of the information processed by these systems (AICPA, Trust Services Criteria).  Additionally, they can play an important role in the oversight of the organization, vendor management programs, and regulatory oversight.  Please note that this examination's scope does not include the controls of any subservice organizations.  SOC 2 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC 2 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.

 

SAP Enterprise Cloud Services has prepared SOC 2 Type 2 audit report by an independent 3rd party accountant. This version of the report covers as of the audit period 1. April 2024 to 31. March 2025, and the trust principles Security, Availability, Confidentiality, and Privacy.