(Jana Subramanian serves as APJ Principal Cybersecurity Advisor for Cloud Security and a Fellow of Information Privacy (FIP), awarded by the International Association of Privacy Professionals (IAPP). In this role, Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)

Introduction

Data is the new currency and businesses need data to survive and thrive in the digital age. As enterprises embrace cloud technology to access, process, store and manage their data, they find themselves traversing a complex terrain of diverse data types, each presenting its unique attributes and security prerequisites. Understanding these data types and their implications for data security and regulatory compliance is paramount. SAP cloud services support wide range of cloud data types that help customers to manage their business and analyse the data.  This blog explores the diverse data types supported by SAP cloud services. This will help to navigate security, compliance, and regulatory requirements around handling various data types. It is important to note that while we will provide a high-level overview of these data types, the specific data types hosted in SAP cloud services may vary depending on an organization's unique business requirements,  integration landscape, and the ever-evolving dynamics of security and regulation.

Cloud Data Types

SAP cloud services host variert of data types in cloud environments, including personal data, sensitive data, business data, integration data, and configuration data. Each of the data types have cybersecurity requirements and regulatory implications. Personal data, encompassing any information relating to an identifiable individual, and sensitive data, which includes details like health information or biometric records, are heavily regulated under laws like Europe’s GDPR, India’s Digital Personal Data Protection Act and China’s PIPL, requiring strict consent, protection, and handling protocols. Business data, though less strictly personal, in general, associated with personal data, still requires safeguarding, as it may contain proprietary or confidential information. Integration data, used to connect various systems or applications, and configuration data, essential for system setup and preferences, might not be inherently sensitive but can become so depending on the specific content and context.

The following section provides a high-level overview of personal data, sensitive personal data, and business data stored in SAP cloud services. While the data types mentioned in this blog are just examples of cloud data types, they do not encompass details of every field that can be configured within the cloud services. Nonetheless, this information will assist in having a fundamental understanding of the types of data stored, thereby facilitating an assessment of security, compliance and regulatory requirements.

SAP Business Technology Platform

SAP BTP maintains more than 90+ services that can be used for many integrations, extension, database, analytics, and database management use cases. Organizations must carefully evaluate what data type is used, accessed, processed, and stored in SAP BTP to determine compliance with their respective regulations. Customers can create a sub-account with SAP BTP and host their service in a region of their choice.

The table below provides examples of cloud data types for most commonly used services in SAP BTP.

Service	Examples of Cloud Data Types
CPEA Services	User Credentials: Information used to verify the identities of users, typically including usernames and passwords. Application Metadata: Information about the applications running on the platform, including names, descriptions, and configuration details. Configuration Data: Settings that control the behaviour of applications and services on SAP BTP. SAML Metadata and certificates. Service Instances: Data related to instances of services that are created and used on the platform, such as databases or analytics tools. Access Logs: Records of user access to the platform's resources, used for security and monitoring purposes. Audit Logs: Detailed records of actions taken within the platform, critical for compliance, and security. Integration Flows: Data defining how different applications and services communicate and interact with each other. Security Policies: Rules and settings related to securing applications and data on the platform. Development Artifacts: Files and data related to the development of applications, such as source code, libraries, and dependencies. Database Records: Information stored in databases hosted on SAP BTP, which can include a wide variety of business data depending on the applications being used.
Integration Data	Messages processed on a runtime node often encompass business data related to an integration scenario and may include personal data. Monitoring Data: The processing log documents the various stages of an integration flow. Access to this data is exclusive to users assigned to this tenant who possess the requisite permissions. Data visible in the log file
SAP Identity Authentication Service	User Credentials User Profiles Authentication Tokens (including OAuth Tokens) Security Policies Access Logs Configuration Settings Consent Records Session Information SAML Assertions SAML Certificates SAML Endpoints SAML Configuration Service Provider Metadata Identity Provider Metadata Trust Relationships OAuth Client IDs and Secrets OAuth Redirect URIs OAuth Scopes OAuth Policies OAuth Grant Types
Identity Provisioning Service	User data: This includes information such as username, email address, employee ID, department, and job title. Group data: This includes information such as group name, description, and members. Role data: This includes information such as role name, description, and permissions. System data: This includes information about the systems that users and groups are provisioned to, such as system name, type, and connection information. SAP Identity provisioning services can also store custom data types, depending on the specific needs of the organization. For example, an organization might use SAP Identity provisioning services to manage access to custom applications or systems. In these cases, the organization can define custom data types to store information about these applications or systems. Application data: This could include information such as application name, type, and URL. System data: This could include information such as system name, type, and IP address. Attribute data: This could include information about user attributes, such as skills, certifications, or security clearances.
Destination	The data type stored in the SAP BTP Destination Service is a JSON object. This object contains information about the destination, such as: Name: The name of the destination. Type: The type of destination, such as HTTP, RFC, or TCP. URL: The URL of the destination. Proxy Type: The type of proxy server to use, if any. Authentication: The authentication method to use, if any. Additional Properties: Any additional properties that are needed to configure the destination. The SAP BTP Destination Service can be used to store destinations for a variety of different applications and systems, including: SAP applications, such as SAP S/4HANA and SAP ECC. Cloud-based applications, such as Salesforce and Workday. On-premises applications, such as ERP systems and CRM systems. The SAP BTP Destination Service is a key component of SAP BTP, as it allows applications to connect to the systems and data that they need.

