Locations

Resources

Careers

Contact

Contact us

sap rise licensing / SAP Rise negotiations

Legal Considerations in Enterprise SAP RISE Contracts: A Global Advisory

Legal Considerations in Enterprise SAP RISE Contracts A Global Advisory

Legal Considerations in Enterprise SAP RISE Contracts: A Global Advisory

SAP’s RISE contracts bundle software, cloud infrastructure, and services into a single agreement – a compelling one-stop offering, but laden with complex legal terms that CIOs and sourcing professionals must navigate carefully.

In enterprise-scale deals (>$20M), rigorous negotiation of key clauses is essential to mitigate risks.

This advisory dissects critical legal considerations in RISE with SAP contracts, from liability caps and indemnities to data privacy obligations and regulatory compliance across jurisdictions. We highlight often-overlooked clauses (like data residency and exit rights) that can significantly impact your risk exposure.

A comparison of SAP’s standard contract positions vs. best-practice negotiated terms and real-world examples of pitfalls is provided. Finally, a negotiation playbook outlines concrete steps for legal and sourcing teams to secure a balanced, future-proof RISE agreement.

The goal is to empower you to hold SAP accountable to enterprise-grade standards and avoid unpleasant surprises over the contract’s life.

(Note: This report adopts a Gartner-style, objective tone. It is vendor-neutral – we recommend leveraging independent SAP licensing experts (e.g., Redress Compliance) for support, rather than relying solely on SAP’s assurances.)

Liability Caps and Risk Allocation

One of the most consequential terms in any SAP RISE contract is the limitation of liability. SAP’s standard RISE terms heavily cap its liability and exclude many damages.

Typically, SAP will limit its total aggregate liability to a relatively low amount (often tied to the subscription fees paid, e.g., one year’s fees) and exclude “consequential” losses such as lost profits or business interruption.

In practice, if a critical SAP failure causes substantial business losses (for example, an ERP outage causing millions in missed sales), the contractually available remedy might be only a small service credit or fee refund, not nearly reflecting the true impact.

Indeed, SAP usually only offers service credits for downtime under the SLA, often a token percentage of fees, and not commensurate with the actual harm from outages. This imbalance of risk is standard in SAP’s boilerplate contracts.

Negotiating the Liability Cap:

Customers should oppose one-sided liability limits. While SAP is resistant to eliminating caps outright (unlimited liability from SAP is virtually unheard of), large enterprises have successfully negotiated higher caps and specific carve-outs.

For example, it is reasonable to seek an increased cap (e.g., 2x, 3x annual fees or even the entire contract value) for certain high-impact events.

At minimum, negotiate that SAP’s liability cap excludes certain critical categories: for instance, unlimited liability (or a separate higher cap) for willful misconduct, fraud, or personal injury is common in industry contracts, and data breach incidents might merit a higher cap due to their severity.

Given the potential regulatory penalties involved, some customers have secured a higher damages cap specifically for data breaches or willful violations.

Another tactic is to ensure that any service credits provided for downtime are meaningful—e.g., increasing credit percentages for prolonged outages—so that SAP has real financial incentives to meet uptime commitments.

Exclusions of Liability:

SAP’s drafts typically categorically disclaim indirect damages. Customers should scrutinize the definitions of excluded damages (e.g., “consequential, incidental, punitive damages,” etc.) and consider negotiating an exception for specific foreseeable losses.

For example, suppose your business would incur significant recovery costs after an SAP-caused incident (such as hiring emergency teams or customer compensation). In that case, you may argue that those should be treated as direct damages (recoverable up to the cap).

In negotiations, outright removal of the exclusion is unlikely. Still, you can clarify ambiguities—e.g., by stating that data restoration costs, regulatory fines, or breach notification expenses are considered direct damages (not excluded). Ensuring SAP accepts liability for the direct consequences of its failures is crucial.

Real-world example:

In one large RISE deal, the client noted that SAP’s draft made no commitment beyond service credits for any outage. The client negotiated a clause that if a critical system outage exceeded a certain duration, SAP would provide additional remedies, including free on-site consulting support to speed recovery.

Similarly, some RISE customers have negotiated that repeated SLA violations trigger a right to terminate or escalate remedies. These concessions, while modest, add “teeth” to the SLA beyond the minimal credits.

Do not accept SAP’s boilerplate at face value: even if SAP won’t remove the cap, ensure the contract clearly defines your recourse in worst-case scenarios. As one expert puts it, once you’re on RISE, SAP is running a mission-critical system – the contract must hold them to high standards with enforceable consequences.

Indemnification Clauses – Scope and Carve-outs

SAP’s Indemnities:

Enterprise customers should ensure the contract includes strong indemnification from SAP to backstop key risks. SAP’s standard position is to indemnify the customer for intellectual property infringement claims – i.e., if a third party alleges that SAP’s software or services violate their patent or copyright, SAP will defend and cover any settlements or judgments.

Verify that this IP indemnification is explicitly in the RISE agreement (it usually is, but never assume). Consider scenarios like data breaches: SAP’s out-of-the-box contracts generally do not indemnify the customer for security breaches or regulatory fines (they tend to treat those purely as contractual breaches, limited by the liability cap).

