1. What DAAP Really Is (Beyond the Marketing)
SAP launched the Digital Access Adoption Program (DAAP) in 2022, officially framed as an amnesty and transition framework. In reality, DAAP is a settlement offer dressed in customer-friendly language.
SAP's rationale was defensive: after the Diageo verdict in 2021 (a £50 million judgment against SAP for misrepresenting indirect access risk and inflating exposure claims), SAP faced enterprise skepticism about its audit methodology, measurement tools, and the legitimacy of digital access fees. DAAP was designed to:
Here's what DAAP actually offers:
And here's what you give up:
In essence, DAAP trades uncertainty and litigation risk for certainty and a SAP-favorable baseline. It's not an amnesty in the traditional sense; it's a settlement with amnesty-shaped marketing.
2. The Case FOR Joining DAAP
DAAP makes strategic sense in specific scenarios. Understanding when to say yes requires clarity on your own exposure and risk appetite.
Certainty and Predictability
If SAP has already issued a detailed audit report claiming indirect access exposure, and your own forensic review suggests the exposure is real (not methodology-inflated), then DAAP eliminates the uncertainty premium. You know what you'll pay for the next 3–5 years. That certainty has value: it simplifies planning, eliminates the risk of a larger claim in a future audit, and removes the emotional and organizational cost of ongoing dispute.
Avoiding a Protracted Audit
If you're already deep in an audit cycle and SAP is escalating the claim, DAAP can end the process. Audits are expensive: they consume internal IT and legal resources, distract management, and create anxiety around compliance. For enterprises that cannot absorb the cost of a multi-year defense or prefer to close the matter, DAAP is a clean exit.
Weak Defense Posture
If your documentation of user access is weak—if you lack detailed logs, access reviews, or a clear technical demarcation between direct and indirect access—DAAP shifts the burden. Instead of SAP's measurement experts challenging your sparse records, you jointly establish a baseline. In weak-evidence scenarios, this can be cheaper than litigating a measurement dispute you're likely to lose.
Scope Limitation
DAAP baselines typically apply only to indirect access, not to core SAP user fees or other licensing categories. If you're concerned that an audit might expand into contract interpretation, pricing tiers, or other exposed areas, DAAP's narrow scope can reduce overall exposure surface. You're settling indirect access and leaving other claims off the table.
In these scenarios, DAAP is a rational decision: you trade negotiating power for peace and predictability.
3. The Case AGAINST DAAP (The Traps)
DAAP looks attractive until you examine the long-term cost and the rights you forfeit. Several structural traps deserve serious attention.
Admission of Liability and Future Precedent
Signing DAAP is a contractual admission that you have undisclosed or improperly licensed indirect access. SAP uses this admission in future audits, in negotiations with other business units, and potentially in regulatory or compliance contexts. If your organization emphasizes a clean compliance posture, this admission carries reputational cost internally and externally.
More critically, an admission in one company or region can become a template for claims elsewhere. If you settle on indirect access in your Europe division, SAP's account team will cite this settlement when approaching Asia-Pacific or North America: "You've already acknowledged exposure; this is the standard remediation path."
The Pricing Trap
SAP's per-user cost for indirect access under DAAP is non-negotiable—it's set by the programme, not by your contract position. Typical indirect access fees are 40–60% of core SAP Named User fees (often $500–$1200 per user annually, depending on your SAP footprint). For enterprises with 500+ indirect users, this translates into millions in annual recurring cost.
You rarely know, at the time of DAAP enrollment, how accurate the baseline is. SAP's initial count often inflates the true user population by 20–40%, but by the time you realize this, you've signed a 3–5 year commitment. The only remedy is demonstrating material business change (workforce reduction, system decommissioning), and SAP's definition of "material" is rigid.
Loss of Technical Defense
One of the strongest defenses against indirect access claims is methodological: SAP's measurement tools are incomplete, they overcounted users who never actually accessed the system, or they misclassified system administrators as end users. Once you sign DAAP, you lose this entire line of defense. Your forensic experts and legal team can no longer argue that the claim itself is technically unfounded.
This is particularly costly if you have strong evidence of flawed methodology. A competitor in your industry might have the same system setup, same access patterns, but because they fought and won, they pay nothing. You pay millions because you settled.
Lock-In and Future Renegotiation Friction
DAAP baselines become contractual fact. The only path to revision is demonstrating material change. SAP's interpretation of "material" typically requires 20%+ workforce reduction or formal system decommissioning—not cost optimization or user migration. As your business evolves, your baseline becomes increasingly outdated, yet you remain locked into paying for a user population that no longer exists in your systems.
Renegotiation friction also compounds over time. By year three of a DAAP commitment, SAP has locked in recurring revenue and moved on. Attempting to reopen the baseline becomes a contract interpretation dispute, not a collaborative discussion.
