SAP Trust Center
Data protection and privacy
We respect each individual’s privacy. Our policies and data processing agreements help us abide by relevant laws worldwide.
Additional access to support documents
My Trust Center
The support portal addition to the SAP Trust Center extends the public offering by granting access to additional documentation available only to SAP customers and partners with a valid SAP user ID.
- View our subprocessors list
- Learn about data protection and privacy for SAP products, cloud services, professional services, and support
Data protection and privacy FAQs
As a business-to-business enterprise application provider, SAP receives few requests from government agencies or similar parties (“Requesting Party”) requiring SAP to produce or disclose information that contains or includes any customer data (“Request”). In all cases where SAP receives Requests, SAP will advise the Requesting Party that all customer data stored in any SAP customer cloud system belongs to the customer, not to SAP, and that such data is confidential, and that SAP cannot and will not produce or disclose any such information to the Requesting Party without first complying with its contractual obligation to provide notice to the customer about the Request to give the customer an opportunity to consent or to object and seek an appropriate protective order.
If the Requesting Party prohibits SAP from providing such notice to the customer, then SAP will try to challenge the Request if it is invalid or unlawful. If the competent court issues a ruling that compels SAP to comply with a Request without prior notice to the customer, SAP will challenge such ruling to the extent recourse is available and SAP has a good faith basis under existing applicable law to challenge the ruling. If no such recourse exists, or if SAP’s attempt to challenge the ruling on appeal is not successful, SAP will make all reasonable efforts to narrow the scope of the Request to the extent permitted under applicable laws before complying with it.
SAP carefully evaluates the security, privacy, and confidentiality practices of a subprocessor prior to retention. All SAP subprocessors enter into a written agreement with SAP that includes data privacy and security terms. SAP also provides lists of subprocessors by SAP product or service, which customers can access on a self-service basis at any time through the SAP Trust Center site. These lists include details on the location and country of each subprocessor per product or service. Customers can subscribe to subprocessor lists and receive e-mail notifications of changes.
The determination of whether to conduct a DPIA or TIA rests with the controller of personal data. SAP acts as processor within the scope of its provision of SAP products and services to customers. However, SAP will cooperate with customers as necessary and provide customers with reasonable information to assist the customer in its completion of a DPIA or TIA.
The supplementary measures identified in the final recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data as issued by the European Data Protection Board (EDPB) are designed to enable transfer mechanisms (such as the SCCs) to provide an “essentially equivalent” protection.
The EDPB’s recommendations divide supplementary measures into three groups – technical, organizational, and contractual measures. SAP implements appropriate technical and organizational measures (TOMs) to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration.
SAP has implemented controls, policies, and procedures, as further described in SAP’s TOMs that are part of its DPAs, which can be found in SAP Trust Center. SAP also maintains multiple industry-standard third-party certifications and audit reports as described in SAP’s DPAs, which customers can request at any time on a self-serve basis through SAP Trust Center.
The EDPB guidance also describes the need for contractual commitments to provide transparency about, for example, processing locations, applicable laws, and government demands for data. These requirements are addressed in SAP’s existing agreements and were enhanced in SAP’s updated DPAs.
When the provision of products and services by SAP to its customers involves the international transfer of EU/EEA personal data to “Third Countries” (such as countries, organizations, or territories not acknowledged by the EEA/EU under Article 45 of the GDPR as a safe country with an adequate level of protection), SAP relies on the Standard Contractual Clauses as issued by the European Commission to legitimize such transfers.