
Anaplan Technical Reference Guide September 2024


Uploaded by

Karim Hjiaj


January 2024

Technical Reference Guide


For the current year’s guide:
Anaplan internal, find it on: HighSpot
Anaplan clients & interested parties: Please contact your Anaplan representative

Table of Contents
Anaplan’s Service
  Anaplan Service Description
  Global locations
Information Security Management System
  Information Security Management System
  Standards Overview
  Framework and Certifications
  GDPR
  Privacy Policy
  SOC Reports
Risk Management
  Risk Management
  Information Security Roles
  Incident Investigations and Response
  Corporate Insurance Coverage
  Affiliates and Sub-Contractors
Anaplan’s People
  Employment Policy
  Terms of Employment
  Employee Screening
  Employee Security Responsibilities, Code of Ethics and Conduct, Non-Disclosure
  Employee Training
Anaplan’s Platform
  Anaplan Architecture Overview
  Platform Tenancy, Structure, and Privacy
  High Availability
  Scalability
  Availability SLA
Backup and Recovery
  Business Continuity and Disaster Recovery (BCDR)
  Backup and Disaster Recovery Details
    Three Levels of Backup Redundancy:
    Recovery Events:
Data Centers
  Data Centers
  Physical Security Controls
Anaplan’s Security Controls
  Security Controls Overview
  In-Memory Platform
  Removable Media
  Supported Browsers and System Requirements
  Anaplan Mobile Applications
  Disposal of Media
Network and Communications
  Network Security Overview
  Malware Controls
  Ports and Protocols
  Data Encryption and Key Management
  Bring Your Own Key (BYOK)
Platform Maintenance and Updates
  Change Management Policies
  Development, Testing, and Quality Overview
  Anaplan's Update Process and Scheduling
    Update Process and Controls
    Product Enhancement Updates
    Vendor Recommended Updates (HW/SW/Security Patches)
    Update Scheduling
  Vulnerability Scanning, Penetration Testing, and Auditing
    Internal Pre-Production Vulnerability Scanning
    Internal Production Vulnerability Scanning
    External Penetration Testing
    External Auditing
Performance - Logging and Monitoring
  Logging Overview
    Model History logs:
    Anaplan Tenant Audit:
    Infrastructure logs:
  Performance
Access Controls (Anaplan)
  Segregation of Duties
  Access Rights Review and Removal
  Anaplan Employee Administrative and Privileged Account Access
Access Controls (Client’s Users)
  Single Sign-On with SAML2.0
  Anaplan Native Authentication (UID/PWD)
  Role Based Security Authorization
  SCIM API
Data
  Client is the Data Controller
  Anaplan is the Data Processor
  Customer Controlled Assets
  Lifecycle Environments (Development - Test - Stage - Production)
  Data Separation
  Data Integrations
  Anaplan's REST API v2.0
Support
  Anaplan Support
  Standard and Enhanced Support
  Support Tickets and Escalation

Anaplan’s Service

Anaplan Service Description


Anaplan provides a business modelling and planning platform in the cloud. The Connected Planning
Platform is built on adaptive technology that allows its customers to quickly modify or build their own
planning applications.
Anaplan's applications allow development of multidimensional plans at the level of detail the user
requests, from corporate strategy to the smallest unit size. The Anaplan real-time modelling and
calculation engine can load large volumes of transactional data. Data is instantly accessible for advanced
calculations at granular level.
Anaplan's platform creates a hub for collaborative planning and execution from corporate level plans to
the store or account level. Anaplan drives user adoption and engagement by combining self-service
power with usability. Any authorized user, anywhere, anytime can work with Models and plans from any
device. Anaplan's unified platform enables cross-functional planning and brings distributed, on-the-ground
experience to corporate plans, delivering top-down and bottom-up alignment.
Anaplan delivers the application through a software-as-a-service ("SaaS") model. End users connect to
the application using an HTML 5 compliant browser over an encrypted HTTPS session. No software client
on a customer's laptop or server is required. Service design and implementation restricts customer
access by employing role-based access controls. Anaplan is responsible for providing the platform, data
security, software development, and underlying operations.

Global locations
The addresses of Anaplan Inc. locations can be found here: https://www.anaplan.com/contact/

Information Security Management System


Information Security Management System
Anaplan built its information security and privacy management system on ISO 27000 series
standards. Anaplan is certified in these domains:
• ISO27001:2013 (Information Security Management)
• ISO27017:2015 (Information Security Controls for Cloud Services)
• ISO27018:2019 (PII Protection in the Cloud)
• ISO27701:2019 (Privacy Information Management).

