SAP BI Design Council Participation Agreement
This SAP BI Design Council Participation Agreement (“Agreement”) is entered into by and between SAP SE, a European Company (Societas Europaea, SE) established under the laws of Germany and the European Union, registered with the commercial register of the local court of Mannheim, Germany, under HRB 719915, with registered office in Walldorf, Germany, and business address at Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany ("SAP"), and the "Company".
SAP has invited Company to take part in the SAP BI Design Council. SAP would like to collect Feedback (as defined
below) from Company with regards to the following items provided by SAP during the SAP BI Design Council:
materials and information about SAP products and product planning, SAP blueprints, market needs identified during
the SAP BI Design Council, product specifications and certain SAP software made available by SAP. For testing SAP
software made available during the SAP BI Design Council, Company will nominate employees of Company
(“Company Tester(s)”) who will conduct the actual testing. After completion of the testing, SAP will collect Feedback
and may ask Company Tester to participate in a video testimonial. Company hereby agrees that the Company
Testers may participate in such video testimonial. SAP acknowledges that participation of a Company Tester in a
video testimonial is voluntary. If a Company Tester agrees to participate in a video testimonial, SAP will require such
Company Tester to sign a video testimonial release form as included with Attachment 1 to this Agreement.
Furthermore, Company Testers will be required to sign a C-User declaration (privacy and confidentiality statement)
as included with Attachment 2 prior to be able to access SAP software for testing.
2.1 During and in certain cases after the SAP BI Design Council, but for a maximum of ninety (90) days, Participant is granted a non-transferable and non-exclusive, limited license to remotely access and/or use certain SAP software (“Test Software”) exclusively for test and evaluation purposes in a non-productive environment without connection to Participant’s productive system(s) and in accordance with the this Agreement and the documentation for the Test Software. The aforementioned ninety (90) day period shall start on the date on which SAP makes the Test Software available.
The Test Software may either be a) made available at an SAP site, or b) accessed remotely, or c) made available for temporary installation on Participant hardware. SAP may supply under this Agreement additional materials, hardware and documentation related to the Test Software (“SAP Materials”).
Participant acknowledges that the Test Software is a preliminary version and not subject to any productive use license agreement or any other agreement with SAP. SAP has no obligation to offer the Test Software for productive use or any other use, be it remotely accessible or by any other form of access. In addition, SAP has no obligation to include or remove any functionality from the Test Software in any future version or in any SAP standard product. Participant and SAP mutually acknowledge and agree that it would be imprudent and unreasonable to rely upon the expectation of entering into a contract regarding the productive use of the Test Software
2.2 With regard to remote access of the Test Software, the following applies in addition: Use of the SAP systems is limited to access the Test Software for the purpose as permitted under this Agreement. SAP is not responsible for any data produced, used or inserted by Participant under this Agreement. Remote access to the Test Software is dependent upon availability of the SAP systems. SAP may suspend access to the SAP systems at any time, in its sole discretion. SAP shall endeavour to provide Participant with advance notice of any suspension if practicable. Remote access might also be subject to acceptance of separate terms. Remote access connectivity is the sole responsibility of the Participant. SAP is not responsible for any problems or interruptions with respect to connectivity to the SAP systems or Test Software under this Agreement.
3 Intellectual Property
3.1 Participant shall not remove notices and notations in the Test Software and the SAP Materials that refer to copyrights, trademark rights, patent rights and other intellectual property rights. Unless expressly agreed otherwise herein, any and all patent rights, copyrights, trademark rights and other rights in the Test Software and the SAP Materials, as well as any improvements, inventions, design contributions or derivative works conceived or created by either party in or to the Test Software and the SAP Materials, shall remain the exclusive property of SAP and/or its licensors. Except for the limited license rights expressly granted herein, this Agreement does not transfer any proprietary right or interest in the Test Software and the SAP Materials to Participant. Between Participant and SAP all title to and rights in the Test Software and the SAP Materials, operational know-how and business secrets related thereto vest exclusively in SAP and/or its licensors, notably copyright and rights of authorship, rights to inventions, and any other industrial and intellectual property rights. All license rights not expressly granted to Participant in this Agreement are reserved by SAP and its licensors. Participant shall not use the Test Software for any productive purposes nor shall Participant be entitled to provide access to or present the Test Software to third parties (including but not limited to subcontractors or customers or prospects). Participant does not acquire any rights to the source code of the Test Software.
