Security overview
Weโre committed to empowering your transformation with data-driven insights and actions.
Keeping all data safe and reliable is at the core of our service offering and our team is relentless when it comes to preventing possible points of failure.
We continuously look for ways to improve product and platform performance and protect the privacy of your data and your customersโ data and preventing it from unauthorized access at all time. Our compliance program is here to help meet your organizationโs compliance needs and we rely on industry best practices to get you there.
In order to achieve this, we regularly review and update security policies, provide security training, perform application and network security testing, monitor compliance with security policies and conduct internal and external risk assessments.
Key security offerings
ISO27001 certified
SAML and OpenID based SSO
Secure Software Development Life Cycle (SDL)
Third party audits and penetration testing
Password policy and built-in 2-Factor Authentication
Data encryption in transit and at rest
Security practices
Secure Platform
The Celonis Intelligent Business Cloud adheres to the highest information security standards in order to protect your data.
Architecture
Multi-tenant architecture
The IBC is running on a multi-tenant architecture where each team in the IBC is one tenant. Tenant separation follows a meta data driven approach and applies industry best in class standards. Application data as well as Analytics data is separated between all tenants.
Encryption
Data in transit
All data transferred to the IBC is always encrypted via HTTPS using TLS 1.2 or higher.
Data in rest
Customer data is encrypted at-rest with AES-256 Encryption
Hosting provider
Shared responsibility
Celonis does not host own physical datacenters at the time. As our solution architecture is not bound to provider-specific technologies, we continuously evaluate cloud providers to ensure we use cloud providers which are industry leaders in security.
The hosting providers are responsible for protecting the infrastructure that runs all of the services offered in the cloud.
This infrastructure is composed of the hardware, software, networking, and facilities that run cloud services.
Hosting provider compliance
The hosting providers comply with security standards, controls and requirements as set out such as ISO 27001, ISO 27018, PCI, CSA, SOC, C5 among others.
The hosting providers service organization are SOC compliant. The audits for those reports are conducted in accordance with the SSAE 18 and the ISAE 3402 professional standards. Furthermore the datacenters in use are compliant to ISO/IEC 27018:2014.
Download our Secure Platform whitepaper
Organizational Information Security
Celonis itself is dedicated to high security across all aspects of the organization. We are using the ISO 27002 best practices as Celonis is ISO27001 certified and has successfully implemented an Information Security Management System (ISMS) according to ISO 27001 Standard.
Organizational Security
Celonis is dedicated to keeping the entire technology stack up to date. Security updates are triggered by the suppliers of the individual systems and a regular security review ensures all systems are kept up do date. Celonis follows the recommendations of third party providers such as Microsoft for the underlying OS layer as well as Oracle for Java environment and adopts the criticality level.
Patch timeframes
- Patches and hotfixes are applied immediately
- Minor updates are applied 2-weekly
External testing Audits
There is a dedicated audit program in place which requires quarterly, internal audits by the Information Security Management as well as internal audits conducted by external advisors in prior to the annual surveillance audit of the certification body.
Penetration testing
Third party penetration testing
External studies will take place at least two times annually conducted by a third party penetration testing providers to determine if potential vulnerabilities are exploitable using a gray or white box approach and the scope may be internal or external testing.
In-house penetration testing
In-house penetration testing will take place at least four times annually (once a quarter) conducted by Celonis security operation team to determine if potential vulnerabilities are exploitable using gray or white box approach and the scope may be internal or external testing.
Celonis monitors security on the platform with a dedicated IT security team and works with certified third-party auditors to validate the scope and effectiveness of implemented controls.
Vendor management
Celonis has defined rules for relationships with suppliers and partners. This is specified in the Celonis Supplier Security Policy which is applied to monitor all suppliers and partners who have the ability to influence confidentiality, integrity and availability of Celonis sensitive information.
Download our whitepaper on how Celonis ensures organization information security
GDPR Compliance
The access through the Intelligent Business Cloud is protected via encryption and secure passwords. Sensitive data can be anonymized, and it is possible to individually assign a user specific data access by defining authorization objects.
Data deletion
Celonis has implemented robust deletion concepts and timeliness which ensure a consistent approach to data deletion. As part of our privacy by design setup of the IBC, data deletion can be performed at any time by the customer or Celonis (upon instruction by customer).
Security of data processing activities
As a German company, Celonis SE follows the General Data Protection Regulation (GDPR). We implemented and are maintaining comprehensive technical and organizational measures (TOMs) as by Industry best practice having our ISMS ISO27001 certified by a third party on an annual basis. These TOMs include but are not limited to: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control to keep all data safe at any given point in time.
Pseudonymization and anonymization
As part of its privacy by design software setup, Celonis offers different levels which can be adjusted according to Customer Choices:
- Option 1: Data is pseudonymized directly during extraction. All personal data and other sensitive information like vendor names can be pseudonymized before leaving the customerโs network. Pseudonymized data cannot be restored by Celonis.
- Option 2: All personalized data will be pseudonymized in the database, making it available in the analyses only pseudonymized.
Download our whitepaper on how Celonis supports you with GDPR compliance
Report a vulnerability
Security has the highest priority for Celonis. Therefore, we are continuously improving our technology in order to always provide you with the best solution. We follow international security standards as defined by leading tech companies and security communities.
If you think you may have found a security vulnerability in scope of our bug bounty program, we would really appreciate it if you would report it to us. This way, we can further improve security and reliability.
Please include the following information in your report:
- Title
- Product and endpoints under test
- Description
- Technical details
- Impact
- Reproduction steps
- Setup
And send via E-Mail to
Please use this PGP key to encrypt the information.