Trust in Privacy
Stay informed about where your data is located, how it is used and how we protect and defend your data.
SAS cares about your individual privacy rights. As a global company with operations in over 50 countries, we collect personal data from our customers, prospects, partners, suppliers, applicants and employees. International privacy and data protection laws apply to that personal data. These privacy laws range from sector-specific regulations in the United States, such as the Health Insurance Portability and Accountability Act (HIPAA), to comprehensive data protection regulations such as GDPR in the European Union and other similar laws throughout the world.
As of 12 October 2023, SAS is certified to the EU-US, Swiss-US Data Privacy Framework with UK Extension (the DPF). On 17 July 2023, the EU granted adequacy status to US companies who certify to the DPF. SAS’ DPF certification has been validated by our independent assessor, TRUSTe (TrustArc).
What’s the difference between ‘SAS as a controller’ and ‘SAS as a processor’ – and how does it affect your data privacy?
SAS as a controller:
Data we collect from you
When you interact with us online or offline, we respect your individual privacy rights and will use your data only in compliance with our Privacy Statement. Learn more about how SAS processes your data and for what purposes.
SAS as a processor:
Data you collect and share with us
We are aware that your data is your business asset. When you use our services and we process data you provide to us on your behalf, we will provide full transparency on our processing activities and process such data only in accordance with agreed terms. Learn more about how we process, protect, and defend your data.
Data Processing Agreements (DPA)
Technical & Organizational Measures (TOMs)
When SAS uses sub-processors (subcontractors to provide services who must access your data), we ensure that these sub-processors act in full compliance with our privacy commitment we give to you. SAS carefully evaluates the security, privacy, and confidentiality practices of a sub-processor prior to engagement. All SAS sub-processors enter into a contract with SAS that includes data privacy and security terms reflecting our privacy commitments we give to you. SAS also provides lists of our deployed sub-processors for each individual service. These lists include details on the location and country of each sub-processor per service.
International Access & Transfer of Personal Data: EU Transfer Requirements
At SAS, we know that your data is your business asset. It is of utmost importance for us to foster a relationship with you as a customer and partner based on trust and transparency -- in particular when we process your data. We are committed to enabling you to use our services in compliance with global data protection laws, including the European Union´s data protection regulations, rulings, and recommendations.
SAS understands that our customers are required to comply with the Schrems II judgment of the Court of Justice of the European Union (CJEU) and the subsequent final recommendations released by the European Data Protection Board (EDPB). We’ve taken necessary steps and implemented appropriate supplemental measures that enable our customers to use our services which, in some cases, involve transfers (remote access) from the United States.
This site provides further information on the latest changes due to the Schrems II ruling, additional measures we have implemented, and answers to frequently asked questions from our customers. SAS has also updated our privacy practices and DPA to implement new standards and contractual clauses (SCCs) as published by the European Commission following the Schrems II decision.
Defending your Data: SAS defends your data through clearly defined response policies and processes, strong contractual commitments, and if necessary, the courts. SAS believes all government requests for your data should be directed to you. SAS does not provide any government with direct or unfettered access to customer data.
Government and Law enforcement requests: Twice a year we will publish the number of legal demands for customer data that we receive from government and law enforcement agencies around the world. As of November 2023, we have not received any such requests.