SAP Trust Center

Find the information you need on security, compliance, privacy, and cloud service performance.

SAP Compliance Offerings - Explore Certificates, Reports, and Attestations

At SAP, we keep our finger on the pulse of ever-increasing security challenges by building a security foundation based on industry standards and compliance and regulatory requirements. View SAP’s latest security compliance offerings and reports.

Compliance resources

Additional access to documentation

The support portal edition of the SAP Trust Center extends the public offering by granting access to additional information, documents, and other content available only to SAP customers and partners with a valid SAP user ID. Sign in and learn more.

Ethics and compliance at SAP

By doing business the right way, in accordance with our Global Code of Ethics and Business Conduct, SAP can positively impact social and economic development, furthering education, justice, democracy, prosperity, development, and health worldwide. 

Security Compliance

Security compliance focuses on ensuring an organization acts in accordance with security requirements based on laws, regulations, industry standards, and the organization’s published policies.

Cloud Delivery Processes

Get insights into our cloud delivery processes and the ways they support critical business operations for cloud services.

Compliance FAQs

Since 1998, SAP has held an ISO 9001 certificate. We are also certified according to ISO 27001, ISO 22301, and BS 10012. All locations worldwide work according to one common process framework, including data security and privacy regulations. We regularly check compliance through internal reviews and audits.

It specifies a framework for implementing a personal information management system (PIMS) in compliance with the General Data Protection Regulation (GDPR) and mandates the implementation of such a system within corporate security programs. It describes a framework to manage the privacy of personal data and implement necessary policies, procedures, and controls to help ensure compliance with the GDPR.

The SOC 1 report covers all live customer systems during the audit cycle. It provides information about controls at a service-organization level that is relevant to the customer's internal control over financial reporting, known as IT general controls.

IT general controls cover:  

  • IT strategy
  • Environment and organization
  • Logical and physical access controls
  • Program development 
  • Change management
  • Computer operations such as incident management, backup, and monitoring

The SOC 2 report provides the management of a service organization, customers, and others with a report about the controls of a service organization that is relevant to the security, availability, and processing integrity of its system and the confidentiality and privacy of the data processed by that system. While security is always assessed in each SOC 2 report, management may decide to scope in other criteria, known as trust services criteria (TSPs).

These additional TSPs are:

  • Confidentiality
  • Integrity
  • Availability
  • Privacy

Our current certification portfolio includes BSI C5 (Cloud Computing Compliance Controls Catalogs), CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk), ISO 22301:2021 (Business Continuity Management), ISO/IEC 27001:2013 (Information Security Management System), ISO/IEC 27017:2015 (Code of practice for Cloud service information security), ISO/IEC 27018:2019 (Code of practice for Personally identifiable information in public clouds), ISO 9001:2015 (Quality management systems), PCI-DSS (Payment Card Industry Data Security Standard), SOC1, SOC2 Report (System and Organization Controls Report), and TISAX (Trusted Information Security Assessment Exchange).

Bridge letters are intended to cover the gap between the end date of the referenced report and the issue date of the bridge letter. Bridge letters provide customers with information as to whether there have been any significant changes to their controls environment that could adversely impact the conclusions reached in the most recently completed SOC examination. Bridge letters are available on request on the SAP Trust Center.