SAP Analytics Cloud

Data modelling in SAP Analytics Cloud allows users to refine their data for analysis by bulk editing, categorizing, forming hierarchies, and creating custom calculations. The business intelligence segment of SAP Analytics Cloud consists of two main components: models and stories.

• 'Models' serve as the foundation for data analysis, involving the cleaning and organization of data. This includes defining the metrics and dimensions, arranging data hierarchies, configuring units and currencies, and introducing formulas to enrich the data.


• 'Stories' are the visualization aspect, where data is transformed into charts and graphs for enhanced understanding and insights.

Services	Examples of Cloud Data Types
Planning, Business Intelligence, Predictive Analytics, Modelling	On-premises data sources (may contain metadata and some personal data). Query Data may contain personal and sensitive personal data. Name Address Contact Number Financial Data ERP Data (S/4HANA) Accounting Human Resources (SF Integration)

SAP SuccessFactors

SAP SuccessFactors is a cloud-based human capital management (HCM) software suite that helps organizations manage their workforce. It includes a wide range of modules for core HR, talent management, payroll, and analytics. The types of cloud data that are stored in SAP SuccessFactors are generally considered to be personal and sensitive data. This includes information such as employee names, email addresses, employee IDs, departments, job titles, salaries, benefits, performance reviews, goals, development plans, compensation data, payroll data, and analytics data.

Service	Cloud Data Types
Employee Central (EC)	First Name/Last Name Date of Birth Passport Number Nationality Address line IBAN Phone-Type Email Marital Status Business Information: To-dos & Approvals Recruiting workflows Organizational Chart Manager Onboarding Manager Team View Cost center name Cost Center ID Cost Center Validity Cost Center Status Cost Center Descriptions Reporting Line Cost Distributions Job Information Organizational Data
Payroll	Family Members/dependents Off-cycle Payments Absences Bank Details Employee – Renumeration Information Address Information Email
Recruiting	First Name/Middle/Last Name Primary Phone Address Line Email Resume CV Gender Email
Learning	Gender Date of Birth Hire Date ZIP Code Interest License ID Knowledge Rating Email
Performance	(Competency) Rating (Performance_ Rating (Potential) Rating First/Middle/Last Name 360 Feedback Report Email
On-Boarding	First Name/ Middle/ Last Name Date of Birth Gender Mobile Phone Area Code and Number Emergency Contact Email
Workforce Analytics	Date of Birth Gender Nationality Time in Service (Performance) Rating Knowledge Rating Email
Compensation	Employee Name Performance Rating Final Annual Salary Payout Bonus Stock Email
Integration	Integration Dependent Personal Data

