SAP SuccessFactors EU Alternative 2026: German Parent, US Subsidiary, and the CLOUD Act Payroll Gap

Post #964 in the sota.io EU Compliance Series

SAP SuccessFactors is widely assumed to be a safe choice for EU enterprises handling payroll data. The reasoning is intuitive: SAP SE is headquartered in Walldorf, Germany. It is listed on the Frankfurt Stock Exchange. It employs over 100,000 people across Europe. Surely a German corporation does not create the same GDPR risk as an American company?

The assumption is wrong in a specific and consequential way. SAP SE is European. SAP SuccessFactors is not.

SAP SuccessFactors was SuccessFactors Inc. — a California corporation headquartered in San Mateo — until SAP acquired it in 2012 for $3.4 billion. The product has grown substantially since then, but the underlying corporate and technical structure inherited from that acquisition has never been fully Europeanised. The result is a product operated significantly through US corporate entities, using US cloud hyperscalers, with data flows that create measurable CLOUD Act exposure — regardless of the German parent's nationality.

This distinction matters acutely in 2026 because the EU Pay Transparency Directive (2023/970/EU) requires all EU member states to implement salary reporting and gender pay gap disclosure requirements by 7 June 2026 — under four weeks from the date of this analysis. The integrity and sovereignty of payroll data stored within enterprise HCM platforms has become a compliance question, not merely a procurement preference.

Who SAP SE Is — And Who SAP SuccessFactors Is

SAP SE (Systeme, Anwendungen und Produkte in der Datenverarbeitung) was founded in 1972 by five former IBM engineers in Weinheim, Germany. It is incorporated as a Societas Europaea (SE) — a European public company — and headquartered in Walldorf, Baden-Württemberg. SAP SE is not a Delaware corporation. It is not incorporated in any US state. Its primary listing is on the Frankfurt Stock Exchange (XETRA) under the ticker SAP.

SAP SE does trade on the New York Stock Exchange (NYSE) under the ticker SAP — but as American Depositary Receipts (ADRs). ADRs represent a beneficial ownership interest in shares held by a US depositary bank; they are a US financial instrument, not a change of corporate domicile. SAP SE's incorporation jurisdiction remains Germany. Being NYSE-listed does not subject SAP SE to the CLOUD Act, which applies to US persons (meaning US-incorporated or US-domiciled entities).

This is the correct part of the assumption: SAP SE is genuinely European.

SAP SuccessFactors is different. The product originates from SuccessFactors Inc., incorporated in California and Delaware, founded in 2001 in San Mateo. After SAP's acquisition in 2012, SuccessFactors Inc. became a wholly-owned subsidiary within the SAP group. SAP subsequently reorganised some SuccessFactors entities — but the product continues to be operated through SAP America Inc. and related US subsidiaries for significant portions of its engineering, infrastructure, and customer operations.

The key entity for European customers is SAP SE and its EU subsidiaries (including SAP Deutschland SE & Co. KG and various national subsidiaries), which hold European customer contracts. But the SuccessFactors product stack — the software, its cloud infrastructure, and the operational teams that maintain it — sits substantially within US corporate entities reporting into SAP SE through the standard parent-subsidiary chain.

The SuccessFactors Infrastructure Stack

SAP SuccessFactors does not run on SAP-owned data centres in the traditional sense. The product's cloud infrastructure has been progressively migrated to major public cloud providers as part of SAP's RISE with SAP and BTP (Business Technology Platform) transformation:

Primary cloud providers for SuccessFactors:

• Amazon Web Services (AWS): SAP has a deep strategic partnership with AWS. SuccessFactors workloads run on AWS infrastructure in multiple regions. EU customers can be provisioned to AWS EU regions (Frankfurt, Ireland).
• Microsoft Azure: SAP and Microsoft have a longstanding partnership, and Azure hosts significant portions of SAP's cloud portfolio. Azure EU regions are available.
• SAP BTP (Business Technology Platform): SAP's proprietary integration and extension platform, which itself runs on top of AWS, Azure, and Google Cloud in a multi-cloud architecture.

The critical insight is that AWS and Microsoft Azure are US corporations incorporated in Delaware and Washington state respectively. Both are subject to the CLOUD Act (18 U.S.C. § 2713). A CLOUD Act order directed at AWS or Azure can compel production of data stored on their infrastructure — including EU customer data — regardless of which EU region it physically resides in.

