
Confidentiality and NDA: two contract levers that narrow audit scope before SAP arrives.

The confidentiality clause and the NDA framework are the most under-used defences in an audit response. They limit what SAP can ask for and who can see it.

May 2026 · 8 min read · Editorial Desk · SAPLicenseAudits
— Legal and procurement leads reviewing audit-letter language against the master agreement confidentiality clauses

Most procurement teams approaching an SAP audit response default to engaging with the substantive scope questions first — what systems, what users, what window — and treat the legal framework around confidentiality as an afterthought. The order is backwards. The confidentiality provisions in the master agreement, combined with the customer's standard NDA framework, set the boundary conditions for everything that follows. Used in the first response letter, they restrict the auditor's data access, limit which third parties can be involved, and force SAP to narrow the scope before the substantive work begins.

This guide walks through the two contract levers, the precise letter language we use to invoke them, the three SAP responses the customer should expect, and the case-by-case tradeoffs between invoking confidentiality early and reserving it for later in the engagement.

What the master agreement actually says

Every SAP master agreement contains a mutual confidentiality provision. The exact language varies by contract vintage, but the substantive position is consistent: information disclosed by either party in the course of the agreement is confidential to the disclosing party, the receiving party agrees to protect it, and any further disclosure requires written consent.

The provision applies symmetrically. SAP cannot share customer data — including audit findings, user lists, configuration extracts, and price exposure calculations — with third parties without the customer's consent. The customer cannot share SAP's contract terms, pricing, or commercial position with third parties without SAP's consent. The asymmetry of how the provision is actually used in practice is striking: SAP routinely engages third-party audit firms and shares customer audit data with them, while customers rarely invoke the symmetric right to control that disclosure.

The second relevant provision is the audit-rights clause itself. It typically contains a sub-clause requiring the auditor to be subject to confidentiality obligations equivalent to those in the master agreement. The customer's right to require the auditor's specific NDA before any data is disclosed flows from this sub-clause. See the broader timing analysis in our first-72-hours response timeline.

The third-party auditor question

SAP frequently engages KPMG, Deloitte, PwC, or specialist licensing firms to conduct the substantive audit work. The customer's contract entitles the customer to know which third party is being engaged, to receive that party's specific confidentiality undertaking before any customer data is shared with them, and to object to specific firms where there is a documented conflict of interest.

The most common conflict is that the proposed audit firm is also the customer's external auditor under a separate engagement, or has a current advisory mandate with the customer that creates an information barrier issue. Customers in regulated industries frequently have a documented restricted-supplier list for confidentiality-sensitive engagements; the SAP audit appointment should be tested against the same list.

The defensive position in the response letter is to acknowledge the audit right, request identification of the specific audit firm, request a copy of their NDA for review, and reserve the customer's right to object to the appointment on conflict-of-interest grounds. The letter language is short — three sentences in the response — and the operational effect is significant.

The data-protection overlap

Where the audit involves the export of personal data — user master records, HR records, named user logs containing email addresses or other identifiers — the confidentiality framework intersects with the customer's data protection obligations. The European GDPR framework, the UK Data Protection Act, and the various US state privacy regimes all impose constraints on the export of personal data to third parties, including third parties engaged by a contract counter-party.

The position the customer should adopt is that personal data is exported only under a documented data processing agreement, with named data fields, named recipients, and a defined retention period. SAP's audit framework normally accommodates this requirement, but the burden is on the customer to invoke it. The default audit extract requests data fields the customer has the contractual right to refuse. See the deeper analysis in our data protection grounds for refusal article.

Field note — the conflict objection

A European financial services client we worked with in 2024 declined SAP's proposed audit firm on the grounds that the same firm was the customer's external auditor under a separate Big Four engagement. SAP accepted the objection within ten working days, substituted a smaller specialist firm, and the substantive audit scope narrowed by approximately thirty per cent during the substitution process. The conflict objection cost the customer one letter; the operational benefit was material.

The standard response letter language

The defensive language is short and specific. Three paragraphs in the first response letter cover the position.

The first paragraph acknowledges the audit notification and the contractual basis for the audit. It does not contest the underlying right.

The second paragraph invokes the confidentiality framework. The language reads, in substance: "The Customer's response to the audit notification is provided subject to the confidentiality provisions of Section X of the Master Agreement. Any audit work performed by a third party on SAP's behalf is conditional on (a) prior identification of the specific firm, (b) the Customer's receipt and review of that firm's confidentiality undertaking, and (c) the Customer's right to object to the engagement on documented grounds of conflict of interest or competitive sensitivity."

The third paragraph addresses data scope. The language reads, in substance: "The Customer notes that the audit data envelope may contain personal data within the meaning of applicable data protection law. Any export of such data to SAP or to SAP's third-party auditor will be conducted under a documented data processing agreement specifying the fields exported, the recipients, and the retention period. The Customer reserves the right to redact or anonymise specific fields where the contractual purpose can be achieved without identifying individuals."

The three paragraphs together typically reduce the operational scope of the audit by twenty to thirty per cent before the substantive work begins. The reduction comes from data fields that SAP withdraws rather than negotiating, third-party engagement that is delayed or substituted, and timelines that lengthen as the contractual mechanics are walked through.

When to invoke confidentiality early versus reserving it

The invocation has a tactical dimension. Used in the first response letter, it signals to SAP that the customer is represented and prepared, which normally moderates the auditor's opening posture. Used later, it signals that the customer is escalating, which can shift the relationship into a more adversarial mode.

The decision turns on three factors. First, the size of the expected exposure: low-six-figure audits rarely justify the additional friction; high-six-figure and seven-figure audits almost always do. Second, the customer's commercial leverage: customers approaching a renewal cycle have negotiating room that customers mid-term do not. Third, the prior audit history: customers with a documented record of compliant submissions have stronger ground to invoke the framework without being treated as obstructive.


The internal NDA framework

Alongside the SAP-side confidentiality position, the customer should have its own internal NDA framework in place for any external advisor engaged in the response. Independent advisors, external counsel, and internal stakeholders outside procurement and IT need to be brought under a specific engagement NDA before they touch the audit data. The NDA framework should mirror the master agreement's confidentiality provisions to prevent any inadvertent disclosure breach during the response.

The framework should also extend to the engagement letter with any independent advisor. The advisor's representation includes confirmation that they are not engaged by SAP or by any SAP-affiliated party on any concurrent matter, that they have no commercial interest in the audit outcome other than their agreed fee, and that they will deliver any work product directly to the customer rather than through SAP channels.

Three letter paragraphs that close the gap

The complete defensive language for a first-response letter, integrating all three threads, sits in the SAP Audit Defence Playbook chapter on first-response correspondence. The playbook also includes the scope-pushback language that pairs with the confidentiality invocation. See the audit topic page for the consolidated escalation framework.

For a worked case study of confidentiality invocation in a financial services audit see the financial services audit confidentiality defence matter, which documents the trajectory from first letter through closed settlement.
