SAP Commerce Cloud is an enterprise B2B and B2C commerce platform from SAP that hosts product catalogues, checkout and order management in the cloud, with EU hosting available on Microsoft Azure.
SAP Commerce Cloud is the enterprise B2B and B2C commerce platform of SAP SE, the German software vendor headquartered in Walldorf. It runs on Microsoft Azure with EU regions available for European customers. Large retailers, manufacturers and wholesalers use it for catalogues, checkout, order management, B2B contracts and omnichannel experiences.
On the storefront, SAP Commerce Cloud sets JSESSIONID for the shopping session, an anonymous cart identifier and CSRF tokens. These are strictly necessary. Marketing, recommendation and personalisation modules add additional cookies that require consent.
The session and order data are processed under Article 6(1)(b) GDPR (performance of a contract). Marketing personalisation, behavioural recommendations and email tracking pixels require consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy.
You do not need consent for the strictly necessary cookies, but the marketing and personalisation features must be gated behind a consent management platform that records valid consent before activation. The newsletter, push notifications and product recommendation cookies must default to off.
With Azure EU regions, customer data stays within the European Union by default. Sub-processors should be reviewed: SAP support, Azure global support and any extension marketplace partner can introduce US access that needs SCCs and a transfer impact assessment.
Pin the deployment to an Azure EU region, enable role-based access control, integrate a CMP that blocks marketing scripts before consent, run a DPIA for personalisation modules, document SAP and Azure sub-processors, and align checkout messages with the right consent or contract basis.
Websites using SAP Commerce Cloud must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for the marketing personalisation and recommendation modules and for any integration that processes special categories of data or large volumes of payment information. EU hosting on Azure simplifies the third-country analysis.
Sample consent text
Our online store is powered by SAP Commerce Cloud, operated by SAP SE (Germany). Personal data needed to process your order is hosted on EU infrastructure on Microsoft Azure. Marketing and personalisation cookies are activated only with your prior consent.
Third-party domains contacted
cx.eu.commerce.ondemand.com
api.eu.commerce.ondemand.com
launchpad.support.sap.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| JSESSIONID | first_party | Session | Maintains the visitor session with the SAP Commerce Cloud application server (strictly necessary). |
| anonymous-cart | first_party | 30 days | Stores the anonymous cart identifier so the visitor can resume shopping (strictly necessary). |
| XSRF-TOKEN | first_party | Session | CSRF protection token for secure checkout requests. |
SAP Commerce Cloud uses cookies for user preferences — inform visitors with a consent banner.
Strictly necessary cookies for the session (JSESSIONID), the anonymous cart and CSRF tokens. Marketing, recommendation and personalisation modules add consent-based cookies.
Not for the core checkout cookies, which are necessary to perform the contract. Yes for the marketing, recommendation and personalisation modules.
Article 6(1)(b) GDPR for order processing, Article 6(1)(a) GDPR and Article 5(3) ePrivacy for marketing cookies and personalisation.
In standard EU configuration, no. Customer data stays in the chosen Azure EU region. Watch for sub-processors (SAP support, Azure global support, marketplace extensions) that may introduce US access.
Recommended for personalisation, recommendation and any module processing special categories of data or large volumes of payment information.
Pin to an Azure EU region, integrate a CMP, gate marketing and personalisation behind consent, run a DPIA for new modules, document SAP and Azure sub-processors.
Adobe Commerce (Magento), Salesforce Commerce Cloud, commercetools, Spryker, Shopify Plus and BigCommerce. EU-based options simplify the third-country analysis.
Run a scanner monthly across staging and production, document strictly necessary versus consent-based cookies separately, and version the policy in your CMS.