Anaplan’s Information Security and Privacy Policies apply to Anaplan, its personnel (including but not
limited to: employees, contractors, consultants, interns), systems, and suppliers. The ISMS policy suite is
reviewed and updated at least yearly and as required by changing business needs.
Policy changes must be approved by Anaplan management. Changes are communicated throughout
Anaplan as policy documents, operational plans, and as part of regular employee operational and security
certification.

Standards Overview
Anaplan's ISMS/security program is certified to ISO27001:2013 standards.
• Cybersecurity engineering designs are NIST (National Institute of Standards and Technology)
NCP (National Checklist Program) based.
• Code security standards follow OWASP and SANS.
• Encryption methods are TLS and AES.
• Anaplan uses an Agile-based SDLC methodology.
• Auditing follows AICPA SOC1 and SOC2 standards.
• Infrastructure is hardened based on CIS standards.

Framework and Certifications


Anaplan has achieved and maintains a large number of registrations and certifications and undergoes
regular third-party security assessments and audits. These include:

• ISO27001:2013 (certified) - https://www.iso.org/standard/54534.html
• ISO27017:2015 (certified) - https://www.iso.org/standard/43757.html
• ISO27018:2019 (certified) - https://www.iso.org/standard/61498.html
• ISO27701:2019 (certified) - https://www.iso.org/standard/71670.html
• APEC CBPR certified: https://privacy.truste.com/privacy-seal/validation?rid=f724f192-4353-40cc-9463-06c6b97ff212
• EU-US DPF certified: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt00000004TlXAAU&status=Active
• Cloud Security Alliance (CSA) STAR registrant: https://cloudsecurityalliance.org/star-registrant/anaplan/
• TRUSTe Privacy certified: https://privacy.truste.com/privacy-seal/validation?rid=376c7527-21af-41b8-8cd4-395b683fc8f8
• SOC1 Type II Audits - Twice Yearly
• SOC2 Type II Audits - Twice Yearly
• ISO27001 certified and SOC audited data centers
• Pen Test - Yearly by third-party CREST certified tester
• Pen Test - internal at least quarterly
• DR process tested at least annually

GDPR
For data that is owned and controlled by Anaplan tenants, Anaplan maintains compliance with
GDPR and other Privacy regulations by employing controls that ensure the security, integrity, resilience,
and privacy of the data that it processes. Anaplan's privacy program is tested in SOC2 Type II and ISO
certification audits. Where Client's use of the Anaplan Service includes the processing of personal data
(as described in the Regulation (EU) 2016/679 (General Data Protection Regulation)) within the European
Economic Area (EEA), Anaplan and Client shall enter into a data processing addendum. For more
information about our DPA, please check the document at the following address: www.anaplan.com/dpa

Privacy Policy
Anaplan's Information security and privacy policy is a set of policies (including ISMS) that support
Anaplan's operational adherence to both business and regulatory requirements. Anaplan's Information
Security Management System (ISMS) policies are ISO27001:2013 (information security management),
ISO27017:2015 (information security controls for cloud services) and ISO27018:2019 (PII protection in
the cloud) certified. Anaplan’s Information Security and Privacy Policy applies to Anaplan, its personnel
(including but not limited to: employees, contractors, consultants, interns), systems, and suppliers.
Anaplan's CISO is the ISMS Policy owner and has responsibility for the development, review, and
management of the policies. Policy changes must be approved by Anaplan management. Changes are
communicated throughout Anaplan as policy documents, operational plans, and as part of regular
employee operational and security certification. The ISMS policy suite is reviewed and updated at least
yearly to ensure continued improvements in suitability, adequacy and effectiveness.
Privacy Policy: https://www.anaplan.com/privacy-statement/

SOC Reports
Anaplan's controls are tested by SOC1 Type II and SOC2 Type II audits twice annually.
A copy of the latest SOC2 report can be provided to prospective customers under a fully signed NDA. The
report is provided through the Anaplan Global Technical Pre-Sales and is emailed directly to the
prospect's reviewer.