This creates a two-layer CLOUD Act exposure for SAP SuccessFactors EU customers:

1. Direct exposure through SAP America Inc. and US SuccessFactors entities: US government orders directed at US SAP subsidiaries could compel production of customer data those entities process or control.
2. Infrastructure-level exposure through AWS/Azure: Even if SAP's own entities are not compelled, US government orders to AWS or Azure could reach EU payroll data stored on their infrastructure.

For enterprises choosing SAP SuccessFactors specifically because SAP SE is German, neither exposure is resolved by the parent company's nationality.

CLOUD Act Mechanics — How US Government Access Works

The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713) requires US persons — defined to include corporations organised under US law — to produce records stored or controlled by them anywhere in the world in response to a lawful US government order. This applies to:

• Companies incorporated in any US state (Delaware, California, Washington, etc.)
• US subsidiaries of foreign corporations, for data those subsidiaries store or control

The operative question for SAP SuccessFactors is not whether SAP SE (the German parent) is subject to CLOUD Act — it is not. The operative questions are:

1. Do US-incorporated SAP entities (SAP America Inc., SuccessFactors Inc.) process or control EU customer payroll data? If yes, CLOUD Act orders can compel those entities to produce it.
2. Is EU customer data stored on AWS or Azure infrastructure? If yes, those US providers are independently subject to CLOUD Act orders.

On both questions, the answer for most SAP SuccessFactors deployments is plausibly yes. SAP America Inc. provides support, development, and operational services that typically require access to customer environments. AWS and Azure explicitly host SuccessFactors workloads in EU regions.

It is important to distinguish CLOUD Act exposure from active CLOUD Act requests. The Act does not mean that US authorities are routinely or frequently accessing EU payroll data. It means the legal mechanism for compelled access exists and cannot be contractually removed by SCCs, data processing agreements, or GDPR compliance claims.

SAP SuccessFactors and GDPR Article 9

Payroll processing necessarily involves GDPR Article 9 special-category data for most EU employee populations. SAP SuccessFactors processes:

Directly:

• Sick pay records — revealing health status (Article 9(1): health data)
• Parental leave data — revealing pregnancy and family status
• Disability-related pay adjustments — revealing disability status (Article 9(1))
• Occupational pension scheme elections — which may reveal trade union membership when scheme type is linked to collective bargaining agreements

Indirectly through analytics:

• Gender pay gap analysis (EU Pay Transparency Directive) processes salary data segmented by gender
• Workforce diversity analytics process protected characteristics alongside pay data

Article 9 data requires a specific legal basis beyond the Article 6 bases applicable to ordinary personal data. Critically, these bases do not override international transfer rules. If Article 9 data is transferred to a country where surveillance law undermines SCC protections, the lawfulness of the transfer is doubtful — regardless of which Article 9 basis applies.

Standard Contractual Clauses and the DPF: What They Do and Do Not Resolve

SAP SuccessFactors for EU customers deploys Standard Contractual Clauses (SCCs) as the transfer mechanism for personal data flowing from EU to US operations. SAP SE participates in the EU-US Data Privacy Framework (DPF), the successor to Privacy Shield that has been certified since 2023.

SCCs and DPF certification establish that SAP will process EU personal data with GDPR-equivalent safeguards. What they do not and cannot establish:

• Exemption from CLOUD Act: SCCs are a contractual instrument. The CLOUD Act is a statutory instrument. When a US government order is served, US law takes precedence over the data protection commitments in an SCC. This was the core reasoning of the European Court of Justice in Schrems II (C-311/18, 2020).
• Immunity from infrastructure-level access: SCCs between SAP and its EU customers do not bind AWS or Azure.
• Permanence of DPF: The DPF replaced Privacy Shield following Schrems II. NOYB and other civil society organisations have pending legal challenges to DPF. A third Schrems decision could invalidate the DPF, immediately rendering SCC-backed transfers legally uncertain.

For EU enterprises processing payroll data for 10,000+ employees, a DPF invalidation scenario is a business continuity risk, not merely a legal theory.

The EU Pay Transparency Directive and Payroll Data Sovereignty

Directive 2023/970/EU of 10 May 2023 is the most significant change to EU employment law in a generation. Member states must transpose implementing legislation by 7 June 2026.

For SAP SuccessFactors customers specifically, the Directive creates several data-sensitive compliance obligations:

Article 7 — Individual pay transparency: Employees may request information about their individual pay level and average pay levels for comparable categories of workers, broken down by sex.

Article 9 — Reporting obligations: Employers with 100+ employees must report gender pay gap data to national authorities. Starting from 2027 for employers with 250+ employees (and 2031 for 100–249 employees). The data for these reports is drawn from payroll records maintained in HR systems like SAP SuccessFactors.