3.2 If any proprietary rights described in Section 3.1 of this Agreement vest in Participant or any Participant Tester, Participant shall ensure that Participant and/or Participant Tester take any steps necessary to assign such rights to SAP and/or its licensors.
3.3 With regards to temporary installation Participant hardware, the following shall apply: The designated use of the Test Software and the SAP Materials is limited to copying instructions and data by means of loading the Test Software into the main storage of Participants non-productive environment and/or hardware in order to process such instructions and data for purposes of testing and evaluating as authorized by this Agreement.
3.4 Participant shall not be entitled to license, sell, lease, rent, outsource or otherwise transfer or make available or otherwise give access to the Test Software and the SAP Materials to third parties.
3.5 Participant shall not be entitled to duplicate, translate, de-compile, reverse-engineer or otherwise modify any parts of the Test Software and the SAP Materials provided however that Participant may (i) make back-up copies of the Test Software and (ii) duplicate the Test Software to the extent necessary for the permitted use under this Agreement. No development activities are allowed or supported under this Agreement. If any developments are made by Participant with the Test Software such developments shall be owned by SAP. If required and necessary, Participant will assign or transfer free of charge all intellectual property rights in such developments to SAP.
4. Services and Support by SAP
4.1 Under this Agreement SAP does not provide any support services for the Test Software. SAP may, in its sole discretion, provide Participant with installation guidelines for testing and evaluation purposes.
4.2 Any Test Software errors or other problems shall be documented by Participant as advised by the SAP Test supervisor.
4.3 Any services by SAP, in particular assistance and consulting with respect to the use of the Test Software for individual business needs of Participant, are not subject to this Agreement and will be charged by SAP according to its then current terms and generally applicable rates. SAP strongly recommends that Participant obtains support from SAP or from another expert source in connection with the installation and use of the Test Software.
5. Obligations of Participant
5.1 If SAP allows Participant to install the Test Software on its premises or on its hardware, Participant shall store the Test Software separate from other materials and prevent through appropriate measures any unauthorized access. Participant shall inform SAP immediately in case of loss of the Test Software or any part of it or upon suspicion of unauthorized use.
5.2 Participant acknowledges that use of the Test Software requires a separate test installation and that each data transfer to or from a productive installation shall be avoided. Participant shall have no right to transfer the Test Software to a live environment.
5.3 If SAP allows Participant to install the Test Software on its premises or on its hardware, Participant shall provide the necessary hardware required for the use of the Test Software in accordance with the relevant SAP Materials. Upon request, Participant shall provide SAP access to its systems to allow SAP to fulfill its obligations arising out of this Agreement, if any. In particular, this includes the grant of access to the Participant system and Test Software by means of remote login and the exchange of information through electronic mail.
5.4 The Participant shall give comments on how the test runs, documenting related problems in a system based on Participant test supervisor direction unless Participant is provided with another contact by SAP and when returning and/or removing the Test Software shall also provide SAP with a final written assessment of the testing.
5.5 Participant shall be fully responsible for any data uploaded or stored in the Test Software during testing. Participant acknowledges that – in case the Test Software is not provided to Participant for on-site testing – SAP will delete such data after the testing.