Risk Management

Risk Management
Anaplan follows a documented Risk Assessment framework. The risk framework is designed to identify
risks in the business plan, to identify and evaluate options for the treatment of risks and to select controls
that will reduce the risks to acceptable levels. The risk analysis discovery is performed from the top-down
(enterprise) and bottom-up (department). Changes are communicated throughout Anaplan as policy
documents, operational plans, and as part of regular employee operational and security certification.
The Chief Information Security Officer is responsible for ensuring that Anaplan’s risk framework meets
management’s requirements. Anaplan maintains a legal, regulatory and contractual compliance
framework which enables it to identify which controls are implemented and applicable in relation to which
requirements or regulations.

Information Security Roles


Anaplan has clearly defined authorization levels which cannot be delegated. Responsibility for the
oversight of Anaplan's information security controls belongs to the Chief Information Security Officer
(CISO). The CISO has ultimate authority over the information security and privacy policy, and ISMS and
approves and authorizes all changes to the information security policy, the Statement of Applicability, and
any separate policy statements.
Anaplan's Security organization, under the CISO, is responsible for aspects of the daily operations of
information security as defined in their roles. As far as is practicable and possible, Anaplan
segregates duties and areas of responsibility. Segregation of duties is built into procedures, including the
requirement that the owner of a procedure or process cannot authorize its modification, withdrawal,
or release.
Access to the production infrastructure hosting the service is granted based on job-role, with
management approval, and with quarterly access reviews. These aspects are described and tested in
on-going SOC audits.

Incident Investigations and Response


Suspected security events are investigated by the Anaplan Cyber Defense Team. When conditions
necessitate, the investigating team has the purview to escalate events to the incident category. An incident
has specific legal/regulatory and contractual obligations. Incident management is performed by a cross-
functional Incident Response Team (IRT) under the direction of the assigned Incident Manager. Anaplan
ISMS policy requires creation of a secure single incident repository for the collection of evidentiary
information. Where possible, evidentiary artifacts are to be unmodified or least modified as the situation
dictates. Communications of an event to affected customers are performed by the Incident Manager
and/or the Anaplan legal team as the situation dictates. Incident communications are provided to affected
customers without undue delay after incident confirmation.

Corporate Insurance Coverage


Anaplan maintains industry standard insurance coverage, including Commercial General Liability,
Automobile Liability, Umbrella Liability, Workers Comp and Employers' Liability, Professional Liability and
Cyber Liability coverage. A current certificate of insurance is available on request to customers and to
prospective customers under NDA.

Affiliates and Sub-Contractors
The Anaplan platform is hosted on Anaplan operated systems. Primary data center space and physical
security are provided by data center vendors. Anaplan maintains a Disaster Recovery (DR) site for each
primary. Hosting options include AWS, GCP, and Equinix centers. No Anaplan employee or contractor
has access to Client Data unless the access has been specifically granted by the customer's
administrator(s).

Anaplan uses contractors/sub-processors in a very limited capacity. Anaplan monitors adherence to the
established relationship agreements between itself and its suppliers to ensure that the agreed
performance service levels and mutual obligations are met. Anaplan conducts regular reviews and audits
of its suppliers, including review of independent auditor reports, regular progress meetings and identified
issue follow-up. Reviews are conducted at least yearly or as agreed in the contract terms. Anaplan's
vendor management program, including annual vendor reviews as well as contractual obligations for
vendors, is ISO certified and described and tested in the SOC audit reports.

The following link provides information on Anaplan sub-contractors / Sub-processors / Affiliates:
https://support.anaplan.com/list-of-subprocessors-ebe27a88-4b65-4c92-ba23-a8d44cccf556

Anaplan’s People

Employment Policy
Management requires employees and contractors to apply security in accordance with the policies and
procedures of Anaplan’s ISMS. All employees and contractors are required to complete information
security and privacy training and Code of Conduct and Ethics training as part of onboarding and annually
thereafter. Completion of training requirements is described and tested in the SOC2 audit report.
Anaplan Code of Conduct and Ethics documentation can be found
here: https://www.anaplan.com/company/trust-and-integrity/

Terms of Employment
All employees or contractors must sign non-disclosure agreements prior to access grant. Organizational
policies state the obligations of employee/roles regarding data classification and asset
ownership/stewardship of both internally and externally owned assets. Policies and responsibilities are
communicated to candidates prior to and during employment. Anaplan employees and contractors are
required to adhere to Codes of Conduct and Ethics, system use and access policies, ISMS and data
protection policies. Disciplinary action for the disregard of policy may be taken, including dismissal.

