Data Lifecycle & Deletion

Data used in AI scenarios is part of a broader data lifecycle, which includes:

• Data input and processing
• Model interaction and response generation
• Logging and monitoring
• Retention and eventual deletion

SAP’s approach to AI aligns with this lifecycle perspective, ensuring that data is managed, governed, and controlled across all stages.

This is consistent with SAP’s AI governance approach, where AI systems are designed, deployed, and monitored throughout their lifecycle, with appropriate controls applied at each phase.

When a user interacts with an AI feature, data is processed to generate a response. In many AI scenarios, the following principles apply:

• Data is processed only to fulfill the specific request.
• Processing can be transient, meaning it is not persistently stored as part of the model.
• SAP applies contractual and technical controls to govern how customer data is processed and handled according to defined service agreements and policies

These principles help ensure that data is handled in a limited and purpose-specific way, aligned with privacy and governance requirements.

For more details on secure data processing and inference patterns, see: Secure Data Flow for AI Inference on SAP BTP.

In many AI scenarios, input data is processed for the request itself and is not retained beyond the defined processing context. However, retention depends on the specific service, configuration, and operational requirements. This can include:

• Audit logs (for traceability and compliance)
• Usage and monitoring data (for system performance and reliability)
• Configuration and deployment metadata

These data elements support critical functions such as:

• System monitoring and troubleshooting
• Compliance with regulatory requirements
• Auditability and transparency

Learn more about SAP’s data protection and privacy practices: SAP Trust Center - Data Privacy.

Data retention and deletion are governed by policies, contracts, and applicable regulations. In SAP cloud services:

• Customers can access and export their data at any time.
• Upon termination of a service, personal data may be deleted within a defined period (for example, up to six months), unless legal requirements mandate longer retention.

It is important to note:

• Retention periods can vary depending on the service and regulatory context.
• Deletion processes are governed through data processing agreements and compliance frameworks.

These mechanisms help ensure that data is not retained longer than necessary and is handled in accordance with applicable privacy laws.

For more details on data processing agreements and data deletion, see: SAP Trust Center - Agreements.

In most SAP cloud scenarios, the responsibility for data is shared between the customer and SAP:

Customer (Data Controller)

The customer decides how and why data is processed and defines the retention and governance requirements.

SAP (Data Processor)

SAP processes data on behalf of the customer according to contractual agreements and implements technical and organizational measures to protect the data.

This shared responsibility model ensures that data lifecycle management is clearly defined and governed.

Data in AI scenarios is managed across a full lifecycle, from input and processing to retention and deletion. SAP supports this through:

• Controlled and purpose-specific data processing.
• Limited persistence of input data in some AI scenarios.
• Storage of logs and metadata for auditability and operations.
• Governed data retention and deletion processes.
• Clearly defined roles between customers (controllers) and SAP (processor).

Together, these mechanisms help ensure that data is handled in a controlled, transparent, and compliant way throughout its lifecycle.