6. Limitation on Warranties and Liabilities
THE SOFTWARE AND ANY SAP MATERIALS ARE LICENSED TO PARTICIPANT “AS IS”, WITHOUT ANY WARRANTY, ESCROW, TRAINING, MAINTENANCE, OR SERVICE OBLIGATIONS WHATSOEVER ON THE PART OF SAP. SAP MAKES NO EXPRESS OR IMPLIED WARRANTIES OF ANY TYPE WHATSOEVER, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND OF FITNESS FOR A PARTICULAR PURPOSE. PARTICIPANT ASSUMES ALL RISKS ASSOCIATED WITH ITS USE OF THE SOFTWARE AND THE SAP MATERIALS, INCLUDING WITHOUT LIMITATION RISKS RELATING TO QUALITY, PERFORMANCE, DATA LOSS, AND UTILITY IN A PRODUCTION ENVIRONMENT. IN NO EVENT SHALL SAP BE LIABLE TO PARTICIPANT OR TO ANY THIRD PARTY FOR ANY DAMAGES ARISING IN CONNECTION WITH PARTICIPANT’S USE OF OR INABILITY TO USE THE SOFTWARE OR THE SAP
Participant Agreement April 2013 page 3 of 10
MATERIALS IN CONNECTION WITH SAP’S PROVISION OF OR FAILURE TO PROVIDE SERVICES PERTAINING TO THE SOFTWARE OR THE SAP MATERIALS, OR AS A RESULT OF ANY DEFECT IN THE SOFTWARE OR THE SAP MATERIALS. THIS DISCLAIMER OF LIABILITY SHALL APPLY REGARDLESS OF THE FORM OF ACTION THAT MAY BE BROUGHT AGAINST SAP, WHETHER IN CONTRACT OR TORT, INCLUDING WITHOUT LIMITATION ANY ACTION FOR NEGLIGENCE. PARTICIPANT’S SOLE REMEDY IN THE EVENT OF BREACH OF THIS AGRREEMENT BY SAP OR FOR ANY OTHER CLAIM RELATED TO THE SOFTWARE OR SAP MATERIALS SHALL BE TERMINATION OF THIS AGREEMENT.
7. Data Protection and Confidentiality
7.1 Each Party shall comply with applicable data protection laws and regulations. No personal data are collected, processed, stored or transmitted under this Agreement. In case of contractual data processing or transfer of personal data outside the EU, the Parties agree to execute a written agreement containing adequate regulations to protect the individuals’ privacy and comply with EU data protection laws. Subject to Section 6.3, Participant agrees to take care for any data protection on his own in case it enters data into the system.
7.2 Participant shall treat as confidential all confidential information and trade secrets of SAP and its licensors acquired in connection with the performance of this Agreement that are expressly identified as confidential or proprietary or that are reasonably identifiable as confidential or proprietary based on the circumstances of their disclosure or by their nature ("Confidential Information") and to use such Confidential Information only to perform this Agreement. SAP’s Confidential Information shall include all of, but are not limited to the Test Software (in object and source code), SAP Materials, verbally shared information, programming techniques and concepts, processing methods, system designs embedded in the Test Software, inventions, techniques, concepts, designs, flow charts, documentation, product specifications, application programming interface specifications, techniques and processes that relate to the Test Software or the SAP Materials, information on SAP customers and business partners and information about deployed third-party software and any access credentials used to access the SAP system, including, but not limited to password or account information. The terms and conditions of this Agreement shall also be treated confidential. In particular, Participant must not provide information about the Test Software to any third party, including but not limited to customers or prospects.
7.3 The foregoing obligation shall not apply to the extent that Participant shows that the information (i) was public knowledge at the time it was disclosed to SAP and had not become public knowledge through an act or omission by Participant or Participant’s employee or agent in breach of contract, or (ii) was in the possession of or known to Participant before Participant received it from SAP, or (iii) had been lawfully disclosed to Participant by another person entitled to do so, or (iv) had been independently developed by Participant without reference to SAP’s information.
7.4 Confidential Information may be provided to third parties only upon prior written consent from SAP. These third parties must be subject to a written non-disclosure obligation. The term “third party“ as used this Section 7.4 does not apply to employees of Participant whose proper performance under this Agreement reasonably requires access to such information and who have executed corresponding non-disclosure agreements.
7.5 Participant agrees to be named to other Participants and publicly referenced as a participant in the SAP BI Design Council.
7.6 To Feedback provided by Participant during the term of this Agreement and during a period of up to six (6) months thereafter, Participant grants to SAP a license in the Feedback that is non-exclusive, perpetual, irrevocable, worldwide, royalty-free, and sub-licensable under all relevant intellectual property rights. SAP may do whatever it wishes with the Feedback, including (1) use, (2) publish, (3) disclose, (4) display, (5) perform, (6) copy, (7) make or have made, or (8) sell it. SAP does not have to identify Participant as the Feedback´s source. SAP owes Participant no money or anything else in exchange for the Feedback and SAP is not obligated to do anything with the Feedback. “Feedback” means information and materials provided by Participant under this Agreement which relate directly to the design and performance of the Test Software and/or other SAP Materials and information provided by SAP to Participant during the SAP BI Design Council.