Employee Screening
All candidates for employment and contractors undergo background verification checks. Checks are
conducted in accordance with relevant laws, regulations, and ethics. Verification checks are proportional
to the business requirements, the classification of the information to be accessed, and the perceived
risks.
As allowed by local law, background checks typically include verification of government issue photo ID,
criminal background check, validation of employee eligibility, work history, academic and professional
qualification and references.

Employee Security Responsibilities, Code of Ethics and Conduct, Non-Disclosure
All employees or contractors must read and attest to understanding the company code of conduct and
ethics, and must sign Anaplan non-disclosure agreements within 30 days of hire date. Organizational
policies state the obligations of employee/roles with regard to data classification and asset
ownership/stewardship of both internally and externally owned assets. Policies and responsibilities are
communicated to candidates prior to and during employment. Anaplan employees and contractors are
required to adhere to codes of conduct and ethics, system use and access policies, ISMS and data
protection policies. Policies include disciplinary action for non-compliance.
Anaplan's Trust & Integrity page includes links to current versions of:
• Code of Conduct and Ethics
• Slavery and Human Trafficking Statements
• Vendor Code of Conduct
The Trust & Integrity page can be found here: https://www.anaplan.com/company/trust-and-integrity/

Employee Training
All Anaplan employees undergo new hire security, confidentiality and privacy training within 30 days of
start date and receive annual refreshers. Employee training is assessment-tested, computer-based
training. Anaplan leverages a learning management service to deliver and track adherence to the
required employee training. Automated reports are generated and available to employee managers.
Anaplan employees are required to adhere to Anaplan's Information Security Management Systems
(ISMS) and corporate policies regarding the privacy and security of both corporate assets and customer
assets. All Anaplan employees are required to sign non-disclosure agreements and are bound to abide by
the agreements between Anaplan and its customers. Development staff are required to participate in
OWASP secure coding training.

Anaplan’s Platform

Anaplan Architecture Overview


Anaplan focuses on addressing the modeling needs and complexities that have not been resolved by
traditional software tools. Anaplan has created a platform for enterprise connected planning. Anaplan
follows a Software as a Service (SaaS Cloud) availability model whereby the hardware, software,
installation, maintenance, and upkeep of the platform is performed by Anaplan. The customer designs,
builds and manages its own purpose-built applications within a private workspace in Anaplan. The
software interface is delivered to the browser as a single interface with role-enabled capabilities for
modeling, use, and administration of customer’s connected planning applications. The design, build, and
administration of applications in Anaplan is performed by the customer in a natural language syntax and
does not require special programming skills.
Each Anaplan cloud instance is an in-memory data-store that is coupled to a highly efficient calculation
engine, Anaplan's patented Hyper-Block technology. Anaplan requires only an HTML5 compliant browser
for access. Data in transit is encrypted with HTTPS (TLS 1.2-1.3); data at rest is encrypted with AES-256.
Customer has exclusive control of user provisioning and data access for their Anaplan workspaces.

Architecture and Security Controls Overview:
https://www.anaplan.com/papers/anaplan-architecture-and-security-controls/thanks/

Platform Tenancy, Structure, and Privacy


The Anaplan platform (hardware/software) is managed by Anaplan. Application design and Data are
managed by the tenant. The underlying infrastructure hardware is shared (multi-tenant).
Tenant Workspaces are private secure areas. Workspaces are fully provisioned at startup. Workspace assets
are allocated and assigned based on the tenant's subscription agreement.

High Availability
An Anaplan tenant may consist of an unlimited number of connected workspaces. The tenant's collection
of workspaces is not confined to any single piece of hardware. Tenant workspaces are individually and
dynamically assigned at startup and so may collectively occupy resources across many physical
machines. The Architecture within each primary data center is configured for high availability. No single
component failure should result in a DR event. Each primary data center also backs up to a
geographically remote DR site that will be used if a primary data center is unavailable.
Scalability
Anaplan provides clients with the ability to scale both vertically in a single workspace hyper-model, and
horizontally across an unlimited number of connected workspaces with unlimited model
dimensions. Anaplan has at its backbone a highly optimized multi-dimension calculation engine coupled
with an all In-Memory data store and HyperBlock connectors that allow the calculation of only change-
related data. The application is specifically designed to handle billions of individual cells and thousands of
users.
Customer Workspaces are fully provisioned at start-up based on the subscription agreement. To scale a
workspace customers need only purchase additional licenses.