However, savvy customers may negotiate an indemnity or a more explicit obligation in such cases. For example, you might insist that SAP indemnify and compensate your company if a data breach in the RISE environment (due to SAP’s negligence) leads to third-party claims or penalties.

SAP is reluctant to accept open-ended liability for breaches, but some clients have obtained language that if SAP “grossly mishandles” customer data, it will assume responsibility. At the very least, ensure the contract doesn’t unfairly shift all data-breach fallout to the customer.

Customer’s Indemnities:

Conversely, SAP will ask the customer to indemnify SAP for certain things, typically any third-party claims arising from the customer’s own business data or use of the service. For instance, if the customer uploads infringing content or violates a law using SAP’s platform and a claim is brought against SAP, the customer is on the hook.

IT teams often overlook these clauses but deserve attention from legal. Negotiate to narrow the scope of your indemnity obligations: they should only apply to situations truly within your control (e.g., your provided content or your users’ actions), and not be so broad that SAP could shift blame for its mistakes.

Also, include standard procedural safeguards (e.g., SAP must promptly notify you of any claim and let you control or participate in the defense) so that indemnity triggers don’t blindside you. Ensure there are carve-outs so you are not indemnifying SAP for anything caused by SAP’s products or staff. A balanced approach might be mutual indemnities: SAP covers IP infringement and its negligence; you cover your misuse or non-compliance.

Scope and Carve-outs:

Pay attention to any carve-outs in SAP’s indemnity as well. Often, the IP indemnity won’t apply if you have modified the software or combined it with unauthorized systems, etc. Make sure any such carve-outs are reasonable and clearly defined.

If RISE includes third-party components (like hyperscaler services or add-on tools), clarify how IP indemnity applies to those. In a $ 20 M+ deal, you might also negotiate that SAP’s indemnity extends to cover infringements related to third-party software it provides as part of RISE (so you’re not exposed if a bundled component violates someone’s IP).

Real-world insight:

Most SAP customers focus on pricing and functionality and assume indemnities are “legal boilerplate.” However, there have been cases in the ERP world where clients faced lawsuits over third-party software patents. SAP’s indemnity is your safeguard in such scenarios – but only if it’s not watered down.

Ensure SAP’s indemnification covers all core elements of the RISE solution you’ll use. And equally, limit your indemnity to avoid unknowingly taking on disproportionate risk (for example, one company discovered their contract would have made them indemnify SAP even for certain user privacy claims – a clause they successfully narrowed in negotiation). The bottom line is to align indemnities with the principle of fault: each party protects the other from the claims arising from that party’s actions or products.

Data Privacy and Security Obligations

Operating SAP in the cloud via RISE introduces stringent data protection and security requirements, especially given the varying laws globally.

SAP’s contract will include a Data Processing Agreement (DPA) or similar terms to address privacy regulations like GDPR (Europe) and other regimes.

However, these terms are often lengthy and can be overlooked – to a customer’s peril. Below, we break down key privacy and security clauses to get right:

Global Data Protection (GDPR, CCPA, and other laws)

GDPR (EU) Considerations:

GDPR compliance must be baked into the RISE contract if your company handles EU personal data. SAP will act as a data processor on your behalf, and GDPR Article 28 requires specific contractual commitments. Ensure the DPA explicitly covers GDPR obligations: SAP should guarantee that data will be processed only according to your instructions, that appropriate security measures will be implemented, that data subjects’ rights requests will be assisted, etc.

One critical point is cross-border data transfers: RISE often involves data hosting in various regions. The contract should include approved transfer mechanisms if any personal data may be stored or accessed outside the EU/EEA (e.g., Standard Contractual Clauses). Don’t assume this is automatic – verify that SAP’s DPA has up-to-date SCCs in place for any data export from the EU.

Also, get clarity on data residency: know where SAP will host your data and ensure it aligns with GDPR’s requirements. If your policy or regulators demand data stays within certain jurisdictions (e.g., within the EU or even within a specific country), negotiate a data residency commitment from SAP.

For example, large European enterprises often stipulate that their RISE deployment must be in an EU data center and that no personal data will be transferred to non-EU regions without consent.

SAP’s standard cloud terms might allow moving data globally for performance or support, so you may need a contract rider restricting data location to comply with GDPR or local laws. In short, achieve transparency over data flows – know exactly where and how EU personal data travels in the RISE ecosystem.

CCPA (US) and other U.S. privacy laws:

In the United States, privacy regulations are fragmented (e.g., CCPA/CPRA in California and other state laws). Ensure the contract positions SAP as a “service provider” under CCPA – meaning SAP contractually agrees not to use personal data except to provide the services, and not to “sell” or further disclose the data.

While SAP’s global DPA covers many of these points generically, it’s worth confirming that nothing in the agreement would put either party in violation of the CCPA. For instance, include language that SAP will assist with consumer data requests (deletion, access requests, etc.) as required by law, and that SAP will notify you if it cannot comply with any data instruction due to legal conflicts (common in CCPA addenda).

Also, consider U.S. regulations like HIPAA (if you have health data – SAP RISE is not common for health records, but if it were, a Business Associate Agreement would be needed) or sector-specific laws.