7.7 SAP may store Participant personal data to further invite Participant to other activities related to the SAP BI Design Council. .
8. Term and Termination
8.1 This Agreement enters into force upon the Effective Date (as defined below) and remains effective for a period of one (1) year thereafter. It ceases automatically upon expiration of this period without requiring any notice of termination. Any test and evaluation licenses granted under this Agreement shall expire contemporaneously with this Agreement even if the ninety (90) day period mentioned in Section 2.1 above has not expired as of the date of expiration of this Agreement. Sections 3, 6, 7, 8 and 10 shall survive termination of this Agreement.
8.2 Either party may terminate this Agreement at any time with immediate effect during the term of this Agreement.
8.3 Either party may terminate this Agreement with immediate effect in the event the other party breaches an obligation under this Agreement, including but not limited to a breach of Sections 3, 7 and 9.
8.4 Upon expiration or termination of this Agreement Participant shall return to SAP and/or destroy any of the SAP Materials and the Test Software provided by SAP under this Agreement. Participants access to the SAP system, Test Software and SAP Materials shall be terminated. To the extent applicable, Participant shall return to SAP and/or destroy any of the SAP Materials and the Test Software provided by SAP under this Agreement. Any further use of the SAP system, Test Software and SAP Materials is not allowed and all parts of the Test Software, if any must be removed in its entirety from Participant’s hardware.
9. Database, Third Party Test Software
With regards to temporary installation on Participant hardware the following shall apply: The Test Software licensed hereunder may require a third party database product. Each third party database product is subject to its respective third party vendor license agreement. This Agreement does not contain a license to use an integrated third party database product or other 3rd party products. This Agreement shall only become effective provided that the Participant signs a valid agreement for the necessary database software. If the Participant does not enter into such an agreement with SAP, it must provide SAP with written evidence that it has concluded such an agreement with any third party. For the avoidance of doubt, SAP MaxDB is not a third party database product as set forth in this Section 9.
10.1 The parties shall bear their own costs with regards to this Agreement.
10.2 This Agreement constitutes the complete and exclusive statement of the agreement between SAP and Participant related to the subject matter hereof, and supersedes all prior written and oral contracts, proposals and other communications between the parties relating to the subject matter. Oral agreements do not exist.
10.3 Any changes to this Agreement must be in writing. This also applies to any waiver of this written form requirement.
10.4 All notices or reports which are required or may be given pursuant to this Agreement shall be in writing and shall be deemed duly given when delivered to the respective addresses specified by either party.
10.5 Participant may not assign or otherwise transfer any of its rights under this Agreement without SAP’s prior written consent.
10.6 If any provision of this Agreement proves to be invalid, this will not affect any other provision of this Agreement.
10.7 This Agreement does not entitle either party to use the other party’s name, trademark or trade designation for purposes of advertising and marketing without prior written consent of this party, unless provided otherwise herein.
10.8 This Agreement shall be governed by and construed under the Commonwealth of Pennsylvania law without reference to its conflicts of law principles. In the event of any conflicts between foreign law, rules, and regulations, and United States of America law, rules, and regulations, United States of America law, rules, and regulations shall prevail and govern. The United Nations Convention on Contracts for the International Sale of Goods shall not apply to this agreement. The Uniform Computer Information Transactions Act as enacted shall not apply.
10.9 The waiver by either party of any of its rights hereunder shall not be construed as a waiver of any subsequent breach.
VIDEO TESTIMONIAL RELEASE FORM
The Participant (the “Participant Tester”) has voluntarily agreed to participate in testimonial interviews regarding either their association with SAP AG or SAP America, Inc. or their purchase, use or other involvement with any product or service provided by SAP AG or SAP America, Inc. Such interviews may be video, audio or otherwise recorded (“recordings”). The Participant Tester grants the perpetual, unrestricted and royalty-free rights to use, reproduce, broadcast and exhibit the recordings of the Participant Tester, Participant Tester’s likeness and Participant Tester’s name and company affiliation, in any medium or format to SAP AG and SAP America, Inc., its affiliates, subsidiaries, successors, agents, licensees, and assignees (collectively SAP). Participant Tester acknowledges that it shall have no ownership, authorship or moral rights in the recordings or any part thereof or, to the extent that Participant Tester does, Participant Tester assigns such rights to SAP to the extent allowable by law.
