    SAP Trust Center

    Service Organization Control Reports

    SAP offers Service Organization Control (SOC) reports to provide assurance and detailed insight into the design and operating effectiveness of internal control systems implemented within cloud delivery units. SOC reports are industry independent and well-known. Cloud solutions from SAP are audited by our external auditor at least once a year.

    SOC 1 Reports

    The auditor of our customer’s financial statements receives information about controls for cloud solutions from SAP that may be relevant to a customer’s internal control over financial reporting. The SOC 1 report follows the SSAE 18 and ISAE 3402 standards on auditing engagements and includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

    SOC 2 Reports

    Customers and prospects are given insights into the control system relevant to security, availability, processing integrity, confidentiality, or privacy of the data. The SOC 2 report follows the ISAE 3000 and AT 101 auditing standards and is based on AICPA’s trust service principles. The report includes a detailed description of the design (type I/type II) and effectiveness (type II) of the controls audited.

    SOC 3 Reports

    Interested parties get a report on the control system implemented within cloud solutions from SAP that are relevant to security, availability, processing integrity, confidentiality, or privacy. The SOC 3 report is a short-form record that provides no description of controls testing and results. It also summarizes the results of respective SOC 2 audits.

    Other Certifications and Attestations

    Besides ISO standards and SOC reports, selected cloud solutions from SAP provide additional certifications and attestations.

    Payment Card Industry Data Security Standard (PCI DSS)

    This global data security standard, also known as PCI DSS, is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. It comprises common-sense steps that mirror security best practices.

    Good Practice Quality Guidelines and Regulations (GxP)

    GxP is an acronym referring to the regulation and guidelines applicable to life sciences organizations that make food and medical products. These requirements ensure that food and medical products are safe for consumers.

    Cloud Computing Compliance Controls Catalogue (C5)

    C5 has proven itself, due to its neutrality, scope, compactness and testability, as an attestation for a stable foundation for internal auditing and for information security management in regulated industries.

    Trusted Information Security Assessment Exchange (TISAX)

    TISAX enables mutual acceptance of Information Security Assessments in the automotive industry and provides a common assessment and exchange mechanism.

    Federal Service for Technical and Export Control (FSTEC)

    FSTEC enables Russia license for activities in the field of technical protection of confidential information.

    Cloud Security Alliance (CSA)

    CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, as well as to provide education on the uses and security of Cloud Computing.

    Product specific information

    See how SAP products can help deal with government and industry specific regulations.