Article 10 — Joint pay assessment: Where pay reports reveal a gender pay gap exceeding 5% that cannot be justified by objective gender-neutral factors, employers must conduct a joint pay assessment with worker representatives.

Article 18 — Burden of proof: If an employer cannot demonstrate pay equity compliance, the burden of proof shifts to the employer in any subsequent litigation.

A practical concern: if a trade union representing EU employees challenges pay equity and the relevant payroll records have been produced to US authorities under a CLOUD Act order, the confidentiality of the employer's compensation strategy may already be compromised.

SAP SuccessFactors' EU Data Residency Options

SAP has invested significantly in EU data residency capabilities:

• EU data centre provisioning: EU customers can be hosted on AWS Frankfurt (eu-central-1), AWS Ireland (eu-west-1), Azure West Europe (Netherlands), or Azure North Europe (Ireland). All EU customer data at rest is stored within EU regions under standard terms.
• SAP Employee Central Payroll: can be configured to keep payroll calculations within EU infrastructure.
• Data residency attestation: SAP provides contractual commitments in its Data Processing Addendum specifying EU data residency for core HR and payroll data.

These measures address the question of where data is stored at rest. They do not fully address:

1. Whether US SAP entities have operational access to EU production environments for support, maintenance, or debugging purposes.
2. Whether EU-resident data on AWS or Azure EU regions is accessible to those providers' US parent entities under CLOUD Act orders.
3. Whether SAP's US-based security operations, threat intelligence, or compliance teams process any EU customer data.

The gap between "data stored in EU" and "data accessible only within EU jurisdiction" is the central challenge of EU data sovereignty for US-infrastructure cloud products.

NIS2, DORA, and Sector-Specific Requirements

DORA (Digital Operational Resilience Act, 2022/2554/EU): Financial institutions must maintain detailed ICT service provider registers and assess concentration risk. The nationality of the service provider group's ultimate parent is a factor in DORA risk assessments, but the infrastructure-level CLOUD Act exposure remains.

NIS2 (Directive 2022/2555/EU): Essential and important entities must assess supply chain security, including ICT service providers handling sensitive operational data.

EU AI Act (2024/1689/EU): SAP SuccessFactors embeds AI for pay equity analysis, workforce planning, and candidate screening — applications that may fall under the EU AI Act's high-risk category (employment and workers management, Title III). High-risk AI systems require EU-assessable conformity documentation that is harder to demonstrate when the AI developer is a US corporation subject to CLOUD Act.

Four EU-Native Payroll Alternatives

SD Worx (Antwerp, Belgium)

Corporate structure: SD Worx NV is incorporated in Belgium and headquartered in Antwerp. Founded in 1945 as a Belgian social secretariat, SD Worx is a cooperative group owned by its member companies. It operates across 28 European countries with over 70,000 client organisations and processes payroll for approximately 5 million employees monthly across Europe. SD Worx has no US parent company and no NYSE listing.

Infrastructure: SD Worx operates its own data centres in Belgium and the Netherlands, with EU-owned infrastructure throughout. SD Worx explicitly markets its non-US data supply chain as a competitive differentiator.

GDPR position: As a Belgian cooperative with EU-only infrastructure and no US parent, SD Worx has no inherent CLOUD Act exposure. Belgian DPA (APD/GBA) is the lead supervisory authority.

Best for: Large EU enterprises in financial services, manufacturing, and public sector requiring multi-country EU payroll with full data sovereignty.

Limitation: Less developed HCM functionality than SAP SuccessFactors for talent management, performance, and succession planning.

PayFit (Paris, France)

Corporate structure: PayFit SAS is incorporated in France and headquartered in Paris. Founded in 2015. Investors include Eurazeo Growth, Bpifrance (French public investment bank), and Accel. No US public markets listing. Bpifrance participation makes PayFit explicitly EU-strategic.

Infrastructure: PayFit operates on AWS EU infrastructure (Ireland and Paris). As a French company using EU regions, the contractual chain does not include a US parent entity. However, AWS EU infrastructure is still subject to CLOUD Act orders directed at Amazon Web Services, Inc.

GDPR position: French company, CNIL supervision. SCCs apply only for AWS infrastructure layer.

Best for: Mid-market EU companies (50–500 employees) primarily in France, Germany, Spain, UK, and Belgium requiring automated payroll with local compliance built in.

Limitation: Not an enterprise HCM platform — payroll-focused without the depth of talent management or global payroll coverage.

