Common use of Data Access Control Clause in Contracts

Data Access Control. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfil their duty. SAP uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the SAP Security Policy. • All production servers are operated in the Data Centers or in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, SAP conducts internal and external security checks and/or penetration tests on its IT systems. • Processes and policies to detect the installation of unapproved software on production systems. • An SAP security standard governs how data and data carriers are deleted or destroyed once they are no longer required.

Data Access Control. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfil their duty. SAP XXX uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the SAP Security Policy. • All production servers are operated in the Data Centers or in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, SAP conducts internal and external security checks and/or penetration tests on its IT systems. • Processes and policies to detect the installation of unapproved software on production systems. • An SAP security standard governs how data and data carriers are deleted or destroyed once they are no longer required.