SAP Concur commits to maintaining the confidentiality, integrity, and availability of customer data and the development of solutions through the adoption of the SAP global security policy and internationally recognised standards.
This blog covers all SAP Concur solutions including Concur Travel, Concur Expense, and Concur Invoice.
SAP Concur Compliance
The below certificates, reports, and attestations (for SAP Concur) can be found in the SAP Trust Center:
|
ISO 27001 International framework for information security. SAP Concur has had a certified ISMS since 2004. |
ISO 9001 International Standard for Quality Management. SAP Concur is included in the SAP QMS for development of solutions since 2019. |
ISO 22301 Business continuity management framework. SAP Concur has had a certified BCMS since 2021. |
|
PCI DSS Payment Card Industry data security standard. SAP Concur is audited annually by a PCI Qualified Security Assessor (QSA). |
SOC 1 Type II SAP Concur transitioned to the SSAE18 and ISAE3402 standards in 2010. Reports are made available every 6 months. |
SOC 2 Type II SAP Concur added a SOC2 security audit report, beginning in 2017. Reports are made available annually. |
SAP Trust Center – Compliance Documents
Video: SAP Concur Data Security and Compliance
SAP Concur has over a hundred micro-services running in AWS which comprise of application, customer data, and backup services. Services are distributed across multiple availability zones with no single point of failure.
Data Center Regions
Customer’s choose a geo-graphical zone for the hosting of their data and can choose between the US or EMEA. See below for the AWS regions SAP Concur leverages within each geo-graphical zone:
| Services | North America Zone | EMEA Zone |
| Application, Data, Backup | AWS Oregon | AWS Germany |
| Remote Backup | AWS Ohio | AWS Ireland |
Data Center Listing for SAP Cloud Services
Note – The remote backup region is not listed in this document.
Security and compliance responsibilities between SAP, customers and third-parties providing services under the agreement.
- SAP is responsible for the security of the cloud infrastructure.
- AWS as the hyper-scaler providing infrastructure-as-a-service is responsible for the physical security of the data center
- Customers are responsible for securing their applications and data within the cloud environment.
SAP Security
SAP provides an overview of it’s data security trust model which applies to all SAP Cloud Services (including SAP Concur), here:
AWS Security
AWS provides an overview of it’s data centre physical and environmental controls, here:
SAP Concur: Security Best Practices for Customers
SAP Concur makes a product security guide available to customers advocating data security best practices, here:
Video: SAP Concur Shared Responsibility Model Overview
RISE with SAP Blog
Read the following blog written by Jana Subramanian to learn more about how the shared responsibility model has been standardised and adopted across all of SAP Cloud Services:
How SAP meets regulatory requirements
SAP cloud services offer enhanced DPP (data protection & privacy) protection to customers through robust security measures, data encryption, strict access controls, and compliance with global privacy regulations. Such measures ensure customer data remains both secure and confidential.
|
BS 10012 British Standard framework for managing personal information and ensuring data protection. SAP Concur in conjunction with SAP SE was one of the first global organisations to attain the BS 10012. |
Data Processing Agreement (DPA) Attached to customer agreements via the order form. |
Standard contractual clauses (SCCs) Provide a reliable & legally recognised mechanism for transferring personal data outside the EEA. Ensures an adequate level of data protection and assists in: Compliance with data protection regulations, protecting data subject rights, and establishes responsibilities + obligations for data processing. |
|
Technical and organisational measures (TOMs) Help protect personal data, ensure legal compliance, manage risks, and promote transparency and accountability for data processing activity. |
Sub processors SAP-affiliated and third-party entities perform a crucial role in the delivery of the cloud service. Sub processors may provide infrastructure, operational or agreed & defined data processing services on behalf of SAP Concur. |
Transfer impact assessments (TIAs) Sub processor listings and transfer factsheets are maintained and published for customers via the SAP My Trust Center. Customers can subscribe for updates and get an email when a new version is available. |
SAP Trust Center – Privacy Page
Learn more about how SAP meets DPP requirements:
如有侵权请联系:admin#unsafe.sh