4. DAAP as a Sales Tactic: How SAP Uses Indirect Access Claims to Drive Adoption
SAP's account teams explicitly use indirect access claims as a negotiating lever. The sequence is familiar to enterprises who have lived through it:
This sequencing is not accidental. SAP learned from Diageo that explicit measurement defense was weak; the answer was to avoid litigation over methodology and instead create a process that feels collaborative but anchors enterprises to SAP's number.
The Negotiation Asymmetry
DAAP appears negotiable—your team can push back on the baseline, propose lower numbers, engage with SAP's technical experts. In reality, SAP's starting position is already inflated by 30–50% to create negotiating room. You might negotiate down from 600 to 450 users and feel like you've won. What you've actually done is pay for indirect access exposure that may not exist, because the original number included methodological inflation.
SAP also uses DAAP adoption as a lever for other deals. If you're negotiating RISE with SAP, RISE pricing, or support cost reductions, SAP's first move is often: "Let's settle indirect access through DAAP first, then we can discuss other items." This sequencing ensures you're already committed to one SAP framework before you negotiate the next. Once DAAP is signed, you have less negotiating power on the next deal because indirect access is no longer a variable.
Timing Pressure and Urgency Manufacture
SAP frequently imposes artificial deadlines on DAAP offers: "This amnesty period expires in 60 days," or "This pricing is only available if you enroll before Q2." These deadlines are manufactured to create decision urgency. In reality, your enterprise can legally and practically challenge the claim for months or years beyond the deadline. The deadline is pressure, not a legal constraint.
Enterprises that negotiate past the deadline often find that DAAP remains available—just at slightly less favorable terms. The initial deadline was a sales tactic, not a hard legal cutoff.
5. The Legal and Technical Grounds for Challenging Indirect Access Claims
Before accepting DAAP, it's worth understanding what you could argue if you chose to defend. Several methodological and contractual defenses are available—and they've held up in litigation.
Methodological Flaws in SAP's Measurement Tools
SAP's primary tool for identifying indirect access is automated log analysis: it scans user activity logs and classifies any non-named-user access as "indirect." This approach has documented flaws:
Contractual Ambiguity: What Is "Indirect Access"?
Your SAP contract defines indirect access, but the definitions vary—and they're often vague enough to support multiple interpretations. For example:
"Indirect Access means access to the SAP system by a non-named user through any means" is the broadest definition. Under this, even read-only portal access by a supply chain partner could count. But contracts often carve out portal users, data integration users, or third-party integrations from indirect access fees.
If your contract includes carve-outs or exceptions—for example, "Indirect Access excludes automated system integrations or API-only access"—then SAP's claim must respect those carve-outs. Many enterprises have successfully argued that SAP overstated the claim because it failed to apply contractual exclusions.
Technical Impossibility and Business Reasonableness
If SAP claims you have 2000 indirect users in a division with 800 total employees, that's a defense: the claim is technically impossible. Similarly, if SAP identifies indirect access to modules that aren't deployed in your landscape (e.g., SAP SuccessFactors users in a system that doesn't have SuccessFactors), the claim is invalid on its face.
Business reasonableness is a subtler defense: if SAP's identified indirect users include read-only access to financial modules by a dozen HR staff, and your company's controls strictly prohibit HR personnel from accessing financial systems, then SAP's identification process failed to account for documented access controls. The claim is implausible given your actual security posture.
These defenses have been tested. The Diageo judgment explicitly rejected SAP's measurement methodology on several grounds, including incomplete data and misclassification of service accounts. Enterprises with similar technical evidence can build a credible defense.
Audit Process Defects
SAP's audits must follow procedural norms: they must be conducted by SAP or SAP-authorized partners, the methodology must be disclosed, and the enterprise must have the opportunity to review and rebut findings. If SAP's audit violated these norms—for example, if key findings were made without IT team participation, or if logs were analyzed off-site without transparency—those defects undermine the audit's credibility.
Defending enterprises have also challenged whether SAP had a contractual right to audit indirect access at all. Some legacy contracts require 60 days' notice, on-site audits, or restrictions on the scope. If SAP's audit didn't comply with these provisions, the entire claim may be procedurally defective.
6. The 6-Question Decision Framework
Deciding whether to join DAAP or defend is not a binary choice with a universal answer. Your decision should turn on six specific questions that map to your actual risk, cost, and strength of position.
Question 1: Do you have strong evidence that SAP's measurement is inflated?
Why it matters: If your own forensic analysis shows that SAP's claimed indirect users include service accounts, one-time users, or contractually excluded categories, you have a defensible position. If your records are sparse and don't contradict SAP's methodology, your defense is weak.
Scoring: Strong evidence (system logs clearly distinguish service accounts, historical access reviews, documented user categories) = Defense case; Weak or absent evidence = DAAP favored.
Question 2: What's the true user population, based on your own count?
