We’re committed to empowering your transformation with data-driven insights and actions.
Keeping all data safe and reliable is at the core of our service offering and our team is relentless when it comes to preventing possible points of failure.
We continuously look for ways to improve product and platform performance, to protect the privacy of your data and your customers’ data, and to prevent unauthorized access to it at all times. Our compliance program is here to help meet your organization’s compliance needs, and we rely on industry best practices to get you there.
In order to achieve this, we regularly review and update security policies, provide security training, perform application and network security testing, monitor compliance with security policies and conduct internal and external risk assessments.
The Celonis Intelligent Business Cloud adheres to the highest information security standards in order to protect your data.
The IBC runs on a multi-tenant architecture in which each team in the IBC is one tenant. Tenant separation follows a metadata-driven approach and applies industry best-in-class standards. Application data and analytics data are separated between all tenants.
Data in transit
All data transferred to the IBC is encrypted in transit via HTTPS using TLS 1.2 or higher.
Data at rest
Customer data is encrypted at rest with AES-256.
Celonis does not operate its own physical data centers at this time. Because our solution architecture is not bound to provider-specific technologies, we continuously evaluate cloud providers to ensure we use providers that are industry leaders in security.
The hosting providers are responsible for protecting the infrastructure that runs all of the services offered in the cloud.
This infrastructure is composed of the hardware, software, networking, and facilities that run cloud services.
Hosting provider compliance
The hosting providers comply with security standards, controls and requirements such as ISO 27001, ISO 27018, PCI, CSA, SOC and C5, among others.
The hosting providers’ service organizations are SOC compliant. The audits for those reports are conducted in accordance with the SSAE 18 and ISAE 3402 professional standards. Furthermore, the data centers in use are compliant with ISO/IEC 27018:2014.
Celonis itself is dedicated to high security across all aspects of the organization. Celonis is ISO 27001 certified, has implemented an Information Security Management System (ISMS) according to the ISO 27001 standard, and applies the ISO 27002 best-practice controls.
Celonis is dedicated to keeping the entire technology stack up to date. Security updates are triggered by the suppliers of the individual systems, and a regular security review ensures all systems are kept up to date. Celonis follows the recommendations of third-party providers such as Microsoft for the underlying OS layer and Oracle for the Java environment, and adopts their criticality ratings.
Patches and hotfixes are applied immediately.
Minor updates are applied every two weeks.
There is a dedicated audit program in place which requires several internal and external audits of the Information Security Management System each year. Audits ensure conformance to our existing information security controls and uphold existing Celonis certifications. Audits are performed by qualified and independent bodies.
Third party penetration testing
External penetration tests take place at least twice a year and are conducted by third-party penetration testing providers to determine whether potential vulnerabilities are exploitable, using a gray-box or white-box approach; the scope may be internal or external testing.
In-house penetration testing
In-house penetration tests take place at least four times a year (once a quarter) and are conducted by the Celonis security operations team to determine whether potential vulnerabilities are exploitable, using a gray-box or white-box approach; the scope may be internal or external testing.
Celonis monitors security on the platform with a dedicated IT security team and works with certified third-party auditors to validate the scope and effectiveness of implemented controls.
In case of a security breach, the customer’s designated key contact person will be informed. To provide information relevant to security incidents or other security-related issues, we offer to notify you via email. To receive such emails, you are required to provide us with the contact details (email address and telephone number) of the contact person best suited for this matter. To provide the contact details, send an email with the information to the following address: email@example.com
Celonis has defined rules for relationships with suppliers and partners. These are specified in the Celonis Supplier Security Policy, which is applied to monitor all suppliers and partners who have the ability to influence the confidentiality, integrity and availability of sensitive Celonis information.
Access to the Intelligent Business Cloud is protected by encryption and secure passwords. Sensitive data can be anonymized, and data access can be assigned to individual users by defining authorization objects.
Celonis has implemented robust deletion concepts and timelines which ensure a consistent approach to data deletion. As part of the privacy-by-design setup of the IBC, data deletion can be performed at any time by the customer or by Celonis (upon instruction by the customer).
As a German company, Celonis SE follows the General Data Protection Regulation (GDPR). We have implemented and maintain comprehensive technical and organizational measures (TOMs) in line with industry best practice, and our ISMS is ISO 27001 certified by a third party on an annual basis. These TOMs include but are not limited to: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control, to keep all data safe at any given point in time.
As part of its privacy-by-design software setup, Celonis offers different levels of pseudonymization which can be adjusted according to the customer’s choice:
Option 1: Data is pseudonymized directly during extraction. All personal data and other sensitive information, such as vendor names, can be pseudonymized before leaving the customer’s network. Pseudonymized data cannot be restored by Celonis.
Option 2: All personal data is pseudonymized in the database, so that it is available in the analyses only in pseudonymized form.
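The following is an added example, not Celonis code and not a description of how the IBC extractor actually pseudonymizes data. It shows one way to obtain the property claimed for Option 1 (values replaced before leaving the customer’s network, and not restorable by the recipient): a keyed, deterministic pseudonym (HMAC-SHA256) computed with a key that stays with the customer. Determinism preserves joins and aggregations across records, the column name is mixed in as domain separation, and a guess-and-check function shows why an unkeyed hash of a low-entropy field such as an e-mail address would not give the same guarantee. The record layout, column names and sample values are constructed for this example.

```python
"""Keyed pseudonymization of sensitive columns at extraction time (added example)."""
import hashlib
import hmac

# Constructed sample of extracted ERP-style records; not real customer data.
SAMPLE_RECORDS = [
    {"case_id": 1001, "vendor_name": "Acme GmbH", "approver": "alice@example.com", "amount": 1200.0},
    {"case_id": 1002, "vendor_name": "Acme GmbH", "approver": "bob@example.com", "amount": 80.5},
    {"case_id": 1003, "vendor_name": "Globex Corp", "approver": "alice@example.com", "amount": 4300.0},
]

# Hypothetical column names chosen for this example.
SENSITIVE_COLUMNS = ("vendor_name", "approver")


def pseudonymize_value(key: bytes, column: str, value: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over (column, value).

    Determinism keeps joins and group-bys working after pseudonymization.
    The column name is mixed in as domain separation so the same string in two
    different columns does not yield the same pseudonym. Column names never
    contain NUL, so the NUL separator is unambiguous.
    """
    msg = column.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_records(key: bytes, records, columns=SENSITIVE_COLUMNS):
    """Return copies of the records with the listed columns pseudonymized.

    Non-sensitive columns (case ids, amounts) are passed through unchanged so
    the process data remains analyzable.
    """
    out = []
    for rec in records:
        new = dict(rec)
        for col in columns:
            if new.get(col) is not None:
                new[col] = pseudonymize_value(key, col, str(new[col]))
        out.append(new)
    return out


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256, the weak alternative: anyone can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def recover_by_dictionary(pseudonym: str, candidates, hash_fn=unkeyed_hash):
    """Guess-and-check attack a data recipient could run without the key.

    Returns the candidate whose hash matches the pseudonym, or None. Succeeds
    against unkeyed hashes of guessable values (e-mail addresses, vendor names)
    and fails against HMAC output, which cannot be recomputed without the key.
    """
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), pseudonym):
            return cand
    return None


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generated and kept inside the customer's network
    for row in pseudonymize_records(key, SAMPLE_RECORDS):
        print(row)
```

Two caveats a practitioner should keep in mind: rotating the key changes every pseudonym, so records extracted under different keys no longer join; and keyed pseudonymization is still pseudonymization, not anonymization, because whoever holds the key can re-identify the data.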
Security has the highest priority for Celonis. Therefore, we are continuously improving our technology in order to always provide you with the best solution. We follow international security standards as defined by leading tech companies and security communities.
If you think you may have found a security vulnerability within the scope of our bug bounty program, we would really appreciate it if you would report it to us. This way, we can further improve security and reliability.
Please include the following information in your report:
Product and endpoints under test
and send it via email to
Please use this PGP key to encrypt the information.