Availability SLA
Anaplan's Availability SLA is 99.5%.
This SLA is contractually defined in the SaaS Subscription Agreement (SSA).

Backup and Recovery


Business Continuity and Disaster Recovery (BCDR)
The primary infrastructure is highly redundant so that no single failure should result in a DR event. If a
disaster is declared, the primary data center is paired with a regional DR center that will resume
operation. Anaplan includes full backup and DR as part of the standard service. Backups are iteratively
streamed to the DR center via in-built encrypted node-to-node replication. BCDR tests are conducted
annually.
See the Anaplan BCDR overview at:
https://www.anaplan.com/resources/papers/disaster-recovery/thanks/
Backup and Disaster Recovery Details
Both backup and disaster recovery (DR) are included with Anaplan’s service. The service includes a
primary processing data center and a separate in-region DR center. Both processing centers have
architectures that are highly redundant and fault-tolerant. A single failure in the primary architecture
should never result in a disaster recovery level event. Anaplan provides three levels of client data
backups to provide for self-service data (history) recovery as well as primary and DR data backup.

Three Levels of Backup Redundancy:


• Model History - Each model contains a detailed history log. The history log records every change to
the client’s model, data, and security; and contains the date, time, user, pre/post-change values. The
history log can be used both as an audit of changes and as the first level of (Rollback) backup. The
client’s administrators can use the history log to revert a model to any previous time state. The
history log is automatically enabled and retained for the life of the model.
• Primary Data Backup – As an integral part of normal operations, the in-memory model is persisted
to redundant AES-256 encrypted storage in the primary center.
• Disaster Recovery Backup – The persisted files created in the primary center are replicated to the
DR cluster in the primary data center, then streamed to the DR cluster in the DR data
center. Backups are encrypted AES-256. Backups, DR plans and documentation, restore testing,
and DR testing are described and tested in the Availability section of the SOC 2.
Recovery Events:
• Model - In the majority of cases, data rollback may be needed to restore data to a previous state to
undo a mistake. Anaplan makes this easy with model history rollback: no intervention is required by
Anaplan and the process is completely self-service.
• Primary - If a primary component system failure has occurred, the client’s application is
automatically reinitialized from the most recent primary data center backup (Snapshot). If
automatic reinitialization fails, alerts are triggered to the Anaplan operations team to intervene.
• Disaster Recovery - If a primary data center disaster is declared, the most recent
DR center backups are used to reinitialize the client’s applications at the DR center, and data
processing is switched from the primary center to the DR center. The DR centers have processing
capability that is equivalent to the primary center. Disaster Recovery exercises are conducted for
each Primary/DR pair at least yearly.
For more information see the Anaplan BCDR overview:
https://www.anaplan.com/resources/papers/disaster-recovery/thanks/

Data Centers

Data Centers
Data centers are in the US, EU, Japan, Canada, and Australia. Each primary data center is paired with an
in-region Disaster Recovery center. Anaplan follows data movement rules and does not transfer Client-
Owned Data (Client Data) outside the selected region without customer consent. Note that some configurations
require userIDs (user name, email address) to reside in Anaplan’s global ‘frontdoor’ for authentication in
the USA.

Data Center Locations


EU Primaries: Equinix Netherlands & Germany
EU DR: AWS Ireland
US Primaries: Equinix California & Virginia, GCP/AWS USA
US DR: AWS Ohio & Oregon, GCP USA
Japan Primary: GCP Tokyo
Japan DR: GCP Osaka
Canada Primary: GCP Toronto
Canada Backup: GCP Montreal
Australia Primary: AWS Sydney
Australia DR: AWS Sydney (Multi-availability zone)
The addresses of Anaplan global office locations can be found here:
https://www.anaplan.com/about/locations/.