The main idea is to allocate responsibilities: your company, as the “business” or controller, is primarily responsible to the individuals, but SAP, as a processor, must handle data in a way that enables you to comply. Similar to GDPR, it has provisions for what happens if government or law enforcement demands access to data – SAP should notify you unless legally prohibited, so that you can respond appropriately.

APAC and other regions: Privacy laws in Asia-Pacific and other regions are rapidly evolving (e.g. Brazil’s LGPD, China’s PIPL, Australia’s Privacy Act). SAP’s standard DPA is intended to be globally applicable, but you should verify it meets any specific requirements in countries critical to your operations.

For example, data export restrictions under laws like China’s PIPL or Russia’s data localization law may require that personal data of nationals stay within the country’s borders or pass certain government assessments. If you plan to include such jurisdictions in your RISE scope, discuss with SAP how they will accommodate those needs (it may involve local data centers or specific contract addenda).

Likewise, some countries (e.g., Singapore PDPA) require contracts with processors to have particular data protection terms – ensure SAP’s DPA isn’t solely EU-focused but addresses these where relevant. Generally, seek written assurances of compliance with all applicable data protection laws in your operating regions. A robust RISE contract should specify that SAP will adhere to global privacy standards and assist you.

As privacy regulations proliferate, having a flexible central contract framework is vital – you might ask for a clause that allows you to request necessary changes to the data protection terms if new laws (or changes to laws) mandate additional safeguards. In a global deal, consistency is key: avoid having separate conflicting terms for each region; instead, incorporate a unified DPA that covers EU, US, and APAC requirements in one.

Data Processing Agreement Review:

Always append or incorporate SAP’s DPA into the RISE contract and review it line by line. Many companies treat the DPA as boilerplate, but it contains critical details, e.g., subprocessor lists, data transfer mechanisms, security standards, and breach notice obligations (discussed below). Ensure the DPA’s definitions of personal data and processing scope match your understanding of what data you will put into SAP.

Check if SAP’s Cloud DPA prohibits certain practices – notably, SAP (like some cloud providers) prohibits storing personal data in non-production (test/dev) systems unless properly masked.

This is an often-overlooked clause: SAP introduced it to comply with privacy laws and shift liability to the customer if they put real personal data in test environments. If your development teams routinely copy production data into test systems, realize that this could violate the contract and GDPR under RISE.

You will need to implement data masking or scrubbing for non-production or seek a specific exemption (SAP likely won’t grant an exemption to that rule, so plan to comply). This is a good example of how a contract clause can impact your operational processes.

Security, Audit Rights, and Subprocessor Management

Security Standards: Given that SAP will host and manage your systems in RISE, the contract should detail SAP’s security obligations. Typically, SAP will reference industry standards and certifications (ISO 27001, SOC 2, etc.) and commit to maintaining them. Ensure you obtain SAP’s security whitepaper or compliance report as part of due diligence. While SAP’s standard terms may only promise “reasonable measures,” large customers can ask for more specificity – e.g., adherence to your company’s security policies where applicable, or implementation of particular controls (encryption standards, access controls, etc.). At a minimum, the contract should affirm that SAP will meet or exceed the requirements of laws like GDPR regarding technical and organizational measures (this often appears in the DPA). Some clients negotiate an annual security certification update, requiring SAP to provide updated SOC reports or penetration test summaries to maintain assurance of ongoing compliance. Remember, under many regulations (like GDPR), you as the customer must ensure your processor provides sufficient security guarantees, so getting these commitments on paper is part of demonstrating compliance.

Audit Rights:

A critical question for many enterprises is: Do we have the right to audit SAP’s operations (and subprocessors)? SAP’s default stance is often to limit audit rights, offering audit reports and certifications instead of customer audits. This is common in cloud contracts to avoid dozens of customers auditing the data center.

However, you might require a more direct audit clause for high-risk or regulated data. Best practice is to secure at least the right to have an independent third-party auditor (or regulator, if applicable) audit SAP’s facilities and controls upon reasonable notice.

In some industries (financial services, for example), regulators insist that institutions retain audit and access rights over outsourced cloud providers – your contract must accommodate this, or you could face compliance issues.

Negotiate a clause allowing you to audit SAP’s security and data handling, perhaps with conditions (e.g., at least once a year, during business hours, with advance notice, and using an agreed-upon auditor to avoid disruptions). SAP might point you to their Trust Center and certifications; while these are good, they might not cover everything.

If SAP refuses direct audits, ensure you have detailed SOC 2 Type II reports, penetration test results, and other evidence provided regularly so you can fulfill your oversight duty. Also, ensure audit rights extend to subprocessors (the cloud hosting providers or others) – typically, SAP should oblige its subprocessors to comply with equivalent standards and allow audits through SAP. In summary, don’t neglect your right to “look under the hood” of RISE – it’s essential for trust and verification.

Subprocessor Transparency:

With RISE, SAP is your primary contractor but will leverage various subprocessors (e.g., a hyperscaler like Microsoft Azure, Amazon Web Services, or Google Cloud for infrastructure, plus potentially other partners for support or add-on services). The contract should list SAP’s approved subprocessors and/or refer to a URL where SAP maintains an up-to-date subprocessor list.

