Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
SAP Concur commits to maintaining the confidentiality, integrity, and availability of customer data and the development of solutions through the adoption of the SAP global security policy and internationally recognised standards.
This blog covers all SAP Concur solutions including Concur Travel, Concur Expense, and Concur Invoice.
Certifications & Compliance
SAP Concur Compliance
The below certificates, reports, and attestations (for SAP Concur) can be found in the SAP Trust Center:
ISO 27001
International framework for information security.
SAP Concur has had a certified ISMS since 2004.
ISO 9001
International Standard for Quality Management.
SAP Concur is included in the SAP QMS for development of solutions since 2019.
ISO 22301
Business continuity management framework.
SAP Concur has had a certified BCMS since 2021.
PCI DSS
Payment Card Industry data security standard.
SAP Concur is audited annually by a PCI Qualified Security Assessor (QSA).
SOC 1 Type II
SAP Concur transitioned to the SSAE18 and ISAE3402 standards in 2010.
Reports are made available every 6 months.
SOC 2 Type II
SAP Concur added a SOC2 security audit report, beginning in 2017.
SAP Concur has over a hundred micro-services running in AWS which comprise of application, customer data, and backup services. Services are distributed across multiple availability zones with no single point of failure.
Data Center Regions
Customer's choose a geo-graphical zone for the hosting of their data and can choose between the US or EMEA. See below for the AWS regions SAP Concur leverages within each geo-graphical zone:
Services
North America Zone
EMEA Zone
Application, Data, Backup
AWS Oregon
AWS Germany
Remote Backup
AWS Ohio
AWS Ireland
Data Center Listing for SAP Cloud Services
Note - The remote backup region is not listed in this document.
Video: SAP Concur Shared Responsibility Model Overview
RISE with SAP Blog
Read the following blog written by Jana Subramanian to learn more about how the shared responsibility model has been standardised and adopted across all of SAP Cloud Services:
SAP cloud services offer enhanced DPP (data protection & privacy) protection to customers through robust security measures, data encryption, strict access controls, and compliance with global privacy regulations. Such measures ensure customer data remains both secure and confidential.
BS 10012
British Standard framework for managing personal information and ensuring data protection.
SAP Concur in conjunction with SAP SE was one of the first global organisations to attain the BS 10012.
Data Processing Agreement (DPA)
Attached to customer agreements via the order form.
Standard contractual clauses (SCCs)
Provide a reliable & legally recognised mechanism for transferring personal data outside the EEA.
Ensures an adequate level of data protection and assists in: Compliance with data protection regulations, protecting data subject rights, and establishes responsibilities + obligations for data processing.
Technical and organisational measures (TOMs)
Help protect personal data, ensure legal compliance, manage risks, and promote transparency and accountability for data processing activity.
Sub processors
SAP-affiliated and third-party entities perform a crucial role in the delivery of the cloud service.
Sub processors may provide infrastructure, operational or agreed & defined data processing services on behalf of SAP Concur.
Transfer impact assessments (TIAs)
Sub processor listings and transfer factsheets are maintained and published for customers via the SAP My Trust Center.
Customers can subscribe for updates and get an email when a new version is available.