The purpose of this document is to describe the architecture of BlackLine application and the systems it will be integrating with. 

Out of Scope:

• Since BlackLine is a SaaS application, network and infrastructure architecture will be considered as out of Scope.
• Information related to product documentation and can be found online will not be documented here. 

Key Decisions and Requirement

Application Architecture

Overview

SAP Account Substantiation and Automation by Blackline solution is be used to automate account reconciliations, centralizing period-end tasks, and enforcing internal controls.

Financial Close BlackLine SaaS instance is provisioned for Syensqo. This solution leverages Blackline Core and Blackline Connector S/4HANA add-ons to integrate S/4HANA and Blackline application. Blackline is also configured to perform SAML SSO with Syensqo's Entra ID.

Hosting Details

System Landscape

The BlackLine landscape consists of 2-tiers: Non-Production and Production. The non-PRD system is integrated with all non-PRD S/4HANA instances.

Following are the URLs for BlackLine instances:

• Non-Production: https://sapsyensqo.sbeu3.blackline.com
• Production: https://sapsyensqo.eu3.blackline.com

Application Security

User Access

BlackLine is a SaaS application and can be accessed by users over the internet via HTTPS using their web browser. No Syensqo infrastructure or application is required to access BlackLine.

User must have their IDs created and assigned with the correct role before they can login to BlackLine.

Authentication

BlackLine is configured to perform SAML SSO with Syensqo Entra ID. The use of SSO is mandatorily enforced via configuration, and users cannot bypass SSO to log in with a password. 

Communication Security

Data in transit is encrypted using secure TLS protocols (v.1.2 or greater) with 2048-bit keys. 

Data Security

The following controls are implemented to ensure data security:

• Client files and databases at rest are protected using 256-bit AES encryption. 
• To ensure system and client data availability, production data is replicated to the DR site every hour.
• Backups are encrypted and have ransomware protection enabled with audit logging.

Other Controls

Blackline is covered by standard availability SLA for SAP Cloud Services - 99.7%

Operation Architecture

Change and Configuration Management

Blackline does not have a transport tool. Users will need to replicate configurations manual from non-PRD to PRD.

Monitoring

Blackline performs the following monitoring:

• Information Security monitoring: Network intrusion detection and unauthorized access.
• Cloud and Data Center Operations: Monitoring of critical hardware, software and performance. 
• Backup: Monitoring of backup processes.

Blackline system availability can be monitored via Trust Blackline.

Sizing & Capacity Management

Blackline tenants allocates 2GB of storage per users and monitors the usage for the whole instance. 

High Availability & Disaster Recovery

Blackline has implemented high availability throughout its environment to prevent single points of failure. 

It has the following DR targets:

• RPO - 2h
• RTO - 24h

BlackLine conducts disaster recovery tests on an annual basis.

Backup/Restore

BlackLine does backups of Production and non-Production instances daily from 9pm to 1am Pacific Standard Time. Backups are retained for 30 days and this can be increase to a maximum of 90 days by opening a support ticket. 

Users can request for their Blackline instance to be restored using the daily backups for the last 30 days 

Maintenance Plan

Blackline maintenance schedule can be found in Trust Blackline. Syensqo BlackLine tenants are deployed to the following regions:

• Non-PRD: sbeu3
• PRD: eu3

See also

• LeanIX Factsheet - BlackLine Account Substantiation and Automation

Change log