Besides the physical security of a data center, which is ensured through structural measures and various types of fail-safe equipment, customers must certainly wonder about data security; not only to satisfy their own curiosity, but also to fulfill legal requirements.

A customer using any of SAP’s cloud solutions generally has the following questions:

Where is my data?

  • SAP cloud customers specify in their contract which data center they want to use as the “data location.” For SAP Business ByDesign, for example, these locations are St. Leon-Rot (Germany) or Newtown Square, Pennsylvania (USA). SAP HANA Enterprise Cloud is based in St. Leon-Rot (Germany) and Amsterdam for European customers and Sterling, Virginia, and Santa Clara, California, for customers located in the USA.
  • The data persistence, and thus its “service life,” will not change unless the customer requests a change.
  • Backups are always located in the same jurisdiction as the data that is used in day-to-day operations, but for security reasons, the two are physically separated.

Is my data disseminated?

  • No. Third-party use of customer data is not part of SAP’s business model for the cloud. In contrast to end-user cloud services (such as social networks), a high security level is at the core of SAP’s cloud business.
  • SAP reserves the right to analyze and graphically map the utilization pattern of users in order to increase availability and service security. However, SAP will never store personal data or analyze customers’ business data.
  • All SAP employees are individually and contractually required to comply with data protection and information privacy provisions.

How do SAP employees access my data?

This depends on the cloud solution the customer uses. SAP Line of Business cloud solutions and SAP Business ByDesign follow this approach:

  • As the operator, SAP must grant its employees access to customer data when needed for maintenance and fault-correction purposes. To this end, dedicated terminal servers are provided for which employees receive individual accounts.
  • All access is limited to one hour.
  • Support-related access is approved only upon request, and only with a password that is generated for each particular situation. This prevents the dissemination and use of conventional passwords.

For SAP HANA Enterprise Cloud, different options are offered. The extent of support provided by SAP differs by offering. SAP ensures that support personnel can only access customer data if necessary and requested by the customer. There are no generic support users with unlimited access authorization.

Who are the subcontractors?

  • The list of subcontractors is shared with customers prior to signing the contract. If there are any changes, customers are promptly notified.
  • Among its contractual partners, SAP differentiates between those without data access (“subcontractors”) and those with data access (“subprocessors”). Subprocessors located outside of Europe are employed according to EU model clauses. All external employees must, regardless of where they work, also sign individual confidentiality and privacy statements (CPS).

What verification options do I have?

  • The SAP cloud is inspected several times a year by external auditors, in accordance with various standards (including ISO 27001, ISAE-3402, and SSAE-16) to ensure that the security organization as well as all technical and organizational measures are implemented and reflect state-of-the-art technology. These certificates and audit reports may be shared with customers, although this may require signing a non-disclosure agreement (NDA).
  • Every year, SAP invests more than €500,000 to audit the SAP cloud. This expenditure is necessary to meet the legally mandated audit assistance obligation.
  • Customer-specific, on-site audits extending beyond this scope can also be conducted.

SAP cloud customers can entrust their data to SAP with a clear conscience.

The data is not stored “somewhere in the cloud,” but in clearly agreed-upon locations. No one has blanket access to the data, and comprehensive audits ensure that all technical and organizational measures are complied with and implemented.