Enterprise Resource Planning Blogs by SAP
Paul-White

Introduction

SAP Concur commits to maintaining the confidentiality, integrity, and availability of customer data and the development of solutions through the adoption of the SAP global security policy and internationally recognised standards. This blog covers all SAP Concur solutions including Concur Travel, Concur Expense, and Concur Invoice.

SAP Concur Certifications and Compliance

The below certificates, reports, and attestations can be found in the SAP Trust Center:

ISO 27001: SAP Concur has had an ISO certified information security management system (ISMS) since 2004.
ISO 9001: SAP has an ISO certified quality management system (QMS) for development. SAP Concur has been part of the SAP certification since 2019.
ISO 22301: SAP Concur has had an ISO certified business continuity management system (BCMS) since 2021.
PCI DSS: SAP Concur is audited annually by a PCI qualified security assessor (QSA) for PCI DSS and is Visa level 1 compliant.
SOC 1 type II: SAP Concur uses SSAE18 and ISAE3402 standards. Reports are made available twice annually.
SOC 2 type II: SAP Concur makes a SOC 2 type II report available annually.

SAP Trust Center - Compliance Documents

Hosting

SAP Concur has over a hundred microservices running in AWS, comprising application, customer data, and backup services. Services are distributed across multiple availability zones with no single point of failure.

Data Center Regions

Customers choose a geographical zone for the hosting of their data, either the US or EMEA. The AWS regions SAP Concur leverages within each geographical zone are listed below:

Data Center | Application, Data, Backup | Remote Backup
North America | AWS Oregon | AWS Ohio
EMEA | AWS Germany | AWS Ireland

Data Center Listing for SAP Cloud Services

Shared Responsibility Model

The shared responsibility model sets out the responsibilities shared between SAP, customers, and third parties providing services under the agreement:

Responsibilities

SAP Security

SAP is responsible for the security of the cloud infrastructure. Overview of the Trust Model applicable to all SAP Cloud Services: 

SAP: Delivering Trusted Cloud Solutions

AWS Security

AWS, as the hyperscaler providing infrastructure as a service, is responsible for the physical security of the data centre.

Overview of AWS physical and environmental controls specific to physical data centre and infrastructure services:

AWS Data Centers - Security Controls

Security of customers

Customers are responsible for securing the application and data within the cloud environment. SAP Concur publishes security best practices for customers to follow:

Protect Your SAP Concur Cloud

RISE with SAP Blog

Read the following blog written by Jana Subramanian to learn more about how the shared responsibility model has been standardised and adopted across all of SAP Cloud Services:

Data Protection and Privacy

How SAP meets regulatory requirements

SAP cloud services offer enhanced data protection and privacy (DPP) to customers through robust security measures, data encryption, strict access controls, and compliance with global privacy regulations.

Measures

BS 10012: SAP Concur, in conjunction with SAP SE, was one of the first global organisations to attain the British Standard (BS 10012), a framework for managing personal information and ensuring compliance with international data protection regulations.
Data Processing Agreement (DPA): The SAP Data Processing Agreement is standard across all SAP products and services and sets out the required terms for SAP Concur data processing.
Standard contractual clauses (SCCs): Provide a reliable and legally recognised mechanism for transfers of personal data outside the EEA.
Technical and organisational measures (TOMs): Ensure adequate protections, legal compliance, risk management, transparency, and provisions for accountability of data processing activity.
Sub processors: SAP-affiliated and third-party entities perform a crucial role in the delivery of the cloud service. Sub processors may provide infrastructure, operational, or agreed and defined data processing services on behalf of SAP Concur.
Transfer impact assessments (TIAs): Sub processor listings and transfer factsheets are maintained and published for customers via the SAP My Trust Center. Customers can subscribe for updates and get an email when a new version is available.

SAP Trust Center - Privacy Page

Learn more about how SAP meets DPP requirements:

Disclaimer

© 2024 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.