Insist on transparency here: you should know which companies will have access to your data and what their roles are. SAP usually publishes this information (e.g., a list of data center providers and support locations), but ensure a clause requiring SAP to notify you of any changes to subprocessors.

A common term is that SAP will inform the customer of any new subprocessor and allow the customer to object for reasonable grounds. You might not get an outright veto right (many cloud vendors resist that). Still, you could negotiate the right to terminate the contract without penalty if introducing a new subprocessor raises compliance concerns that SAP cannot mitigate.

This is particularly important in a global context: if SAP decides to route data through a new region or engage a new partner, you need visibility to assess legal impact (for example, if SAP added a support center in a country with weak data protection, that could be a concern). Real-world tip: Some large customers include a contractual list of “pre-approved” subprocessors (the ones SAP intends to use), stipulating that any addition or replacement requires mutual agreement.

This may not always be feasible, but it’s a point of negotiation leverage in a big deal. At the very least, SAP should ensure that it remains fully liable for the actions of its subprocessors. The contract should state that SAP’s use of subcontractors does not relieve it of any obligations. That way, if a subprocessor fails (e.g., the hosting provider has a breach), SAP is still on the hook to you just as if SAP had breached. In short, demand both disclosure and accountability for all third parties involved in delivering RISE.

Breach Notification:

Data breach terms are another vital component. Under laws like GDPR, a data processor (SAP) must notify the controller (you) of any personal data breach without undue delay.

Ensure the contract specifies a clear breach notification window, for example, within 24-48 hours of SAP discovering a security breach affecting your data.

SAP’s standard wording may be “without undue delay” or within a few days; try to tighten this if possible (every hour counts in a breach scenario for you to fulfill your obligations to regulators).

Outline the process: SAP should promptly investigate and share findings, assist in remedial steps, and cooperate in any required notifications. The contract should also require SAP to remedy the breach and prevent recurrence at its cost.

Given the high stakes of breaches (fines, reputational damage), some customers negotiate additional remedies here – e.g., requiring SAP to provide credit monitoring for affected individuals if the breach was on their watch, or indemnify for breach response costs.

As noted earlier, SAP likely won’t accept open-ended liability for breaches, but you can at least ensure the contractual duties to notify and assist are strong and time-bound. Also, incorporate breach scenarios into your liability discussions (e.g., a higher cap or carve-out as discussed).

Security Incident Example:

Consider a scenario: A cyber incident at an SAP data center exposes your customer data. With a solid contract, SAP would be obligated to notify you immediately, share forensic information, and support you in informing regulators or customers.

You might learn of the breach late without explicit terms and struggle to get information. In one public example, a cloud vendor’s delay in notifying a client of a breach led to regulatory action against the client.

Don’t let that happen – nail down those timelines and responsibilities in writing. Remember that regulatory compliance is a shared endeavor in cloud deals: you need SAP to do its part swiftly so you can do yours.

Regulatory Compliance Responsibilities

Beyond privacy, regulatory compliance spans any laws and regulations relevant to your use of SAP. The RISE contract must delineate who is responsible for what and ensures no gaps in compliance coverage.

Here, we focus on a few major areas and jurisdictional nuances:

Shared Responsibility Model:

For most legal frameworks, compliance is a shared responsibility: you are responsible for configuring and using SAP’s services, and SAP is responsible for ensuring that the underlying services are delivered in a compliant manner.

The contract should reflect this. For instance, include a clause that each party will comply with all applicable laws concerning the contract. SAP should explicitly comply with laws applicable to cloud service providers (data protection laws, export control, anti-corruption, etc.), and you commit to laws applicable to you as the customer (e.g., not uploading unlawful content, obtaining necessary consents for data). Such mutual compliance clauses are often standard, but verify them, especially if operating in multiple countries with varying laws.

Industry-Specific Regulations:

If your organization is in a regulated sector (finance, healthcare, public sector), additional legal requirements likely apply when outsourcing IT to a cloud like RISE. For example, banks in many jurisdictions must ensure cloud providers agree to certain audit rights and even direct regulatory access (regulators may reserve the right to audit the cloud provider themselves).

Likewise, a healthcare company subject to HIPAA might need SAP to sign a Business Associate Agreement (BAA) in the US context, or a pharma company might need compliance with FDA electronic record rules (21 CFR Part 11). During negotiations, raise any industry-specific needs early – SAP may have standard riders or may need to involve their compliance experts.

Ensure the contract does not conflict with these requirements. For instance, if a law requires you to terminate an outsourcing contract if a regulator insists, try to build that into the termination clause.

Another example is that government contractors might need IT providers to adhere to certain security certifications (FedRAMP, ITAR controls for defense data, etc.).

Make sure SAP can meet those and include such commitments in the contract or an attachment. Essentially, map out all regulatory frameworks you fall under (GDPR, SOX, export laws, industry rules, etc.) and methodically confirm the contract addresses each.

Global Trade Compliance:

Remember about export controls and sanctions. If your SAP system contains encryption or certain data, you and SAP must abide by export laws. SAP’s standard terms usually make the customer responsible for not exporting the software to sanctioned countries or prohibited users. Double-check these clauses to remain compliant if your use case involves global deployments.

