Security overview

We’re committed to empowering your transformation with data-driven insights and actions.
Keeping all data safe and reliable is at the core of our service offering, and our team is relentless when it comes to preventing possible points of failure.

We continuously look for ways to improve product and platform performance, protect the privacy of your data and your customers’ data, and prevent unauthorized access to it at all times. Our compliance program is here to help meet your organization’s compliance needs, and we rely on industry best practices to get you there.

To achieve this, we regularly review and update security policies, provide security training, perform application and network security testing, monitor compliance with security policies, and conduct internal and external risk assessments.

Key security offerings

ISO27001 certified
SAML and OpenID based SSO
Secure Software Development Life Cycle (SDL)
Third party audits and penetration testing
Password policy and built-in 2-Factor Authentication
Data encryption in transit and at rest

Security practices

Secure Platform

The Celonis Intelligent Business Cloud adheres to the highest information security standards in order to protect your data.

Architecture

Multi-tenant architecture

The IBC runs on a multi-tenant architecture in which each team in the IBC is one tenant. Tenant separation follows a metadata-driven approach and applies industry best-in-class standards. Application data as well as analytics data is separated between all tenants.

Encryption

Data in transit

All data transferred to the IBC is encrypted via HTTPS using TLS 1.2 or higher.

Data at rest

Customer data is encrypted at rest with AES-256 encryption.

Hosting provider

Shared responsibility

Celonis does not operate its own physical datacenters at this time. Because our solution architecture is not bound to provider-specific technologies, we continuously evaluate cloud providers to ensure we use providers that are industry leaders in security.

The hosting providers are responsible for protecting the infrastructure that runs all of the services offered in the cloud.
This infrastructure is composed of the hardware, software, networking, and facilities that run cloud services.

Hosting provider compliance

The hosting providers comply with security standards, controls and requirements such as ISO 27001, ISO 27018, PCI, CSA, SOC and C5, among others.

The hosting providers' service organizations are SOC compliant. The audits for those reports are conducted in accordance with the SSAE 16 and ISAE 3402 professional standards. Furthermore, the datacenters in use are compliant with ISO/IEC 27018:2014.

Organizational Information Security

Celonis itself is dedicated to high security across all aspects of the organization. Celonis is ISO 27001 certified, has successfully implemented an Information Security Management System (ISMS) according to the ISO 27001 standard, and applies the ISO 27002 best practices.

Organizational Security

Celonis is dedicated to keeping the entire technology stack up to date. Security updates are triggered by the suppliers of the individual systems, and a regular security review ensures all systems are kept up to date. Celonis follows the recommendations of third-party providers such as Microsoft for the underlying OS layer and Oracle for the Java environment, and adopts their criticality ratings.

Patch timeframes

  • Patches and hotfixes are applied immediately
  • Minor updates are applied 2-weekly

External testing and audits

A dedicated audit program is in place which requires quarterly internal audits by the Information Security Management, as well as internal audits conducted by external advisors prior to the annual surveillance audit of the certification body.

Penetration testing

Penetration testing on application and network is performed every six months. This half-yearly penetration test is performed by a third-party provider.

In addition, Celonis executes its own internal penetration testing once a quarter for the application and the cloud service infrastructure.

Celonis monitors security on the platform with a dedicated IT security team and works with certified third-party auditors to validate the scope and effectiveness of implemented controls.

Vendor management

Celonis has defined rules for relationships with suppliers and partners. These are specified in the Celonis Supplier Security Policy, which is applied to monitor all suppliers and partners who are able to influence the confidentiality, integrity and availability of Celonis sensitive information.

GDPR Compliance

Access through the Intelligent Business Cloud is protected via encryption and secure passwords. Sensitive data can be anonymized, and it is possible to assign user-specific data access individually by defining authorization objects.

Data deletion

Celonis has implemented robust deletion concepts and timelines which ensure a consistent approach to data deletion. As part of the privacy-by-design setup of the IBC, data deletion can be performed at any time by the customer or by Celonis (upon instruction by the customer).

Security of data processing activities

Celonis itself is dedicated to high security across all aspects of the organization. Celonis goes through the full ISO 27001 certification, has successfully implemented an Information Security Management System (ISMS) according to the ISO 27001 standard, and applies the ISO 27002 best practices.

Pseudonymization and anonymization

As part of its privacy-by-design software setup, Celonis offers different levels which can be adjusted according to the customer's choice:

  • Option 1: Data is pseudonymized directly during extraction. All personal data and other sensitive information, such as vendor names, can be pseudonymized before leaving the customer’s network. Pseudonymized data cannot be restored by Celonis.

  • Option 2: All personal data is pseudonymized in the database, so that it is available in the analyses only in pseudonymized form.

Report a vulnerability

Security has the highest priority for Celonis. Therefore, we are continuously improving our technology in order to always provide you with the best solution. We follow international security standards as defined by leading tech companies and security communities.
If you think you may have found a security vulnerability in scope of our bug bounty program, we would really appreciate it if you would report it to us. This way, we can further improve security and reliability.
Please include the following information in your report:

  • Title
  • Product and endpoints under test
  • Description
  • Technical details
  • Impact
  • Reproduction steps
  • Setup
  • Steps

Send your report via e-mail to security-bugs@celonis.com.

Please use this PGP key to encrypt the information.