SAP Ariba

SAP Ariba allows customers to provide Personal Data for user creation within the solution, stores transaction documents that may contain Personal Data of signatories or business contacts, and maintains contact information related to Trading Partners. Consequently, the typical range of Personal Data processed includes an individual's name, business email address, and business phone number. Additionally, buyers have the option to include users' home addresses for delivery of items purchased through the platform. Furthermore, some solutions within SAP Ariba give buyers the capability to create custom fields specifically for collecting additional Personal Data. SAP Ariba processes only non-security-classified information, such as vendor masters, purchase orders, purchase requisitions etc. In a typical hybrid integration scenario, copies of most transactional data reside in the customer's ERP system.

SAP Ariba prohibits the processing of sensitive personal data through the solutions, such as a creating custom fields unless SAP has expressly authorized it for a specific purpose of the solution. In such cases, customers must submit the data strictly in compliance with both the privacy statement and contractual agreement.

Services	Examples of Cloud Data Types
SAP Ariba - Business Contact Information	Name E-mail address Employee number Employee name Business phone Business fax Alternate e-mail addresses Business postal address
Ariba Strategic Sourcing Suite – Business Data	Supplier Data Supplier Company Name Supplier Primary Contact (Name) Supplier Email Address Supplier Company Location & Locale Supplier Phone & Fax Number Supplier Location Remittance Information (Optional) Supplier Bank Payment Locations (Optional) Supplier Registration Details, Supplier Qualification Details, Supplier Certificates (Optional) Sourcing Project ID & Title Sourcing Project Details (e.g. RFx content & submissions) Contract Workspace ID & Title Contract Workspace Details (e.g. terms, clauses, communications) Master Data Company Codes Purchase Groups Purchasing Organizations Plant Plant to Purchasing Organization Material Groups Material Master Payment Terms Incoterms Item Categories
SAP Ariba Supply Chain Collaboration	Supplier Company Name Supplier Primary Contact (Name) Supplier Email Address Supplier Company Location & Locale Supplier Phone & Fax Number Supplier Payment Terms
SAP Ariba Commerce Automation	Supplier Company Name Supplier Primary Contact (Name) Supplier Email Address Supplier Company Location & Locale Supplier Phone & Fax Number Supplier Payment Terms Bill To Address Ship To Address Remit To Address Transaction Details (line-item details, qty, price, tax, handling costs, shipping costs)

SAP Concur

SAP Concur stores a wide variety of data, including:

• Expense data: This includes information such as the date, time, location, and amount of each expense, as well as the vendor’s name, expense type, and payment method.


• Travel data: This includes information such as the dates and times of travel, the origin and destination, the mode of transportation, and the accommodations.


• Invoice data: This includes information about invoices received from vendors, such as the vendor’s name, invoice number, invoice date, and invoice amount.


• Payment data: This includes information about payments made to vendors, such as the date, amount, and payment method.


• Employee data: This includes information such as the employee’s name, email address, employee ID, department, and job title.


• Company data: This includes information such as the company name, address, and tax ID number.

In addition to this standard data, SAP Concur can also store custom data types, depending on the specific needs of the organization. For example, an organization might use SAP Concur to manage travel policies, approvals, or reimbursements. In these cases, the organization can define custom data types to store information about these policies and processes.

Services

Cloud Data Types

Expense and Travel

Passwords  (not stored in SAP Concur when using SSO) User Sessions Credit Card Number Credit Card Expiration Bank Account Number Passport Number Medical Alerts Frequent Travel Number Contact Information Visa Date of Birth Medical Alerts TSA Pre-check / Known Traveller Number TSA Redress Number Driver’s License National Identification Number Loyalty Card ID APIS document number Handicap – Wheelchair Handicap – Blind Frequent Traveller Number Frequent Traveller Account Password Contact information (phone, address, etc.) Batch feeds with credit card numbers Batch feeds with bank account numbers Batch payment feeds sent to banks. Transactions between Concur and Global Distribution Systems (GDSs)

SAP S/4HANA

SAP S/4HANA Cloud, private edition, is a privately managed solution that can handle large amounts of data, including personal and sensitive data. The types of data stored will vary depending on the company's operations, the modules they use, and the privacy regulations they operate under.

