SAP Data Custodian SOC 2 (ISAE 3000) Audit Report 2022 H1

The scope of this SOC report includes the SAP Data Custodian as offered for the AWS data centers N. Virginia (US), Oregon (US), Frankfurt (Germany), Mumbai (India), Sydney (Australia), Tokyo (Japan), and Ontario (Canada), for the GCP data centers Mumbai (India), Frankfurt (Germany), and for the AZR data centers Washington (US).

SAP Data Custodian (SDC) is a multi-cloud SaaS application developed by SAP for deployment on cloud platforms such as Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure. This solution addresses global data protection regulations in order to provide enterprise customers with data monitoring across cloud environments.

SOC 2 reports fulfill various information and assurance needs of customers and aim to place trust in SAPs service organization systems, processes and controls. These narratives are related to the trust principles Security, Availability, Confidentiality Processing Integrity or Privacy which must be met to demonstrate a well-designed system. SOC 2 also contains details on performed tests and their results. SOC 2 Type 1 covers management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time, whereas a SOC 2 Type 2 also includes the operating effectiveness of controls for a dedicated period of time.

SAP Data Custodian has prepared SOC 2 Type 2 audit report by an independent 3rd party accountant. This version of the report covers the period 1. November 2021 to 31. March 2022, for the AWS data centers N. Virginia (US), Oregon (US), Frankfurt (Germany), Mumbai (India), Sydney (Australia), Tokyo (Japan), and Ontario (Canada), for the GCP data centers Mumbai (India), Frankfurt (Germany), and for the AZR data centers Washington (US).

The use of these reports is restricted. A copy of this report is available for all SAP customers and prospects with non-disclosure agreement in place.