DATEV eG (Nuremberg, Germany)

Corporate structure: DATEV eG is a German cooperative headquartered in Nuremberg. Founded in 1966, DATEV is owned by approximately 40,000 member tax advisors and accounting firms in Germany. It is explicitly non-commercial — a cooperative cannot be acquired, cannot be NYSE-listed, and has no US shareholders or parent entities. DATEV processes payroll for approximately 12.5 million German employees annually via tax advisor intermediaries.

Infrastructure: DATEV operates its own data centres in Germany — specifically in Nuremberg — with no public cloud dependency for core payroll processing. DATEV's ownership model and infrastructure eliminates the corporate chain that creates CLOUD Act exposure for multinational SaaS vendors.

GDPR position: German cooperative, BayLDA supervision, German BDSG-compliant by design. No international data transfers in the standard payroll delivery chain. Likely the highest level of jurisdictional certainty in the EU payroll market.

Best for: German SMEs and mid-market companies working with tax advisors for payroll outsourcing. Also directly accessible for larger German companies operating primarily in Germany.

Limitation: Primarily Germany-focused. Not an HCM platform — pure payroll and accounting. Requires supplemental providers for multi-country EU payroll.

Personio Payroll (Munich, Germany)

Corporate structure: Personio GmbH is incorporated in Germany and headquartered in Munich. Founded in 2015, Personio has raised over €600 million from investors including Greenoaks Capital, Index Ventures, and Accel. Personio operates as a standalone German GmbH — no US parent company, no NYSE listing, no Delaware incorporation. Regulatory oversight: BayLDA.

Infrastructure: Personio operates on AWS EU infrastructure (Frankfurt). As noted, AWS EU infrastructure carries AWS CLOUD Act exposure at the infrastructure layer, but no US parent corporate entity has access to Personio customer data in the normal service delivery chain.

GDPR position: German GmbH, BayLDA supervision. SCCs apply only for AWS infrastructure layer. Personio's own corporate structure creates no US data access route.

Best for: EU mid-market companies (50–2,000 employees) primarily in the DACH region, Netherlands, Spain, and UK seeking an integrated HCM+payroll platform.

Limitation: Not yet enterprise-grade for 10,000+ employee organisations. Limited global payroll coverage compared to SAP SuccessFactors' 90+ country reach.

Head-to-Head Comparison

What EU Enterprises Should Ask SAP SuccessFactors Before Signing

For procurement teams evaluating SAP SuccessFactors renewal or initial deployment, the following questions address the specific CLOUD Act and GDPR gap:

1. Which SAP corporate entities have administrative or support access to EU production environments? Specifically, do SAP America Inc. or any US-incorporated SAP entities have access to EU customer payroll data in any operational role?

2. What is the contractual data controller / data processor designation for SuccessFactors Inc. relative to EU customer data? Is SuccessFactors Inc. a sub-processor? If so, under what legal transfer mechanism is data shared with it?

3. Does SAP's DPA include a binding commitment that no US-incorporated SAP entity will access EU customer data without prior EU customer consent?

4. For AWS and Azure infrastructure in EU regions: does SAP's customer contract include a binding commitment that hyperscaler access to EU customer data will comply with GDPR?

5. What is SAP's response plan if the EU-US Data Privacy Framework is invalidated?

6. For EU Pay Transparency Directive compliance: has SAP obtained a legal opinion that payroll data used in gender pay gap analysis is processed under a valid Article 9(2) basis?

Conclusion

SAP SuccessFactors occupies a distinctive position in the EU payroll market: marketed by a German corporation, subject to German supervisory authority at the parent level, and widely perceived as a European product. The corporate structure reality is more complicated. US-incorporated SAP entities participate in the operational delivery of SuccessFactors. AWS and Azure — both US corporations — host EU customer workloads. These structural facts create CLOUD Act exposure that the German nationality of SAP SE does not resolve.

For EU enterprises that require payroll data sovereignty without US corporate exposure — particularly in regulated sectors (DORA, NIS2) or ahead of the EU Pay Transparency Directive's 7 June 2026 transposition deadline — the comparison with SD Worx (Belgian cooperative, own EU data centres) and DATEV (German cooperative, own German data centres) is instructive. Both eliminate the corporate chain to US entities entirely.

The choice is not binary between SAP SuccessFactors and full sovereignty. Mid-market EU organisations can achieve substantially higher data sovereignty with Personio (German GmbH) or PayFit (French SAS) while maintaining a modern cloud HCM experience.

The German parent does not make SuccessFactors German. It makes SAP's procurement team German.

This analysis is current as of 10 May 2026. Corporate structures, DPF status, and CLOUD Act case law evolve. Consult qualified EU data protection counsel before making procurement decisions based on jurisdictional analysis.