Services

Cloud Data Types

SAP S/4HANA

Employee Data: The Human Resources module stores data including employee names, addresses, social security numbers, employment history, salaries, benefits information, performance assessments, among others. Customer Data: The Sales & Distribution and Customer Service modules contain customer-related data, such as names, contact details, purchase histories, billing and shipping information, credit data, interaction histories, and customer preferences. Vendor Data: Data related to vendors is stored primarily in the Procurement module, including names, contact information, bank details, tax information, payment terms, and performance histories. Partner Data: Businesses working with various partners, including suppliers, distributors, or resellers, will find relevant personal data in the system, including contact details, agreement terms, transaction histories, and performance data. Financial Data: For individuals involved in financial transactions, such as customers or employees, the system can store information like bank account details, payment histories, credit reports, and other financial data. Health & Safety Data: In specific instances, particularly regarding employee health and safety (within the HR module) or product safety (in Quality Management), the system may store health data, incident reports, and other sensitive personal data. Master Data, Organisational Data, Analytics and Reporting Data, Compliance and Regulatory Data.

Cybersecurity and Data Protection in SAP Cloud Services

While customers retain ownership of their data, SAP maintains its obligations as a data processor by protecting this data through various technical and organizational measures. SAP safeguards customer data using data encryption both at rest and in transit. SAP cloud services offer tools for authentication, role-based access control, and security audit logs, including read access logs and change audit logs. SAP maintains confidentiality, integrity, and availability controls to maintain robust protection of customer data. SAP provides contractual assurances regarding personal data protection through data processing agreements that address compliance issues related to cross-border data transfers.

Cloud customers are given a variety of tools to manage security and data privacy in relation to their application & data hosted in SAP cloud services. Some procedures are specific to individual SAP cloud services, and it is up to the customer to use these tools effectively to improve security and maintain data privacy.

For instance, customers have the option to utilize features like UI Masking and Logging within SAP S/4HANA environment (for an additional license), enhancing data security. UI Masking helps in obscuring sensitive data fields from users who don't need to see them, adding an extra layer of confidentiality. Similiarly, Logging provides a transparent audit trail of user interactions with the system, contributing significantly to data integrity and accountability. These tools, when used effectively, further stregthen the cybersecurity posture of businesses using SAP Cloud Services. For customers facing strict regulatory requirements, SAP Data Custodian's Transparency and Control services offer complete visibility into where data is accessed and stored. Furthermore, customers can take advantage of the Bring Your Own Key (BYOK) capabilities provided by SAP Data Custodian's Key Management Service (KMS) for SAP S/4HANA Cloud, private edition, enhancing data security and control.

References

S.No	Description
1	SAP Trust Center
2	Essential Data Privacy and Security Controls in SAP Business Technology Platform
3	Safeguarding Your Crown Jewel: UI Data Protection
4	Safeguarding SAP Landscapes: Unleashing the Power of SAP Enterprise Threat Detection (ETD) – An Intr...
5	SAP Solutions for Cyber Security and Data Protection
6	SAP Data Custodian
7	SAP Information Lifecycle Management
8	Define project scope for data protection and compliance projects (DPP) with SAP Information Lifecycl...

Conclusion

In conclusion, it is paramount to perform due diligence and navigate the intricacies of cloud data types and security within SAP Cloud Services. While SAP cloud services support a diverse array of data types, including personal and business data, customers must be aware of the specific characteristics and sensitivity of the data they host, as well as the regulatory requirements that govern data hosted in SAP cloud services. SAP is committed to enforcing stringent cybersecurity and data privacy measures to safeguard data hosted in cloud services. However, the effectiveness of data security and compliance depends on a collaborative shared security and governance model, recognizing that safeguarding data is a joint endeavour between SAP and its customers.

Disclaimer

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.