Compliance documents

Data protection

Data protection and data privacy become more and more important in our connected world. At Software AG customers can trust that their personal data is processed in compliance with data protection / data privacy requirements.

See our FAQ for how we manage the processing of our customers’ personal data and how we ensure that customers can use our products and services in compliance with applicable stipulations.

What measures have been implemented to achieve data protection compliant products and services? 

All products offered by Software AG have been analyzed in respect to their functionality of processing personal data regarding the applicable data protection principles. For future functionalities, a release task to check for data protection compliance has been integrated into the product release cycle. 

How are accountability and governance requirements addressed?

Software AG has set up a Data Protection Management System (DPMS) which defines clear processes for relevant data protection aspects including data breach handling, data subject rights, records of processing activities and notification obligations to the relevant supervisory authorities and / or data subjects. As part of the scope of Software AG’s ISO 9001 certification, the established DPMS processes are subject to regular external audits. Additionally, Software AG has implemented a data protection policy, which applies to all employees. The objective of this policy is to regulate the legally compliant handling of personal data within Software AG and its affiliates.

Does Software AG have a Data Protection Officer?

Software AG has assigned a Corporate Data Protection Officer (CDPO). The CDPO monitors compliance with applicable data protection law and advises about processing of personal data at Software AG.

Are employees trained about data protection requirements?

A data protection training mandatory to all staff of Software AG was established. It addresses the requirements on compliant processing of personal data as well as adherence to sufficient technical and or organizational measures and must be refreshed on a regular basis. Non-performance of this training is monitored and may be enforced. 

How is Software AG processing personal data on behalf of customers?

When Software AG processes personal data on behalf of its customers or when access to personal data cannot be ruled out in line with service provision, a Data Processing Agreement (DPA) is concluded as a standard process. It addresses in particular the following aspects:

  • Customer’s instructions: The DPA obliges Software AG to process personal data only as instructed by the customer and in compliance with data protection law applicable to the customer.
  • Sub-processors: Software AG’s mission is to provide for high support services availability. This requires Software AG to include its affiliates all around the world as well as carefully selected external service providers into its support process. These organizations act as sub-processors to our customers. Also, for providing cloud and consulting services, sub-processors are used to provide the highest possible standard of quality, performance and flexibility to our customers.
  • Data transfer: As mentioned above, for service provision, a transfer of personal data to other Software AG entities or external service providers is usually necessary. For any data transfers from EEA to countries without an adequate level of data protection, EU Standard Contractual Clauses are in place. This ensures the necessary safeguards to protect customers’ personal data in accordance with data protection regulations.
  • Data subject requests: Software AG’s customers as the data controllers might be required due to applicable data protection law to provide information upon a data subject’s request. To the extent the request was addressed to Software AG by a data subject directly, we will notify the respective customer and will respond to the data subject in accordance with the customer’s instructions. Additionally, we will support our customers using appropriate technical and organizational measures to respond to data subjects’ requests themselves.
  • Data breach notification: In case of a data breach, Software AG’s customers as the data controllers might be obliged to fulfill certain notification obligations towards the affected data subjects and / or the supervisory authority. Software AG will inform its customers without undue delay in case we have documented reason to believe that a data breach at Software AG or our sub-processors has occurred. Software AG has implemented a data breach handling process that aligns with these notification requirements, which is in the scope of the Data Protection Management System (DPMS).

How does Software AG comply with changes in data protection requirements?

As data protection requirements can constantly change or expand due to legal amendments or decisions by the responsible supervisory authorities, Software AG regularly reviews the processes being part of our DPMS and technical and organizational measures regarding any new requirements and adapt them accordingly. Additionally, our processes are subject to regular external audits in line with ISO 9001 certification.