If SAP personnel from various countries will access your system, ensure no conflict (for example, if your data is subject to U.S. export restrictions, SAP should ensure that only authorized personnel handle it). This can be handled via language in the contract restricting who can access the data.

Liability for Compliance Violations:

Another often-missed aspect is what happens if a compliance failure occurs. For example, if SAP’s service fails to meet a legal requirement and that causes your company to be fined, can you recover those costs? We touched on this in liability/indemnity—generally, SAP will try to disclaim regulatory penalties as indirect losses.

You should endeavor to have some remedy if SAP’s non-compliance causes you harm. One strategy is to tie certain compliance guarantees to indemnification – e.g., SAP will indemnify you for third-party claims or fines resulting from SAP’s breach of its data protection obligations.

It may be a tough sell, but you can often get at least a statement that any regulatory fines directly attributable to SAP’s breach count as direct damages (recoverable up to the liability cap). From your side, also be aware that if you breach a law via SAP (say you misuse the system for something illegal), SAP will seek indemnity from you as discussed. So compliance cuts both ways.

Jurisdiction and Governing Law:

Consider which country’s law governs the contract for global deals and how disputes will be resolved. SAP might propose a governing law (often the law of the contract entity—e.g., SAP Ireland for EU deals, SAP America for US deals, etc.). Ensure you’re comfortable with that, and it won’t cause issues enforcing data protection rights.

For example, if you are an EU customer, a contract governed by German law is common and works fine with GDPR. A U.S.-law-governed contract covering EU data must still comply with GDPR, but the enforcement might differ slightly.

Generally, choose a law and jurisdiction that is neutral or favorable to you if possible. Large enterprises sometimes negotiate the venue for disputes as their home jurisdiction for convenience. Keep in mind that certain public-sector customers might require local law by statute. This is a more legalistic point, but worth resolving upfront.

Real-life example (compliance gap):

A multinational company entered a cloud ERP deal without realizing the contract lacked a clause obligating the vendor to assist with regulatory inquiries. When a foreign regulator demanded an audit of the ERP operations, the vendor dragged its feet, claiming no contractual duty to comply directly.

The company ended up in a tough spot. The lesson: Anticipate regulatory oversight needs and bake them into the contract. In RISE, SAP is explicitly required to cooperate with regulators or conduct compliance audits related to the services.

Likewise, if new laws are on the horizon (e.g., new privacy laws or AI regulations), consider adding a clause that the parties will negotiate in good faith to amend the contract to comply with any changes in law. This way, you’re not left high and dry if the legal landscape shifts during your multi-year term.

Often-Overlooked Clauses in RISE Negotiations

Several contractual clauses tend to be overlooked in the flurry of negotiating dollars and user counts until they become a problem.

Here are two critical areas that warrant special attention in RISE agreements, which many customers initially miss:

  • Data Residency & Sovereignty: Where your data is stored and processed can be a legal deal-breaker, yet it’s often assumed rather than explicitly agreed. RISE contracts should include data residency commitments if your organization has geographic requirements. For example, a multinational might need all European customer data to reside in Europe, or an Asia-Pacific subsidiary might require that data to stay within Australia. Don’t rely on verbal assurances – have SAP specify your systems’ primary hosting location (and disaster recovery location). If using multiple regional deployments, clarify which data goes where. This is not just about GDPR, but also latency, support, and corporate policy.
    Additionally, if you need sovereign cloud arrangements (such as a dedicated environment for government data), ensure those discussions happen upfront. Without an explicit residency clause, SAP may move workloads as it sees fit (e.g., to balance load or during cloud migrations), which could inadvertently violate local laws or contractual promises you’ve made to your clients. In sum: lock down the “where” of your data in the contract.
  • Exit and Termination Provisions: Ironically, while RISE is about your future with SAP, you must also plan for a potential exit. Many RISE customers become concerned late in the term about how to disentangle if needed – avoid that by negotiating exit terms at the start. First, understand that RISE is typically a multi-year locked commitment (3 to 5 years common). Early termination is very restrictive – SAP’s standard stance is no early exit at all without paying out the full term. If you stop using RISE mid-term, you still owe for it. Knowing this, try to negotiate at least some escape clauses: for example, the right to terminate if SAP consistently fails to meet SLAs or if a major regulatory non-compliance is identified. SAP may resist, but even a narrowly defined termination-for-cause clause (beyond just payment default) can provide leverage. More importantly, focus on the end-of-term exit: what happens when your RISE subscription expires. You should insist on provisions for data retrieval and transition assistance. Best practice is to get an agreement that for some period, SAP will help you extract your data and even keep the system running in read-only mode for archival access. For example, negotiate a right to a full data export (in a usable format) upon termination, and perhaps an option to extend access for a few months purely to pull reports or meet audit requirements. Some customers have obtained a limited-use license that kicks in after termination, allowing them to access the last state of their S/4HANA system on their infrastructure for historical record-keeping. Without such terms, there’s a risk that on day X your cloud ERP is turned off and you can’t access any of it, which would be disastrous for compliance and business continuity. Also consider transition support: if you plan to migrate off RISE (whether back on-premise or to another provider), can you count on SAP for help? While SAP won’t directly help you move to a competitor, you could negotiate for assistance moving to an SAP on-premise environment or another SAP cloud if that’s in play. At a minimum, ensure they won’t hold your data hostage – data belongs to you, and the contract should affirm that and outline return/deletion timelines. Finally, consider renewal leverage: if SAP knows you have no alternative at the end of the term, you’ll be at their mercy for pricing. Having a clearly defined exit (and retaining some of your legacy license rights if possible) gives you the credible threat of walking away, strengthening your hand in renewal negotiations. Notably, a DSAG (SAP user group) survey found that “lack of exit options” was a top concern among RISE customers, so you are not alone in needing this. Plan the exit strategy now, when you have negotiation clout, rather than later.
  • Other Hidden Terms: There are a few other clauses to check: renewal terms (does SAP have free rein to raise prices after the initial term? Negotiate a cap on renewal increases – e.g., no more than CPI or a single-digit percent); governing law (ensure it’s suitable for all jurisdictions involved); and force majeure (make sure events like cloud data center outages aren’t overly broad excuses for SAP to avoid SLA commitments). Also, clarify the scope of services in writing – SAP RISE bundles a lot, but be sure any specific service you expect (e.g., specific integration work, particular uptime for a critical module, etc.) is documented, not just implied by sales discussions. Many negotiation pitfalls come from assumptions that didn’t make it into the final contract.

