Security overview

We’re committed to empowering your transformation with data-driven insights and actions.
Keeping all data safe and reliable is at the core of our service offering and our team is relentless when it comes to preventing possible points of failure.

We continuously look for ways to improve product and platform performance and to protect the privacy of your data and your customers’ data, preventing unauthorized access at all times. Our compliance program is here to help meet your organization’s compliance needs, and we rely on industry best practices to get you there.

In order to achieve this, we regularly review and update security policies, provide security training, perform application and network security testing, monitor compliance with security policies and conduct internal and external risk assessments.


Key security offerings

ISO27001 certified

SAML and OpenID based SSO

Secure Software Development Life Cycle (SDL)

Third party audits and penetration testing

Password policy and built-in 2-Factor Authentication

Data encryption in transit and at rest

Security practices

Secure Platform

The Celonis Intelligent Business Cloud adheres to the highest information security standards in order to protect your data.


Multi-tenant architecture

The IBC runs on a multi-tenant architecture in which each team in the IBC is one tenant. Tenant separation follows a metadata-driven approach and applies best-in-class industry standards. Application data as well as analytics data is separated between all tenants.


Data in transit

All data transferred to the IBC is always encrypted via HTTPS using TLS 1.2 or higher.

Data at rest

Customer data is encrypted at rest with AES-256 encryption.

Hosting provider

Shared responsibility

Celonis does not host its own physical datacenters at this time. As our solution architecture is not bound to provider-specific technologies, we continuously evaluate cloud providers to ensure we use those that are industry leaders in security.

The hosting providers are responsible for protecting the infrastructure that runs all of the services offered in the cloud.

This infrastructure is composed of the hardware, software, networking, and facilities that run cloud services.

Hosting provider compliance

The hosting providers comply with security standards, controls and requirements such as ISO 27001, ISO 27018, PCI, CSA, SOC and C5, among others.

The hosting providers’ service organizations are SOC compliant. The audits for those reports are conducted in accordance with the SSAE 18 and ISAE 3402 professional standards. Furthermore, the datacenters in use are compliant with ISO/IEC 27018:2014.

Download our Secure Platform whitepaper

Organizational Information Security

Celonis itself is dedicated to high security across all aspects of the organization. We use the ISO 27002 best practices, as Celonis is ISO27001 certified and has successfully implemented an Information Security Management System (ISMS) according to the ISO 27001 standard.

Organizational Security

Celonis is dedicated to keeping the entire technology stack up to date. Security updates are triggered by the suppliers of the individual systems, and a regular security review ensures all systems are kept up to date. Celonis follows the recommendations of third-party providers, such as Microsoft for the underlying OS layer and Oracle for the Java environment, and adopts their criticality levels.

Patch timeframes

  • Patches and hotfixes are applied immediately

  • Minor updates are applied 2-weekly

External testing Audits

There is a dedicated audit program in place which requires several internal and external audits of the Information Security Management System each year. Audits ensure conformance to our existing information security controls and uphold existing Celonis certifications. Audits are performed by qualified and independent bodies.

Penetration testing

Third party penetration testing

External studies will take place at least two times annually, conducted by third-party penetration testing providers, to determine whether potential vulnerabilities are exploitable using a gray or white box approach. The scope may be internal or external testing.

In-house penetration testing

In-house penetration testing will take place at least four times annually (once a quarter), conducted by the Celonis security operations team, to determine whether potential vulnerabilities are exploitable using a gray or white box approach. The scope may be internal or external testing.

Celonis monitors security on the platform with a dedicated IT security team and works with certified third-party auditors to validate the scope and effectiveness of implemented controls.

Security Incident and Event Notification

In case of security breaches, the defined key contact person of the customer will be informed. In order to provide information relevant to security incidents or other security-related issues, we offer to notify you via email. In order to receive such emails, you are required to provide us with the contact details (email address and telephone number) of the contact person best suited for this matter. To provide the contact details you can send an email with the information to the following email address:

Vendor management

Celonis has defined rules for relationships with suppliers and partners. This is specified in the Celonis Supplier Security Policy which is applied to monitor all suppliers and partners who have the ability to influence confidentiality, integrity and availability of Celonis sensitive information.

Download our whitepaper on how Celonis ensures organization information security

GDPR Compliance

Access through the Intelligent Business Cloud is protected via encryption and secure passwords. Sensitive data can be anonymized, and user-specific data access can be assigned individually by defining authorization objects.

Data deletion

Celonis has implemented robust deletion concepts and timeliness which ensure a consistent approach to data deletion. As part of our privacy by design setup of the IBC, data deletion can be performed at any time by the customer or Celonis (upon instruction by customer).

Security of data processing activities

As a German company, Celonis SE follows the General Data Protection Regulation (GDPR). We have implemented and maintain comprehensive technical and organizational measures (TOMs) in line with industry best practice, having our ISMS ISO27001 certified by a third party on an annual basis. These TOMs include but are not limited to: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control to keep all data safe at any given point in time.

Pseudonymization and anonymization

As part of its privacy by design software setup, Celonis offers different levels which can be adjusted according to customer choices:

  • Option 1: Data is pseudonymized directly during extraction. All personal data and other sensitive information like vendor names can be pseudonymized before leaving the customer’s network. Pseudonymized data cannot be restored by Celonis.

  • Option 2: All personalized data will be pseudonymized in the database, so that it is available in the analyses only in pseudonymized form.

Download our whitepaper on how Celonis supports you with GDPR compliance

Report a vulnerability

Security has the highest priority for Celonis. Therefore, we are continuously improving our technology in order to always provide you with the best solution. We follow international security standards as defined by leading tech companies and security communities.

If you think you may have found a security vulnerability in scope of our bug bounty program, we would really appreciate it if you would report it to us. This way, we can further improve security and reliability.

Please include the following information in your report:

  • Title

  • Product and endpoints under test

  • Description

  • Technical details

  • Impact

  • Reproduction steps

  • Setup

And send via E-Mail to

Please use this PGP key to encrypt the information.

