SIGNAVIO IT requirements and other topics

ma_goe
Member

I have several questions regarding IT requirements and other topics. Unfortunately I could not find the answers in the material and trainings. I would really appreciate it if someone could help out here 🙂 Thank you!

  • What is SIGNAVIO's information security concept for secure operation of the solution and how do they regularly update it? Please provide documentation for it.
  • What is SIGNAVIO's concept for protection of PII (personally identifiable information) data and how do they update it? Please provide documentation for technical and organizational measures.
  • Does SIGNAVIO do security audits?
  • In which country does SIGNAVIO host the data?
  • Where/Who is SIGNAVIO's main contact for Information Security, IT-Security or Cybersecurity?
  • Does SIGNAVIO ensure that the customer will remain the owner of the data?
  • In case the contract may be discontinued at a certain point of time - how does SIGNAVIO hand back data to customers?
  • What happens to the customer’s data, configuration, dashboards etc. created when ending the contract? What needs to be considered when going further with process mining? What transfer would afterwards be possible in an own process mining environment and in which timeframe?
  • Is it possible to have direct access (with 5-10 own licenses) to the process mining solutions? How is the access handled?

Thank you!

Answers (1)

julienmoigno
Advisor

Dear Maya,

Apologies for the tardy answer; it took me some time to gather all the responses. I answered as best as I could.

What is SIGNAVIO's information security concept for secure operation of the solution and how do they regularly update it? Please provide documentation for it.

Signavio is ISO 27001 certified. We have implemented a comprehensive information security management system (ISMS) based on international standards. Customers can have confidence that Signavio takes information security seriously.

The SAP Signavio Process Manager (SPM) gateway plays a crucial role in guaranteeing robust security for external communication within the network. It upholds various security facets, including:

Network Security: Through the implementation of protected routes and authenticated headers, the SPM gateway ensures that all communication originating from outside the network is subject to rigorous authentication, safeguarding against unauthorized access.

Communication Channel Security: To fortify communication channel security, the SPM gateway employs HTTPS request protection. This cryptographic protocol not only encrypts data exchanged between clients and the server but also authenticates the parties involved, ensuring secure and confidential data transmission.

In addition to these security measures, Signavio's suite of products, including SAP Signavio Process Governance and SAP Signavio Process Manager, goes a step further to protect sensitive data. Notably, these applications have the capability to store sensitive information, such as passwords, in an encrypted format. This encryption process involves the use of a dedicated secret key that is explicitly generated for the application, providing a robust layer of security for confidential data storage. For comprehensive insights into data storage security, we recommend referring to the "Data Storage Security" section for more detailed information on Signavio's approach to safeguarding sensitive information.

Here are some concepts you can use that will strengthen the security of your operation:

Manage Access Rights: Effective management of access rights is pivotal for maintaining a secure environment. We highly recommend creating user groups with access rights tailored to your organizational needs, as elaborated in the "User groups" section. This approach ensures that permissions align with your specific requirements, promoting controlled access. It's essential to note that if users are not initially assigned to any group, they inherit extensive privileges, granting them the ability to read, write, delete, or publish within all folders and models located in the Shared Documents folder. Therefore, assigning users to appropriate groups should be a fundamental part of your access control strategy. Additionally, granting access rights to a folder extends access to all subfolders and diagrams contained within it. This hierarchical permission structure simplifies access management while preserving security.

Define Access Rights: Defining access rights is a crucial aspect of ensuring that users can only perform actions that align with their roles and responsibilities. This granular control not only safeguards sensitive information but also maintains the integrity of your workspace.

Set Up IP Address Filtering: Implementing an IP address filter is a valuable security measure. It enables you to establish a list of trusted IP addresses that are permitted to access SAP Signavio Products. By limiting access to authorized IP addresses, you enhance security by reducing the attack surface and potential threats.

Define a Password Policy: Enforcing a robust password policy is a vital component of security. This policy ensures that secure passwords are used, mitigating access security issues even when multiple users have access to your workspace. A well-defined password policy is an essential line of defense against unauthorized access.

Trusted Domains: For users looking to embed SAP Signavio products in iframes using trusted domains, two options are available: Utilize one of the public trusted domains, which provides a secure and reliable means of embedding. Alternatively, you can add workspace-specific trusted domains, granting you greater control over the embedding process. This customization ensures that embedding is restricted to domains you explicitly trust, bolstering security. Incorporating these access management and security measures into your SAP Signavio setup contributes significantly to safeguarding your data and operations, promoting a secure and controlled environment for your organization.

What is SIGNAVIO's concept for protection of PII (personally identifiable information) data and how do they update it? Please provide documentation for technical and organizational measures.

In Signavio we have created this Privacy Statement to demonstrate our firm commitment to the individual's right to data protection and privacy. It outlines how we handle information that can be used to directly or indirectly identify an individual ("Personal Data").

To safeguard Personally Identifiable Information (PII), we can design our Data Extraction and Transformation setup to align our management of PII with the guidelines of the GDPR.

Does SIGNAVIO do security audits?

You can use the Security Audit Log to record changes to user data records or user removal. You can then access this information for evaluation in the form of an audit analysis report. The Security Audit Log provides for long-term data access. Currently there is no direct access to logs, it needs to be requested through Customer Support. Please contact our SAP Signavio service experts from the SAP for Me portal.

In which country does SIGNAVIO host the data?

The country where your data is located depends on where the client is located. Secure servers are located in Germany, Australia, and the USA. You are free to choose in which one of these countries you wish to store your data. SAP Signavio is ISO 27001 certified.

SAP does only store your Personal Data for as long as it is required:

  • to make products and services requested by you or your employer available to you
  • for SAP to comply with statutory obligations to retain Personal Data, resulting, inter alia, from applicable export, finance, tax or commercial laws.
  • until the other purposes listed herein are completed.
  • to fulfill SAP's legitimate business purposes as further described in this Privacy Statement, unless you object to SAP's use of your Personal Data for these purposes.
  • until you revoke a consent you previously granted to SAP to process your Personal Data. To learn more about how you may revoke consent, please see the guidance below in the section titled "What are your data protection rights".

SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. For further information please refer to Signavio's Privacy Statement.

Where/Who is SIGNAVIO's main contact for Information Security, IT-Security or Cybersecurity?

Does SIGNAVIO ensure that the customer will remain the owner of the data?

Signavio is ISO 27001 certified, which focuses on establishing and maintaining an effective information security management system (ISMS) within an organization. Through these information security controls and processes, Signavio meets its data protection obligations and ensures the confidentiality, integrity, and availability of data. Ownership of data typically hinges on the terms and conditions outlined in the contract or service agreement. To get a comprehensive answer regarding data ownership, I would suggest reviewing Signavio's terms of service in your contract.

In case the contract may be discontinued at a certain point of time - how does SIGNAVIO hand back data to customers?

The standard retention time is 30 days and within these the customer can access the data (currently on request, soon probably the whole 30 days), and after an additional 30 days the data is deleted. There is no handover (maybe internal). As there is no export for PI, in the end there is also simply no way at all to export the data.

What happens to the customer’s data, configuration, dashboards etc. created when ending the contract?

At contract end the customer's tenant is first deactivated and then deleted.

What needs to be considered when going further with process mining? What transfer would afterwards be possible in an own process mining environment and in which timeframe?

It sounds like you're interested in taking your process mining efforts further. In order to provide you with the best guidance and insights, we would need a more detailed conversation about your specific use case and objectives. This will allow us to understand your unique needs, challenges, and goals. Once we have a clear understanding of your requirements, we can discuss what kind of transfer or migration might be possible to your own process mining environment. This could include transferring data, models, or configurations, depending on what aligns with your objectives. The timeframe for any transfer or implementation would depend on the complexity of your use case and the scope of the project.

Is it possible to have direct access (with 5-10 own licenses) to the process mining solutions? How is the access handled?

You need another license to be able to access the workspace. It's not possible to have additional internal licenses in a customer's workspace; if you need a license to work, it needs to come out of the customer's amount.

In case you would like to review a part of the answer in detail, do not hesitate to contact us via signavio_success@sap.com.

Best
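The "Set Up IP Address Filtering" and "Trusted Domains" recommendations in the answer above are both allowlist checks: a request is admitted only if the client address falls inside a trusted network, and a page may embed the product in an iframe only if its origin is a trusted domain. The Python below is an added illustration of how such checks are evaluated in general; it is not SAP Signavio code and says nothing about how the product implements these settings internally. The networks, domain names and origins are constructed placeholders, and the wildcard matching rule (`*.` matches subdomains only) is an assumption of this example.

```python
"""Allowlist checks of the kind recommended above: IP address filtering and
trusted embedding domains. Constructed example, not SAP Signavio code."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy. The ranges use documentation prefixes and the
# domains are placeholders; a real deployment would load these from config.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),     # e.g. office egress range
    ipaddress.ip_network("2001:db8:abcd::/48"),  # e.g. corporate IPv6 prefix
]
TRUSTED_DOMAINS = ["intranet.example.com", "*.portal.example.com"]


def ip_allowed(client_ip: str, networks=TRUSTED_NETWORKS) -> bool:
    """Return True only if client_ip parses and lies inside an allowlisted
    network. Unparseable input is denied rather than raising (fail closed).
    Mixed IPv4/IPv6 comparisons simply evaluate to False."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def domain_allowed(origin: str, domains=TRUSTED_DOMAINS) -> bool:
    """Return True if the embedding page's origin (e.g. the Origin header)
    matches an allowlisted domain. A '*.' pattern matches one or more labels
    below the given domain, never the bare domain itself and never a host
    that merely shares the spelling of the suffix (notportal.example.com).
    Only https origins are accepted; opaque origins such as 'null' have no
    hostname and are rejected."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    for pattern in domains:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".portal.example.com", dot included
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def frame_ancestors_header(domains=TRUSTED_DOMAINS) -> str:
    """Express the same trusted-domain allowlist as a Content-Security-Policy
    frame-ancestors directive, so the browser enforces it as well."""
    sources = " ".join(f"https://{d}" for d in domains)
    return f"frame-ancestors 'self' {sources}"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5", "2001:db8:abcd::1", "garbage"):
        print(f"{ip:>20} -> {'allow' if ip_allowed(ip) else 'deny'}")
    for origin in ("https://app.portal.example.com", "https://portal.example.com",
                   "https://notportal.example.com", "http://intranet.example.com"):
        print(f"{origin:>32} -> {'allow' if domain_allowed(origin) else 'deny'}")
    print(frame_ancestors_header())
```

The two points worth taking from the code are the fail-closed handling of malformed input and the explicit leading dot in the wildcard suffix; a plain `endswith("portal.example.com")` would also admit `notportal.example.com`. Emitting the same list as a `frame-ancestors` directive makes the browser a second enforcement point for the embedding restriction.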