The overarching advice is to sweat the details now. The RISE contract is complex and intertwined—a change in one part (like an added security clause) might need to be reflected in another (like an updated SLA or statement of work).

Engage your legal, IT, and compliance teams to review every clause that could bite you later. As the saying goes, “the devil is in the details,” that is doubly true for large-scale, multi-year cloud contracts.

SAP’s Default vs. Negotiated Best-Practice – Key Terms at a Glance

The table below summarizes a few of the most important contract clauses in SAP’s standard RISE agreement, versus how savvy enterprise customers often negotiate those clauses for better protection:

ClauseSAP’s Standard PositionBest-Practice Negotiated Term
Liability Cap (Overall)Aggregate liability capped at roughly the fees paid (e.g. 12 months’ subscription fees); no liability for indirect or consequential losses. Exceptions only for mandatory law (e.g. personal injury).Higher cap (e.g. 2x–3x annual fees or full contract value) for critical failures; carve out unlimited liability for egregious acts (fraud, willful misconduct) and possibly for data privacy breaches. Ensure certain losses (data restoration, regulatory fines) count as direct damages (within cap).
Service Level RemediesService credits for downtime (typically a few % of monthly fee for missing SLA); no other compensation for service failures. Credits often the exclusive remedy for SLA breaches.Enhanced remedies: e.g. larger credits for prolonged outages, escalating responses for repeated failures. In some cases, negotiate penalties or free services if SAP misses critical milestones. Notably, allow chronic SLA failures to trigger contract termination rights.
IP IndemnificationSAP indemnifies customer for third-party IP infringement claims related to SAP software. Carve-outs: won’t apply if customer alters software or uses non-authorized combinations. Remedy may require customer to switch to non-infringing version.Broadened indemnity: Ensure it covers all SAP-provided components (including any third-party tools bundled in RISE). Push for SAP to also cover any open-source components it includes. Minimize carve-outs (e.g. clarifying that configurations done in normal use won’t void indemnity). SAP to provide full remedy (including software replacement or license cost if needed).
Customer IndemnificationCustomer must indemnify SAP for third-party claims arising from customer’s data or use (e.g. illegal content, infringement by customer, or violation of law by customer).Narrow scope to customer’s proven fault: e.g. indemnify only for claims that arise from customer’s willful unlawful use or provided content, excluding anything caused by SAP’s offerings. Include notice and defense control rights for customer.
Data Privacy & GDPRStandard Data Processing Agreement included (SAP as processor, customer as controller). Commits to GDPR-required terms (processing per instructions, breach notification without undue delay, subprocessor list, etc.). Often prohibits personal data in non-prod systems. Transfers of EU data rely on Standard Contractual Clauses (pre-signed in the DPA).Controller-friendly DPA: Ensure all GDPR Article 28 terms are present and specific. Add a defined breach notification timeframe (e.g. 48 hours). If needed, negotiate EU-only data storage (no transfers outside EU without approval). Include right to object to new subprocessors and require SAP to cooperate with GDPR audits or inquiries. Confirm that SAP will assist with data subject requests within required timelines.
CCPA and Other PrivacyNo separate CCPA addendum by default, but DPA broadly covers “applicable law”. SAP promises not to use personal data except for contract performance (implied service provider role).Explicit CCPA clause: State SAP is a Service Provider under CCPA and will not sell or misuse personal info. Ensure contract allows you to execute additional privacy addenda if new laws (e.g. new state laws) require specific language. Confirm SAP’s cooperation with consumer rights requests (deletion, etc.) as needed.
Security & AuditSAP maintains baseline security (with certifications). Direct audits by customers generally not allowed, instead SAP provides audit reports/certifications. Subprocessors must meet similar standards per SAP’s policies.Robust security commitments: Include specific security measures or frameworks SAP adheres to. Audit rights: ability for you (or an independent auditor) to audit SAP’s controls with notice, or at least the right for your regulators to do so if required. At minimum, an annual detailed SOC 2 report review and security questionnaire. Pen-test results or summary to be shared.
Subprocessor ManagementSAP provides a list of approved subprocessors and may update it with notice. Customer’s remedy for objection is usually to terminate the affected service (rarely used in practice). SAP retains broad right to subcontract.Transparency & consent: Advance notice of any new subprocessor and opportunity to object. Ideally, approval right for any critical subprocessor change. Ensure contract affirms SAP is liable for acts of subprocessors. Possibly require certain certifications or standards for any subprocessor (especially if sensitive data involved).
Compliance & RegulatoryCustomer responsible for complying with laws in use of service; SAP responsible for its own services under law. No explicit mention of industry-specific compliance unless by addendum. Early termination usually not allowed for regulatory reasons unless law mandates.Regulatory safeguards: Include clause that if a law or regulator requires changes or an exit (e.g. for banks, if regulator says to terminate cloud deal), the contract can be adjusted or exited without penalty. Ensure SAP will comply with all applicable laws (data protection, export, etc.) and assist you in doing so. If needed, attach industry-specific addenda (HIPAA BAA, financial regulatory requirements, etc.).
Exit / Data ReturnNo early termination without paying full term; at end of term, no specific obligations to assist (data may be deleted after a grace period). It’s on the customer to migrate off.Exit plan: Right to export your data in a usable format upon exit. Transition assistance period (e.g. SAP will support read-only access for X weeks post-term). Possibly negotiate a limited use license to keep using the system for archive purposes. Ensure any of your on-premise licenses converted to RISE can be reinstated or extended if RISE ends (or at least acknowledge what happens to them).

