| Field | Value |
|---|---|
| Status | |
| Owner | |
| Stakeholders | RUFFINONI, Francois NARCISO, ines DALAL, Shivang |
| LeanIX Link | Icertis Contract Intelligence |
Introduction
Scope & Objectives
The purpose of this document is to describe the architecture of the Icertis Contract Intelligence application and the systems it will be integrating with.
Out of Scope:
- Since Icertis is a SaaS application, network and infrastructure architecture is considered out of scope.
- Product documentation that is available online will not be reproduced here but referenced using hyperlinks.
Key Decisions and Requirements
| Description | Rationale |
|---|---|
| Single Sign-On (SSO) | As part of SyWay project, a common authentication mechanism (e.g., SAML) is adopted for ease of access and unified user experience. |
| Users must access Icertis using HTTPS. | As part of SyWay standards, all data in transit must be encrypted. |
| Data stored in Icertis must be encrypted. | As part of SyWay standards, all data at rest to be encrypted. |
| Icertis must have appropriate data protection. | Icertis performs data backups regularly so that point-in-time recovery can be performed to recover data. Additionally, backups must be replicated to another site to protect against a site disaster. |
| Landscape | Icertis will consist of a three tier landscape of Dev, QA, and Prod. |
Application Architecture
Overview
draw.io Diagram (diagram image not reproduced in this export)
Application Architecture Components
Icertis Contract Intelligence
Icertis is a contract lifecycle management (CLM) platform that helps organizations manage contracts digitally from creation to execution and compliance. It is widely used by enterprises to improve visibility, reduce risk, and ensure compliance across all types of contracts. The "Ariba connector for Icertis" refers to the Icertis Contract Intelligence (ICI) for SAP Ariba integration, which extends SAP Ariba's procurement capabilities with Icertis's advanced CLM features. This integration synchronizes data between the two platforms, allowing users to manage contracts from sourcing through to payment, leveraging AI and automation for tasks like contract authoring, risk assessment, and compliance tracking.
Ariba Connector for Icertis
The SAP Ariba Connector for Icertis is a packaged, API‑based integration that unifies SAP Ariba sourcing & contracting workflows with Icertis Contract Intelligence (ICI). It enables pre‑signature authoring and negotiation in Icertis, and post‑signature contract usage, compliance and visibility in SAP Ariba—so contract data and documents flow reliably across the source‑to‑pay lifecycle.
Network Architecture
System Landscape
Icertis will consist of a three tier landscape. The application will be introduced with Release 2 of SyWay and later integrated with S/4HANA as part of Release 4. Its use in Release 3 is subject to a KDD to confirm whether it is required.
Application Security
User Access
Icertis is a SaaS application and can be accessed by users over the internet via HTTPS using their web browser. No Syensqo infrastructure or application is required to access Icertis.
Users must have their IDs created and the correct role assigned before they can log in to Icertis. Icertis will be integrated into the SAP identity governance and provisioning procedure defined for Syensqo; complete information can be found in the Application Architecture Identity Tooling document.
Following are the URLs for Icertis instances:
- Development: https://syensqo-dev.icertis.com/
- Test: To be provisioned: https://syensqo-uat.icertis.com/
- Production: https://syensqo.icertis.com/
Authentication
Icertis is configured to perform SAML SSO with Syensqo Entra ID. SSO is enforced via configuration; users cannot bypass SSO to log in with a password.
Authorization
Standard single-tenant deployment with access restrictions using the ICI authorization model
Icertis Contract Intelligence (ICI) will be deployed in the Single Tenant (ST) deployment model in a region aligned to the rest of the landscape. Authorizations are based on security groups and role-action mappings, which govern feature and data access; security groups are the primary container (see iciwikiapac.icertis.com).
Every Syensqo user will be assigned a position in the organization hierarchy, giving access at that node of the hierarchy or at nodes below it. Syensqo can configure region-specific Org Units.
Authorizations in Icertis will be driven by the org structure and the security groups configured by Syensqo.
All data and all contract documents will be stored in the same deployment region, but users will access them according to their assigned permissions. For example, China users will have access only to contracts under the "China Org", whereas US Legal can have access to contracts for both US and China.
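As an added illustration (not Icertis code or configuration), the following Python model shows the org-hierarchy visibility rule described above: a position at a node grants access to contracts at that node and at nodes below it. The org tree, users and contract IDs are constructed sample data, and US Legal holding positions at both the US and China nodes is an assumption made to reproduce the example in the text.

```python
# Added example, not Icertis code: models the ICI org-hierarchy visibility rule
# on constructed sample data. The org tree, users and contracts are invented.
from dataclasses import dataclass

# Constructed org hierarchy: child node -> parent node (root has no parent).
ORG_PARENT = {
    "Syensqo": None,
    "Americas": "Syensqo",
    "US": "Americas",
    "APAC": "Syensqo",
    "China": "APAC",
}


def node_and_ancestors(node):
    """Yield the node itself, then every node above it up to the root."""
    if node not in ORG_PARENT:
        raise ValueError(f"unknown org unit: {node!r}")
    while node is not None:
        yield node
        node = ORG_PARENT[node]


@dataclass(frozen=True)
class Contract:
    contract_id: str
    org_unit: str  # org node the contract belongs to


@dataclass
class User:
    name: str
    positions: frozenset  # org nodes where the user holds a position


def can_view(user, contract):
    """True when one of the user's positions is at the contract's org unit or at
    a node above it, i.e. the contract sits at or below that position."""
    return any(pos in user.positions for pos in node_and_ancestors(contract.org_unit))


def visible_contracts(user, contracts):
    """Contract IDs the user may see, sorted for stable comparison."""
    return sorted(c.contract_id for c in contracts if can_view(user, c))


# Constructed sample data mirroring the China / US Legal example above.
CONTRACTS = [Contract("C-US-1", "US"), Contract("C-CN-1", "China"),
             Contract("C-APAC-1", "APAC")]
CHINA_USER = User("china.user", frozenset({"China"}))
# Assumption: US Legal holds positions at both the US and China nodes.
US_LEGAL = User("us.legal", frozenset({"US", "China"}))
```

A contract tagged with an org unit that is not in the hierarchy is rejected rather than silently treated as visible, which is the failure mode to guard against when org units are renamed.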
Communication Security
- For data in transit, communication is secured using TLS (TLS 1.2 or higher), and weak ciphers are disabled.
Data Security
- Uses TLS/HTTPS for communication and AES encryption for stored data. Supports double encryption and customer-managed keys (CMK) via Azure Key Vault.
- Maintains ISO 27001, SOC 1/2, PCI DSS, HIPAA, and GDPR certifications through cloud provider (Azure) and internal policies.
- For data at rest encryption, features provided by the underlying Azure services are used, e.g., TDE for SQL DB, SSE for Blob storage, and so on. Industry-standard algorithms such as AES 256-bit are used for encryption. Icertis leverages Azure's certifications (ISO 270xx, SOC 2, NIST, FedRAMP, EU Data Boundary) for regulated workloads.
- By default, data at rest encryption is enabled with the Microsoft managed keys. Where a customer has requested Icertis managed keys for data at rest encryption, Icertis uses Azure Key Vault (AKV) for storing and managing the encryption keys.
Other Controls
- Icertis will provide 99.5% System Availability SLA.
- The ICI Platform is hosted on the Microsoft Azure cloud. For Azure data center compliance, please refer to https://azure.microsoft.com/en-in/overview/trusted-cloud/
- Icertis is an ISO 27001, ISO 27017, and ISO 27018 certified organization. Icertis also complies with ITAR and has SOC 2 (Type 1, Type 2) certifications.
- Icertis is covered by the standard availability SLA for SAP Cloud Services: 99.7%.
- Icertis Contract Intelligence platform (ICI), is hosted primarily on the Microsoft Azure cloud, where Icertis owns the cloud subscription.
- The Icertis Trust Center is a resource provided by Icertis to help customers understand the company's commitment to security, privacy, compliance, and transparency in its cloud services and products. The Icertis security and compliance team ensures that Icertis operations handle customer data hosted on the Microsoft Azure cloud following best practices.
- Icertis implements the following industry-standard information security frameworks to assure data confidentiality, integrity, availability, and privacy:
Note: FedRAMP compliance is only required for US Gov tenants, if a separate KDD confirms that Icertis will be used for Release 3.
Operation Architecture
Change and Configuration Management
Please refer to document DD-TEC-170 Transport Management for Release 4. The following information is taken from the referenced document: Icertis is a brownfield system and will be supported by the SyWay project team. A shared landscape strategy will be adopted for Icertis, where both the support and project teams will use the same landscape.
Landscape
Icertis will consist of a three tier landscape.
US ICertis Tenant details are not included.
Transport Path
Configurations and changes will be performed in development and transported to QAS & Production instances.
Transport Approach
Promote Configurations (P2P) Tool will be used to transport changes from non-production systems to Production.
Monitoring
- Icertis system availability can be monitored via Icertis Trust Center.
- All Icertis internal critical servers and systems are configured to log general activities. This includes auditing of events on critical Windows systems such as successful logons, unsuccessful logons, file access rights successes or failures, privilege modifications, etc. The logs are maintained in the centralized Syslog server for 90 days.
- Event logs generated by ICI platform are stored for up to 30 days. Security event logs captured from Azure infrastructure are maintained in Microsoft Sentinel SIEM for up to 90 days.
- Icertis has implemented ‘Microsoft Defender for Cloud’ for security management and threat protection of user entity instances on the Microsoft Azure platform.
- A Microsoft system monitoring tool is utilized to identify availability issues or concerns with metrics such as server load alert, SQL Database Transaction Unit (DTU) utilization, failed Azure activity logs, free disk space, high disk utilization, etc. through alerts. Alerts are configured by the Icertis Cloud Operations team for each user entity instance on the Microsoft Azure platform. The Cloud Operations team receives email alerts for any breach in utilization threshold. The Cloud Operations team analyzes the alerts and if necessary, raises an incident ticket within the Freshdesk/ ServiceNow ticketing tool and takes corrective actions.
- All application-level logs are stored in the Azure SQL database, and they are encrypted at rest using TDE.
Sizing
High Availability & Disaster Recovery
Icertis is deployed across multiple Azure availability zones with the following SLA:
- RPO: 24h
- RTO: 8h
Backup/Restore
- For customer data, an incremental backup is performed every 24 hours. A full backup is performed once a week during a pre-defined maintenance window. Backups are stored on geo-replicated Azure storage.
- Restoration of normal network operations is the final goal of any security violation response. Ad hoc backups are available by contacting the Icertis IT team.
Maintenance Plan
- Icertis Releases
  - Icertis releases two major versions of Icertis Contract Intelligence every year. The major releases are typically scheduled for June and December. In between these major releases, maintenance packs are typically delivered every 4 to 6 weeks.
- Upgrade Calendar
  - The current upgrade calendar for major releases and maintenance packs can be accessed from the Icertis support portal. The calendar is typically updated every 6 months and provides visibility for the next 12 months. Single tenant subscribers may deviate from this calendar by scheduling their upgrade directly with Icertis within the supported timeframe.
- Upgrade Cadence
  - Multi-tenant subscribers are automatically upgraded to the latest release, maintenance pack or hotfix as per the upgrade calendar. For multi-tenant subscribers, Icertis offers a contingency opt-out from the upgrade calendar that allows a subscriber to skip an upgrade cycle once every two major releases (approximately once a year). Any compliant opt-out must be requested through a support ticket at least 2 weeks prior to the applicable scheduled upgrade as mentioned in the published calendar. If there is an opt-out for an upgrade cycle, the subscriber will automatically be upgraded in the next cycle and does not get the option of a consecutive opt-out.
Product Support
The support levels offered by Icertis are shown below. Syensqo has subscribed to the Standard support level.
Exceptions
See also
Attachments: none listed in this export.
Change log
Change History: no entries in this export.