It sometimes seems that every week brings another serious cybersecurity breach, with massive implications for the organization involved and its customers and stakeholders. Colonial Pipeline is just the latest example.
That’s why independent, provable security standards are so important – especially for Software as a Service (SaaS) vendors, and particularly in business process analysis and automation, which takes a deep look inside a customer’s internal operations. For customers to really trust a SaaS partner, they need to know that the vendor meets the highest available standard for security.
That’s exactly what System and Organization Controls (SOC) 2® provides. It is the security compliance gold standard for SaaS companies in the U.S.: a reporting framework established by the AICPA, the American Institute of Certified Public Accountants, the world’s largest member association representing the accounting profession. A SOC 2 report is an independent auditor’s examination of a service organization’s controls against the AICPA Trust Services Criteria (security, and optionally availability, processing integrity, confidentiality and privacy), and it gives large enterprise customers evidence that their valuable business data is handled securely.
Celonis and SOC 2
What SOC 2 offers is a standard for the assessment and testing of controls related to system architecture, data flow and processes. SOC 2 reports come in two types. Back in August last year we published a blog post on how Celonis had achieved SOC 2 Type 1 attestation. A Type 1 report assesses the design of controls at a point in time, providing an independent auditor’s opinion that Celonis has established processes to safeguard customers’ valuable business data. That matters because data is the catalyst for digital transformation, and optimizing your business processes is the key to unlocking the value in that data.
I’m super-excited to announce that we have now also successfully completed a SOC 2 Type 2 examination for our Execution Management System (EMS). Type 2 is the practical dimension: it tests whether the controls whose design was assessed in the Type 1 report actually operated effectively throughout the audit period, rather than simply existing on paper at one moment. By successfully demonstrating this, Celonis becomes the first process mining vendor to achieve a SOC 2 Type 2 attestation.
I can’t stress enough how valuable this is for our customers. Because we deeply integrate, in real-time, with source systems and provide actions on top of this broad system landscape, a Type 2 attestation has become a "must-have" for enterprise customers. Independent evidence that our internal security controls operate effectively over time is exactly the assurance our customers need when using our deeply integrated data extractions and action flows. This is a key requirement for our customers, who can now rely on an independent auditor’s report rather than conducting their own control-by-control evaluations. The report itself states the audit period, the controls in scope and any complementary controls the customer is expected to operate on their own side, so it is also the right starting point for a customer’s vendor risk review.
A continuing dedication to quality and security
Security is built into every layer of our EMS platform, allowing customers to customize security controls to meet their exact needs and standards. At the heart of our approach is the Celonis Security & Trust Center, which documents how we build security and privacy into everything we do.
Getting to SOC 2 Type 2 attestation is a massive milestone on this security journey for us and our customers. It has involved continuous investment by Celonis and a lot of hard work by a lot of our Celonauts, and I want to thank them publicly here. However, this is not a once-and-done story. Quality certification is, and always has been, a top priority for Celonis, which is now not only ISO 27001 certified but also SOC 2 Type 2 audited. To date we’ve achieved ISO/IEC 27001 (information security management), ISO/IEC 27701:2019 (privacy information management), Cloud Security Alliance CSA STAR Level 1, ISO 9001:2015 (quality management) and SOC 2 Type 2 (controls over the security of customer data); we process data in compliance with GDPR; and we have completed the automotive industry’s Trusted Information Security Assessment Exchange (TISAX) assessment.
That’s a lot of acronyms to take in all at once! But the key point is this: we take the quality and security of our customers’ data and systems extremely seriously. In fact, you cannot partner with a process mining vendor that has higher security standards than Celonis.