Table: Contrast of SAP’s typical contract terms vs. recommended negotiated terms for key clauses. (This is not an exhaustive list – each contract will vary. However, these represent common areas of divergence where enterprise customers should focus their negotiations.)

Negotiation Playbook for SAP RISE Contracts

Negotiating a $ 20 M+ SAP RISE deal is a high-stakes exercise that requires preparation, cross-functional teamwork, and a strategic approach.

Below is a step-by-step playbook that CIOs, sourcing professionals, and IT legal teams can use to drive a successful negotiation:

  1. Assemble a Cross-Functional Team: Gather stakeholders from IT, legal, procurement, security, compliance, and finance early in the process. Ensure everyone understands the RISE offering and your company’s goals. This team will identify requirements and red lines from all perspectives—from uptime needs to compliance must-haves. A united front prevents SAP from exploiting internal misalignment and ensures you cover all angles (technical, legal, commercial) in the contract.
  2. Baseline Your Current State and Objectives: Document your current SAP landscape (licenses, infrastructure, contracts) and what RISE is supposed to achieve (cost savings, agility, new capabilities). Identify potential gaps or needs: e.g., “We must have 99.9% uptime due to our retail cycle,” or “Our customer data cannot leave Canada.” These become negotiation points. Also, determine your risk tolerance – know which legal terms you can live with and which are deal-breakers. Review SAP’s proposal and terms in detail, mapping each clause to a responsible team member for analysis (security team reviews security clause, etc.). Being well-informed about your starting point is crucial.
  3. Research and Benchmark: Leverage external expertise and benchmarks to strengthen your position. Engage independent SAP contract advisors (such as Redress Compliance or similar licensing experts) with experience in RISE deals. They can provide insight into what discounts and concessions other enterprises have obtained, which clauses SAP has modified in other negotiations, and market-standard practices. Gather intelligence: for instance, if you know a peer company negotiated a 15% discount and a 2-year price lock, you can aim for similar terms. Likewise, consult industry research (Gartner, user groups) about common RISE challenges – e.g., DSAG user surveys indicating concerns about exit flexibility. This data arms you with credible arguments: “Customers in our industry typically get X, we expect the same.” It also signals to SAP that you are an informed buyer.
  4. Prioritize Key Negotiation Topics: Not everything can be heavily negotiated, so pick your battles. Prioritize the critical clauses that pose the most risk or value impact for you. Based on the analysis above, typical priorities are: liability cap, indemnities, SLA terms, price protections (renewal cap), data privacy/DPA terms, security/audit rights, subprocessor and residency, and exit provisions. Rank them. Know your “must-haves” vs “nice-to-haves.” This helps in trade-off discussions – you might concede a less critical point to win a critical one. For each priority area, have a clear ask (e.g., “cap liability at 2x fees, not 1x” or “include clause allowing 60-day read-only access after termination”) and a fallback if possible. Also, prepare your justification for each ask (e.g., regulatory requirement, internal policy, precedent from another vendor, fairness due to deal size, etc.).
  5. Leverage Timing and Competition: Use any leverage available. If this is a competitive situation (you evaluating Oracle or others), let SAP know – competitive pressure can yield better terms. If not, use time and quarter-end pressure: SAP sales teams have targets, so negotiating near SAP’s quarter or year-end can improve your bargaining power (they may be more flexible on terms to close the deal). However, beware of last-minute rush – give yourself enough time to review contract drafts thoroughly; don’t let a sales deadline force you into a quick sign without due diligence. Internally, set a realistic timeline for negotiation and involve your executive sponsors to back the negotiation team’s stance if needed (e.g., the CIO or CFO may need to reinforce to SAP that certain risks won’t be accepted).
  6. Draft and Counter-Draft: Instead of redlining SAP’s paper, consider providing your term sheet or amendments for critical clauses. For example, you might draft an “Addendum” with your preferred language on data protection, SLAs, and exit terms, and present it to SAP. This proactive approach can frame the negotiation on your turf. Of course, legal counsel should drive this, but ensure it’s in business-friendly language for SAP’s negotiators to understand the intent. Go clause by clause and don’t shy away from tough topics – explicitly ask, “What is SAP’s rationale for X? Here is why we need Y.” Often, SAP’s negotiator will have standard fallbacks they can offer once you push. Document all verbal assurances – if SAP says, “We normally never do X, but in your case we will,” immediately work to get that in writing (either in the contract or at least in an email). Keep a log of all open issues and who on SAP’s side is responsible for responding.
