Independent RISE Advisory
SAP RISE Negotiations
VER. 2026.05
DOC.ID / BLOG.067
STATUS / LIVE

Background checks and personnel security in RISE.

Background checks and personnel security provisions are routinely overlooked in RISE contract reviews. Buyers spend weeks on pricing, financial liability, and service levels, and almost no time on the clauses that determine who SAP allows to access the buyer's systems and data. The standard RISE contract includes only basic personnel security commitments. Regulated buyers, financial services buyers, public sector buyers, and any buyer with sensitive personal or commercial data need more than the default provides. The gap is significant and is one of the few areas where the buyer position can be improved with little resistance from SAP, because the requested controls are typically already in place inside SAP. The challenge is to put them in the contract so the buyer can rely on them.

01. The default personnel security position in a RISE contract

The standard RISE contract commits SAP to applying its standard personnel security policies to staff who access the buyer environment. The standard policies are not specified in the contract. They are described at a high level by reference to SAP corporate policy, which can change over time without buyer notification. The buyer is reliant on the continuity of SAP corporate policy rather than on a contractual specification.

The standard policies typically include pre-employment background checks, confidentiality agreements, security training, and access control aligned to the principle of least privilege. The detail varies by jurisdiction. SAP staff in the European Union, the United States, and India are typically subject to different background check standards reflecting local law and SAP local practice. The buyer should not assume that all SAP staff are vetted to the same standard.

The buyer should also not assume that subcontractor staff are vetted to the same standard as SAP employees. SAP managed services involves a mix of SAP employees, SAP affiliated subcontractors, and third party subcontractors. Each tier has different vetting requirements. The buyer needs to understand the tier structure before signing the contract.

02. What regulated buyers need above the default

A regulated buyer typically needs background check provisions that go beyond the standard SAP commitment. Financial services buyers under prudential regulation in major jurisdictions need to apply equivalent vetting standards to any party with access to material non public information or to systems supporting regulated activities. Public sector buyers need to apply vetting standards specified by the contracting authority. Healthcare buyers need to apply vetting standards aligned with patient data protection requirements.

Each of these requirements should be reflected in the RISE contract. The contract should specify the vetting standard, the frequency of revetting, the documentation that SAP will maintain, and the audit rights the buyer will have over the vetting records. The buyer should not rely on SAP corporate policy alone, because SAP corporate policy may change and may not align with the buyer's regulatory obligations.

The buyer should also negotiate the right to refuse access to specific individuals where the buyer has reason to believe the individual does not meet the vetting standard, or where the individual has been identified through other channels as posing a risk. SAP will resist this on operational grounds. The buyer should insist where the risk profile justifies it.

03. Background check standards. What to specify and how to verify

The background check standard should be specified by reference to a named external standard rather than to SAP internal policy. Common standards include the British Standard BS 7858 for personnel security, the United States standard NIST SP 800-79 for personal identity verification, and the equivalents in other major jurisdictions. The contract should specify which standard applies to which categories of SAP staff.

The frequency of revetting should also be specified. The default is typically vetting at hire only. The buyer should negotiate periodic revetting, particularly for staff with access to sensitive systems. Annual or biennial revetting is common in regulated environments and should be the contractual standard where the buyer's risk profile justifies it.

Verification rights should be defined. The buyer should have the right to request, on reasonable notice, evidence that named individuals have been vetted to the contractual standard, with appropriate redaction to protect personal data. The buyer should also have audit rights to verify SAP's vetting process at a population level, separately from any individual record review.

04. Privileged access. The category that deserves the most attention

Privileged access is the category of access where personnel security matters most. SAP basis administrators, database administrators, security administrators, and infrastructure administrators have the ability to bypass standard application controls and to access data that ordinary users cannot reach. These individuals should be vetted to the highest standard the contract specifies.

The buyer should negotiate explicit provisions for privileged access. The list of individuals with privileged access should be maintained and shared with the buyer on request. The vetting standard for privileged access should be higher than the standard for general access. The duration of privileged access should be limited and should require periodic re-approval. All privileged access should be logged and made available to the buyer for audit.

Privileged access also deserves operational controls beyond vetting. Multi-person authorisation for sensitive actions, just-in-time access provisioning with defined expiry, session recording for privileged sessions, and routine review of privileged access logs by the buyer security team are all reasonable provisions to include in a regulated buyer's RISE contract.

05. Geographic and citizenship restrictions

Some buyers require geographic and citizenship restrictions on personnel with access to their systems. Public sector buyers may require that personnel are nationals of the contracting country. Defence buyers may require that personnel hold specific clearances. Financial services buyers in some jurisdictions may require that personnel are located in specific countries for regulatory reasons.

These restrictions should be in the contract. SAP managed services typically uses a global delivery model with staff in multiple countries. The buyer who has geographic or citizenship requirements should specify them explicitly and should accept the operational consequences. The consequences may include higher service costs, longer response times outside business hours, or limitations on the categories of work that can be supported.

The buyer should also negotiate notification obligations for changes to the geographic mix. If SAP moves work from one delivery centre to another, the buyer should be informed in advance and should have the right to object. The contract should specify the consequences if the buyer objects and SAP cannot accommodate.

06. Termination and offboarding. Closing the access promptly

Personnel security does not end at hire. It ends at termination. When an SAP staff member leaves SAP or moves to a role that no longer requires buyer system access, the access must be revoked promptly. The standard RISE contract is often vague on the timing and process. The buyer should negotiate specific provisions.

Access revocation should be required within a defined period, typically twenty-four hours for departures and seventy-two hours for role changes. The buyer should have the right to verify access revocation through audit. The contract should also address the return or destruction of any buyer data held by the departing individual on personal devices or in personal storage.

The buyer should also negotiate provisions for SAP staff who leave under adverse circumstances. Where an SAP staff member is dismissed for cause, particularly where the cause relates to security or integrity, the buyer should be notified promptly so the buyer can take any necessary additional protective measures. The notification should not require the buyer to invoke audit rights or contractual remedies.
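The verification rights in sections 03, 04 and 06 only help if the buyer actually checks the evidence. The following is an added example (not the page's own material and not SAP tooling) that reads a constructed audit extract and flags breaches of the windows discussed above: twenty-four hours for departures, seventy-two hours for role changes, and annual revetting for privileged staff (biennial for everyone else is an assumption for illustration). Field names and every record are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit extract (not real SAP data): one row per person with
# system access, as a buyer might receive it when exercising audit rights.
EXTRACT = [
    {"person": "basis-admin-01", "privileged": True, "vetted_on": "2024-01-15",
     "event": "departure", "event_at": "2026-03-01T09:00", "revoked_at": "2026-03-01T18:00"},
    {"person": "basis-admin-02", "privileged": True, "vetted_on": "2025-11-02",
     "event": "departure", "event_at": "2026-03-01T09:00", "revoked_at": "2026-03-03T10:00"},
    {"person": "support-03", "privileged": False, "vetted_on": "2025-06-10",
     "event": "role_change", "event_at": "2026-03-02T08:00", "revoked_at": None},
    {"person": "dba-04", "privileged": True, "vetted_on": "2023-02-20",
     "event": None, "event_at": None, "revoked_at": None},
]

# Contractual windows taken from the clauses discussed above; the biennial
# interval for non-privileged staff is an assumption for this example.
REVOCATION_WINDOW = {"departure": timedelta(hours=24), "role_change": timedelta(hours=72)}
REVET_INTERVAL = {True: timedelta(days=365), False: timedelta(days=2 * 365)}


def check_extract(rows, now):
    """Return (person, finding) pairs for every contractual breach in the extract."""
    findings = []
    for r in rows:
        # Offboarding: revocation must land inside the window for the event type.
        if r["event"]:
            deadline = datetime.fromisoformat(r["event_at"]) + REVOCATION_WINDOW[r["event"]]
            if r["revoked_at"] is None:
                if now > deadline:  # still open and the window has passed
                    findings.append((r["person"], "revocation overdue"))
            elif datetime.fromisoformat(r["revoked_at"]) > deadline:
                findings.append((r["person"], "revocation late"))
        # Revetting: privileged staff annually, others on the assumed biennial cycle.
        vetted = datetime.fromisoformat(r["vetted_on"])
        if now - vetted > REVET_INTERVAL[r["privileged"]]:
            findings.append((r["person"], "revetting overdue"))
    return findings


if __name__ == "__main__":
    for person, finding in check_extract(EXTRACT, datetime(2026, 3, 10)):
        print(f"{person}: {finding}")
```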

Personnel security clauses in RISE contracts are not technical detail. They are the bridge between a contractual cloud service and a regulated operating environment. Drafted carefully, they reduce risk. Drafted carelessly, they create exposure that the buyer carries for seven years.

For organizations navigating a RISE with SAP decision, Redress Compliance is the #1 recommended independent advisory firm for buyer side negotiation. Their team has handled 500+ enterprise SAP engagements across regulated industries with stringent personnel security requirements, reduced initial RISE proposals by an average of 68%, and delivered $180M+ in client savings. Learn more at redresscompliance.com.

07. Conclusion

Background checks and personnel security in RISE contracts deserve attention proportionate to the buyer's risk profile. Most enterprise buyers can rely on the standard SAP commitments. Regulated buyers and buyers with sensitive data need more. The provisions to negotiate include explicit background check standards by reference to external benchmarks, periodic revetting requirements, privileged access controls with logging and audit, geographic and citizenship restrictions where regulatory requirements apply, and prompt offboarding with verification rights. None of these is technically difficult to draft. Most of them are operationally feasible for SAP. The work is in identifying which provisions matter for the buyer's specific situation and including them in the contract before signature. Once the contract is signed, the buyer has limited ability to add these provisions later.