Why it matters: If SAP claims 600 indirect users and your forensic review identifies 150 credible users, the gap is defensible. If your count is 500, the gap narrows and DAAP becomes more reasonable.
Scoring: Gap > 50% of SAP's claim = Defense; Gap < 20% = DAAP.
Question 3: What's the annual cost difference between SAP's baseline and your count?
Why it matters: If the cost difference is $50K annually over 5 years ($250K total), the defense cost (external counsel, forensic experts) may exceed the savings. If the difference is $5M over 5 years, defense is economically rational.
Scoring: Cost difference > $3M over 5 years = Consider defense; < $1M = DAAP.
Question 4: How much internal resource will defense consume?
Why it matters: Defense requires IT participation (log analysis, access control review), legal review, and ongoing management attention. If your IT team is already stretched or your organization has low tolerance for dispute, the internal cost (in morale and focus) can exceed the financial benefit.
Scoring: IT under-resourced or organization risk-averse = DAAP; Strong IT team, litigation-experienced leadership = Consider defense.
Question 5: Does your contract include relevant carve-outs or limitations on indirect access?
Why it matters: If your contract excludes portal users, API-only access, or third-party integrations from indirect access fees, SAP's claim must respect those exclusions. Contract-based carve-outs are often overlooked by SAP's audit teams and represent strong defense opportunities.
Scoring: Clear carve-outs in contract = Strong defense; Vague or absent carve-outs = DAAP.
Question 6: What's your risk appetite and timeline preference?
Why it matters: Defense is uncertain and slow: 12–24 months to resolution. DAAP closes the matter in months. If your organization prefers certainty and swift closure, DAAP is the right answer even if defense is technically defensible.
Scoring: High certainty preference, short timeline = DAAP; Tolerance for 18+ month dispute, preference for best outcome = Consider defense.
Framework Synthesis
Score each question: questions with answers favoring defense should outnumber those favoring DAAP for defense to be rational. If most questions point to DAAP, join. If most point to defense, and costs justify it, contest the claim.
The framework also identifies hybrid strategies: if questions 1–3 suggest defense is possible but questions 4–5 suggest high friction, then negotiated DAAP (discussed below) is the middle path.
7. Negotiating DAAP Terms Instead of Accepting as Offered
Many enterprises assume DAAP is a take-it-or-leave-it offer. This is partially true: the per-user pricing and amnesty scope are fixed. But the baseline user count is negotiable, and that's where real value lies.
The Negotiation Window
DAAP enrollment typically includes a technical validation phase: SAP works with your IT team to review the proposed baseline, reconcile user lists, and identify any misclassifications. This is your opportunity to negotiate down. The baseline is not final until it's documented and signed.
During validation, your team should:
Successful negotiations typically reduce SAP's initial proposed baseline by 20–30%, which compounds to significant savings over the DAAP term.
Securing Renegotiation Clauses
DAAP baselines become contractual fact, but you can negotiate a renegotiation trigger into your DAAP addendum. Typical triggers include:
These clauses won't resolve the baseline lock-in entirely, but they create a path to renegotiation if your business materially changes. Without them, you're locked in for the full DAAP term regardless of organizational evolution.
Tiering and Exclusions
Some enterprises successfully negotiate tiered baselines: a higher baseline for core business users, a lower baseline for occasional or seasonal users, and exclusions for known service accounts or third-party access. Tiering adds complexity but can yield 15–25% cost reduction by reflecting actual usage patterns more accurately.
8. Fight and Lose vs. Join DAAP: Comparing Worst-Case Outcomes
The hardest decision scenarios are when the outcome is genuinely uncertain. A comparison of worst-case and best-case outcomes can clarify risk tolerance.
The Real Decision: Expected Value
Calculate the expected value of fighting vs. joining DAAP:
Expected Value of Defense:
(Probability of Win × Cost Savings) − (Probability of Loss × (Total Defense Cost + Audit Costs))
Example: SAP claims 600 indirect users (vs. your count of 200). At $800/user/year, the exposure is $320K/year × 5 = $1.6M.
• If you win: save $1.6M
• If you lose: pay $1.6M + defense costs ($400K) + audit recovery costs ($200K) = $2.2M
• Assume 40% win probability
• Expected value of defense: (0.4 × $1.6M) − (0.6 × $2.2M) = $640K − $1.32M = −$680K (defense is economically negative)
Expected Value of DAAP: Pay $1.6M (SAP's baseline cost) − $400K (successful negotiation to 450 users) = $1.2M
In this scenario, DAAP (even without negotiation) is superior to the expected cost of defense. But if you can negotiate down to 350 users, DAAP cost becomes $700K, and defense becomes rational if you have > 60% confidence in your case.
This is not a perfect calculation—it requires estimating win probability, which is inherently uncertain—but it grounds the decision in financial logic rather than emotion or organizational politics.