The Participant Tester releases and discharges SAP from any and all claims resulting directly or indirectly from any use, reproduction, broadcast or exhibition of the recordings. The Participant Tester also waives any right it may have to inspect or approve of the recordings.
The Participant Tester, at its sole discretion, has the right to terminate this release upon thirty (30) days written notice to SAP. Within a reasonable time following its receipt of such notice, SAP shall verify to the Participant Tester in writing that it has discontinued all use and exhibition of the recording.
The Participant represents and warrants that he/she is signing this release as an individual and is authorized to sign this release on behalf of their company.
CONFIDENTIALITY AND PRIVACY STATEMENT
You undertake not to disclose any Confidential Information. Confidential Information shall mean all information and sensitive data which the Disclosing Party protects against unrestricted disclosure to others or which is identified as “Confidential” or “Proprietary” or would otherwise ordinarily be expected to be confidential or proprietary regardless of the manner in which it is furnished, including but not limited to, any trade and business secrets of SAP, SAP customers, SAP partners and/or other third parties, about which you obtain knowledge during the course of your activities for SAP. You shall keep all Confidential Information confidential and not disclose any Confidential Information to any person other than SAP personnel on a need to know basis and only for the purpose of fulfilling your duties. You undertake to disclose Confidential Information to third parties only with prior approval by SAP. This obligation shall remain in force even after termination of your access to SAP confidential information.
You also acknowledge that you are obliged to the terms and conditions of SAP’s Security Policy and the related standards, including but not limited to the SAP Security Guideline for Externals (Appendix II) or any amendment or new version thereof.
2. TRADE SECRETS AND COPYRIGHTS OF OTHER COMPANIES
You undertake to respect the rights, especially the copyrights, of third parties. Unless the copyright holder has given its express consent in writing and SAP has given its approval for the respective use, third party software or materials shall not be used or modified in any way.
You acknowledge that SAP has no interest whatsoever in Confidential Information of other companies. You undertake not to disclose any Confidential Information or copyright protected materials of third parties to SAP. In addition you shall not keep or store any such information in SAP premises or on SAP systems. Any disclosure is subject to a written non-disclosure agreement to be concluded between SAP and the respective third party before such disclosure.
3. OBLIGATION TO OBSERVE DATA SECRECY
Subject to Section 5 Bundesdatenschutzgesetz (German Federal Data Protection Act), you are prohibited to process, publish, disclose or otherwise use personal data without authorization.
Your obligation, to observe confidentiality regarding any personal data you may have access to, shall remain in force after termination of your access to such data. This obligation also comprises not to disclose or use any personal data from SAP customers, SAP partners and/or any other third party.
Any violation of privacy can lead to a fine or imprisonment in accordance with Section 43 Bundesdatenschutzgesetz (German Federal Data Protection Act) and other applicable statutory provisions.
APPENDIX I – Wording of Bundesdatenschutzgesetz (unofficial translation)
Section 5 Confidentiality
Persons employed in data processing shall not collect, process or use personal data without authorisation (confidentiality). On taking up their duties such persons, in so far as they work for private bodies, shall be required to give an undertaking to maintain such confidentiality. This undertaking shall continue to be valid after termination of their activity.