  7. Address Often-Neglected Terms: As you negotiate, double-check that those “little” clauses aren’t missed. Use a checklist (covering all topics in this advisory, for instance) to review the entire draft. Ensure nothing is left ambiguous – e.g., if the sales proposal said “includes 2 free sandbox systems,” make sure the contract states that. Common overlooked items: data return process, post-contract assistance, how updates/upgrades are delivered, performance guarantees, and definitions of key terms (what constitutes a data breach, for example). Resolve ambiguities now, because any gap will be interpreted in SAP’s favor later (since they wrote the base contract). It’s worth having a secondary review by fresh eyes (someone from a different department or an external lawyer) before finalizing, as they might catch issues the core team missed.
  8. Simulate Scenarios (Stress Test the Contract): A useful technique is to run through “what-if” scenarios to see if the contract adequately protects you. For example, what if a major outage occurs? (Check SLA, remedies, and liability. Are we covered?) What if a data breach happens? (Check DPA, notification, liability.) What if we need to divest a division using SAP? (Check assignment rights or if you can transfer part of the service.) What if a new privacy law requires a change? (Check modification clause.) Run these by SAP as well – ask how the contract would handle these situations. This flushes out any need for additional clauses or adjustments while you still have negotiation leverage.
  9. Engage Executive Support and Escalation: If negotiations hit a wall on a critical point, consider escalating to higher management on both sides. A friendly call between your CIO and the SAP account executive can sometimes break a stalemate on contract terms, especially for a big deal. Executives can weigh the long-term partnership and may agree to exceptions for your account. Use this sparingly for the truly non-negotiable items, and be sure your executive understands why it’s important. Additionally, bringing in an independent expert or legal advisor to articulate why a certain term is industry-standard can pressure SAP to concede (for example, your outside counsel can cite how other vendors or even SAP’s competitors handle a clause more fairly).
  10. Finalize in Writing and Review Thoroughly: Once agreement is reached on all points, ensure the final contract drafts (including all exhibits, DPAs, service descriptions, SLAs, etc.) are updated accurately. It’s common for last-minute changes to one document not to propagate to others (e.g., you negotiated a special data protection clause, but the DPA attachment was not updated – fix that!). Do a line-by-line final review with your legal team. Confirm that all negotiated concessions are captured. Check that the contract language is internally consistent after all the edits. Before signing, also prepare an internal summary of obligations – a document for your future contract management, listing key dates, responsibilities, notice periods, etc. This will be invaluable when operational teams later have to abide by the contract.
  11. Post-Signature Management: Although beyond negotiation, it’s worth noting: plan for ongoing contract management. Assign owners to monitor compliance (e.g., someone to track if SAP publishes new subprocessor info and someone to ensure SLA reports are received). Keep that internal summary handy and maybe hold a handover meeting with operations and IT security teams so they know the promises SAP made (and the promises you made, like not putting data in dev systems!). Many issues in long-term contracts arise simply because people forget what was agreed. Avoid that by treating the contract as a living document – set reminders for renewal notice dates, audit rights windows, etc., so you don’t miss opportunities later.

Following this playbook, your team will approach SAP RISE negotiations with a structured, strategic mindset. Remember that knowledge and preparation are your allies. In mega-deals, SAP expects an informed customer and will respect one who knows their requirements and boundaries.

Negotiating RISE is as much about the relationship as the document – you are setting the tone for how the partnership will run for years.

A fair, clear contract is the foundation for success on RISE, whereas a lopsided or vague contract is a recipe for future disputes. Invest the time and effort now to get it right. As Gartner might say, enterprises that execute a disciplined negotiation strategy will reduce risk and total cost over the life of the SAP RISE engagement.

Author

  • Fredrik Filipsson

    Fredrik Filipsson brings two decades of Oracle license management experience, including a nine-year tenure at Oracle and 11 years in Oracle license consulting. His expertise extends across leading IT corporations like IBM, enriching his profile with a broad spectrum of software and cloud projects. Filipsson's proficiency encompasses IBM, SAP, Microsoft, and Salesforce platforms, alongside significant involvement in Microsoft Copilot and AI initiatives, improving organizational efficiency.

    View all posts