SAP Cloud and Data Security

The cloud offers many advantages: it does not require a large investment in hardware and software licenses, and it offers a very flexible infrastructure that can be adjusted quickly to fulfill new requirements. In addition, employees can access the same data from anywhere at any time. The installation and maintenance of the IT systems is not done at the company, but is outsourced and handled by specialists.

However, there are still reservations about cloud solutions, especially when the concern is security: Where is the data? Who has control over this data? Especially if companies store their core processes and data in the cloud, these questions are justified. SAP has been hosting data for on-premise customers for more than 40 years. This experience is also reflected in the handling of its cloud customers' data.

Where is my data?

As the customer, you specify in the contract which computer center you would like to use as your "data location." One example is SAP's German computer center in St. Leon-Rot (Germany), just 5 km from Walldorf. In that case your data is stored on secure servers in Germany.

How secure are the SAP computer centers?

Here the infrastructure of the computer centers is especially important. They are equipped with an extensive security system: biometric access control, redundant data storage and power supply, and measures to protect against fire and flood.

The constant back-ups are also done in the same jurisdiction. For security reasons, however, they are spatially separated from the data for ongoing operation. With extensive audits, SAP ensures that all technical and organizational measures are implemented and adhered to.

How is data access monitored?

The data stream is monitored at all SAP computer centers. Suspicious activities are identified by an "Intrusion Detection System" (IDS), and several firewalls from various manufacturers protect the data in the computer center. Data is always exchanged with customers in encrypted form, and back-up files are also encrypted or transmitted via tap-proof fiber optic cables.

What legal framework applies for data protection?

SAP follows the legal framework and standards of the local authorities. This means that if your data is in Germany, the especially strict German federal data protection laws apply. In addition, SAP adheres to other international standards such as ISO 27001, ISAE-3402, and SSAE-16.

Is data transmitted?

Data is not transmitted to third parties. Personal data is not saved, and our customers' business data is not analyzed. However, SAP reserves the right to analyze user behavior and prepare it graphically in order to increase the availability and reliability of its services. All SAP employees are contractually obligated to protect data.

How do SAP employees access data?

As operator, SAP must grant its employees access to customer instances as needed for maintenance and troubleshooting. For this purpose there are dedicated terminal servers, for which the employees have individual accounts. All access is limited in time. All support processes are only approved on application and are provided with a special password.

How is adherence to data security checked?

Data security is certified several times a year via external audits. You can request these certificates and test reports, in some cases only after signing a confidentiality agreement. On request, customer-specific on-site audits that go beyond this are also possible.

What should you be aware of when you use software from the cloud?

Access via mobile devices requires special safety measures. For its cloud solution, SAP offers appropriate quality and security, including the central management of mobile end user devices and access rights. However, the greatest security factor is the employees themselves. It is important that they handle their passwords carefully and always lock devices when they are not in use. Naturally this applies not only to the users, but also to the supplier's employees. SAP provides its employees with extensive security training and regular checks in order to sensitize them to this topic.

Where can I get additional information?

For more information, we recommend the SAP Datacenter.

Posted on March 4, 2015.