Section 43 Administrative offences
(1) An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or through negligence,
1. contrary to Section 4d(1), also in conjunction with the second sentence of section 4e of this Act, fails to submit a notification, fails to do so within the prescribed time limit or fails to provide complete particulars,
2. contrary to the first or second sentence of Section 4f(1) of this Act, fails to appoint a data protection official or fails to do so within the prescribed time limit or in the prescribed manner,
3. contrary to the second sentence of Section 28(4) of this Act, fails to notify the data subject, or fails to do so within the prescribed time limit or in the prescribed manner, or fails to ensure that the data subject is able to obtain due knowledge,
4. transfers or uses personal data contrary to the second sentence of Section 28(5) of this Act,
5. contrary to the third or fourth sentence of Section 29(2) of this Act, fails to record the reasons described there or the means of credibly presenting them,
6. incorporates personal data into electronic or printed address, telephone number, classified or similar directories contrary to the first sentence of Section 29(3) of this Act,
7. contrary to the second sentence of Section 29(3) of this Act, fails to ensure the adoption of labels,
8. contrary to Section 33(1) of this Act, fails to notify the data subject or fails to do so correctly or completely,
9. contrary to the third sentence of section 35(5) of this Act, transfers data without a counterstatement,
10. contrary to the first sentence of Section 38(3) of this Act, fails to provide information or fails to do so correctly, completely or within the prescribed time limit or fails to permit a measure,
11. fails to comply with an executable instruction under the first sentence of Section 38(5) of this Act.
(2) An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or through negligence,
1. collects or processes personal data which are not generally accessible without authorisation,
2. holds personal data which are not generally accessible ready fro retrieval by means of an automated procedure without authorisation,
3. retrieves personal data which are not generally accessible or obtains such data for themselves or another from automated processing operations without authorisation,
4. obtains by means of incorrect information the transfer of personal data which are not generally accessible,
5. contrary to the first sentence of Section 16(4) and the first sentence of Section 28(5) of this Act, also in conjunction with Section 29(4), the first sentence of Section 39(1) or Section 40(1) of this Act, uses data for other purposes by transmitting them to third parties,
6. contrary to the second sentence of Section 30(1) of this Act, combines the characteristics mentioned in the first sentence of Section 30(1) with the information or, contrary to the third sentence of Section 40(2), combines the characteristics mentioned in the second sentence of Section 40(2) with the information.
(3) Administrative offences shall be punishable by a fine of up to € 25,000 in case of sub-section 1 above, and by a fine of up to € 250,000 in the cases under subsection 2 above.
Section 44 Criminal offences
(1) Anyone wilfully committing an offence specified in Section 43(2) of this Act in exchange for payment or with the intention of enriching himself or another person of harming another person shall be liable to imprisonment for up to two years or to a fine.
(2) Such offences shall be prosecuted only if a complaint is filed. Complaints may be filed by the data subject, the Federal Commissioner for Data Protection and the supervisory authority.
APPENDIX II – Security at SAP, SAP Security Guideline for Externals V1.1
SAP Security Standards short form (Version from Jan 01, 2006)
This document summarizes the most important points of the SAP Security Standards and should be used as a short reference guide for security-conscious behaviour. This condensed document provides an overview of the regulations in the SAP Security Standards. The original form as stated in each Security Standard is binding. You can find all Standards in SAP Service Marketplace, Quick Link: /securitypolicy
You are forbidden to obtain access to information that you are not authorized to access. This particularly refers to technical methods for circumventing access restrictions and to obtaining access rights without being authorized to do so. Persons who are responsible for issuing access and system rights must work on a need-to-know basis, that is, they must give the minimum privileges required for a person to do his or her job. For business-critical processes, tasks should be shared in accordance with the dual control principle.
Your desk must be organized in such a way that unauthorized persons cannot get hold of confidential documents and data. In addition, valuables (especially laptops, PDAs, and mobile phones) must be protected against misuse and theft. Lock your PC when you leave your desk and ensure that confidential documents do not fall into the wrong hands when you print them. Also ensure that you do not leave confidential materials in meeting rooms (wipe the whiteboard and take flipchart paper with you). Use secure methods to destroy data carriers that contain confidential information.
When using an SAP e-mail account, you seem to be a SAP employee. When communicating using e-mail, ensure that documents and information are not passed on to unauthorized parties; for example, check distribution list members before sending confidential documents. You are obliged to protect your SAP voice mail box using a PIN. The same applies to your SAP mobile phone. Always coordinate contact with the press, public authorities, and other external bodies with SAP Corporate Communications.
All business processes at SAP are bound by regulations to protect personal data. If data is transferred to non-European Union states, appropriate measures must be taken to protect the data subject's right to privacy and to ensure that the level of security is sufficient. In general, the data may only be used for the purpose for which it is intended and must be erased once the purpose has been completed or when the storage period, whether legally defined or defined by SAP, has expired. The data protection officer must be involved in good time in the definite planning and preparation of new procedures for processing personal data. Persons who access personal data during the course of their work must read and understand the additional information contained in the appropriate Security Standard, available in the SAP Service Marketplace under the Quick Link /dataprotection, from the data protection officer, or from the SAP legal department.
Documents at SAP are classified according to the following five categories: public, customer, internal, confidential, and strictly confidential. These globally valid categories are to be used in English. In addition, the category can be translated into other languages as appropriate. All documents must be classified. They must be processed and protected in accordance with their category and the Standard. Documents that have not been classified must be treated at least as internal.
Facility Access Card
Note: This section applies only to SAP buildings with card-based access systems. Each person needs a valid security card to access SAP buildings. This must display the employee’s or external party’s name and photograph. Generic visitor cards are available for short-term visitors only. You are not permitted to give your security card to third parties. If you lose your security card, you must immediately inform the office that issued the card or SAP Security in Walldorf (+49 62277 42400).
This standard applies to the operation of IT systems. It describes the fundamentals of rights of ownership, access to systems, and network connections, as well as secure configuration and security-relevant topics such as virus protection and security checks. Everyone at SAP should pay particularly close attention to the topics of liability and data backup, as well as to the use of personal IT systems and the use of servers. If the system is maintained by SAP IT, it can be assumed that the requirements of the Security Standard have been met.
Security-relevant requirements for all SAP products are described in the Security Standard for SAP Solution Production. These security requirements also apply to the development of internal applications. The most up-to-date version of the Security Standard is available in the SAP Service Marketplace under the Quick Link: /securitystandard
Managing Access of External Parties at SAP
This standard describes the procedure for giving access rights to external users. It therefore predominantly affects all persons involved in assigning and administrating access rights for external parties.
The goal of this standard is to protect mobile devices that are not defined as laptops, such as PDAs, mobile phones, and portable storage media. Remember that the information stored on the devices may be considerably more valuable than the device itself, and that devices should therefore be handled with great care. The use of private mobile devices should always be avoided. The use of protective measures such as passwords or encryption is always recommended. For data that is classified confidential or higher, a password is compulsory. If you use such devices, please make sure you have read and understood the information in the standard.
No one likes them, but the fact is that the best security technology is no use if intruders can sneak into the system by automatically guessing passwords. The system now asks you to change your SAP_ALL password every six months, and the system will only accept passwords that pose a minimal security risk. For other systems, you are also obliged to use secure passwords. Secure means it must contain at least six characters from three of the four character categories (Latin upper and lower case, Arabic numbers, symbols). For tips on generating secure passwords, refer to the standard.
To log on to systems, authentication using passwords or PINs is generally required. When using means of authentication, it is important that you note the following: Choose a secure password (see respective standard). Do not pass it on to third parties, do not write it down, and ensure that no one is watching you when you enter it. If you suspect that your password is no longer secure, change it as soon as possible and/or inform the department responsible, this is usually SAP IT.
Third Party Systems
Every non-SAP system is a point of entry to the SAP network and is thus vulnerable to viruses or attempted access from outside. A non-SAP system should therefore be connected to the SAP network only if a particular and definite business interest exists. SAP owned devices that can be provided by Global IT should always be first choice. A non-SAP system should be connected to the network only if the desired tasks cannot be performed using SAP devices.
It is forbidden to deactivate virus protection on SAP PCs. If there are compatibility problems between antivirus software and other applications, please contact IT Support. Check at regular intervals that your PC has an up-to-date version of the virus signatures. Always check data carriers from third parties for viruses before you open files. Persons whose SAP-PCs are not constantly connected to the SAP network are additionally obliged to dial in or connect to the SAP network regularly to ensure that the security configuration is up-to-date. If necessary, contact IT Support to do this.
Usage of Infrastructure
When using the SAP communication infrastructure it is strictly forbidden to transmit immoral, racist or illegal content. The use of SAP Infrastructure including e-mail-account and internets is allowed only for business usage. If there are indications of misuse SAP is allowed to control and monitor the usage.