Physical Security Controls


Anaplan approaches the physical protection of assets through a defense-in-depth strategy. Controls are
selected to reduce risks to protected assets. Controls protect the asset from physical and environmental
concerns such as theft, loss, unauthorized use, intentional or accidental damage, disclosure, and external
observation. Anaplan establishes defense perimeters to physically protect assets and adopts policies that
ensure their secure treatment.
Defensive / protective controls pertain to assets whether they are in Anaplan offices, secure data centers,
or authorized for off-premise (mobile) use. Controls commensurate to the risk assessment of the asset
are required for its protection; these include Secure Areas (Data Centers, offices, meeting rooms, storage
areas).
• Secure Area protective controls may include but are not limited to: secure construction techniques,
protective barriers, secure cabling, ingress/egress controls, guards, alarms, monitoring, protective
shielding, visitor authorization/logging/escort, secure delivery portals, Equipment Use/Reuse,
Maintenance and Siting.
• Protection of equipment and devices used in processing facilities or in the conduct of Anaplan’s regular
business requires considerations for placement, use policies, and maintenance. Equipment is protected in
secure areas and/or with security controls appropriate to the risk assessment of the asset and its
content. This includes siting of secure perimeters within the facilities and protective controls for the
individual device/asset (secure areas, encryption, passwords, screensavers, locks, clear desk policies).
Data Center Features
Data center space and physical security are provided by the cloud data center vendor. Data centers are
ISO27001 certified and SOC audited. Anaplan conducts audits of the data center vendor security not less
than annually.
Anaplan's platform resources are private and dedicated to the Anaplan cloud and to Anaplan's clients.
Anaplan is the cloud host / cloud operator; the platform resources are only accessible to Anaplan's
authorized employees.
The certifications of our data center providers are available at the following addresses:
https://www.equinix.com/services/data-centers-colocation/standards-compliance/#/
https://aws.amazon.com/compliance/programs/
https://cloud.google.com/security/compliance

Anaplan’s Security Controls

Security Controls Overview


Anaplan employs a Defence-In-Depth security strategy that is aligned to our operational controls (ISMS
Policy). ISMS policies are certified to the ISO27002:2013 Standards including the ISO27018 privacy
guideline. Our strategy seeks to identify and eliminate threats at each defense perimeter; including (not
limited to) the following examples:

• Physical security at the data center (7X24 security, CCTV, fire protection, power backup)
• Multiple Internet Service Providers (ISPs) at each data center.
• Hardware security (Hardened to CIS standards)
• Network Security (WAF, next-gen firewalls, IDS/IDP, EDR, DDoS mitigation, anti-malware, secure
logging, monitoring, regular penetration testing)
• Secure coding practices (OWASP, Code Scanning, SAST, DAST, internal and external
penetration testing)
• Data separation (Unique GUIDs at the Workspace, Model, and User levels with Java serialization
and dedicated file space)
• Change Management / Secure Code Migration Policies (Changes are reviewed and approved by
management. Only board authorized changes are permitted. The code migration process
includes automated configuration management with auto-rollback features for any unauthorized
changes.)
• Workspace security/User Access Controls. (Including Role-Based-Access-Controls, and support
for SAML2.0 assertions or Native UID/PWD. Customers are the data controllers and responsible
for user provisioning, access controls and regulatory compliance.)
• Data Security (Data is protected by encryption both at rest (AES-256) and in transit (HTTPS-
TLS1.2-1.3))
• Segregation of Duties (Anaplan’s ISMS policies follow the principles of Duty Segregation and
Least Access. The policies align to ISO27001 standards and are tested regularly under SOC2
Type II audits.)

In-Memory Platform
Anaplan is an in-memory platform. It does not rely on any traditional RDBMS for platform operations.

Removable Media
Anaplan's removable media management policies are designed to prevent the unauthorized disclosure,
modification, removal, or destruction of information stored on removable media. For corporate devices,
writing to removable media is blocked by a technical control.

Removable media is not used within the Anaplan production data centers or with regard to Anaplan
production client data. Neither is removable media used within the backup and recovery processes. Client
Data is stored within the primary data center in client dedicated directories on AES-256 encrypted
storage. Backups are streamed from the primary data center, via node-to-node replication, to the DR data
center where the data is stored in an AES-256 encrypted platform.

Supported Browsers and System Requirements


Anaplan is a web-based solution that can be accessed using any device that employs a modern HTML5
compliant browser that supports RFC-6455 WebSocket, and TLS 1.2 (minimum).
Recommended browsers include Mozilla Firefox, Microsoft Edge, Apple Safari, and Google Chrome.
Anaplan's core features support both desktop and mobile users. For specific limitations on mobile use see
the link provided below.
System Requirements: https://help.anaplan.com/system-requirements-44e67e19-4233-4c15-a6dd-f560af8d9d00

Anaplan Mobile Applications


Anaplan’s mobile application is available for download for iOS and Android devices. The mobile
application empowers users to accelerate planning, approval, and decision-making by offering
accessibility, collaboration, and actionability for users on the move. The application may be secured with
Single Sign-On through SAML2.0 or by native login. Pages, Apps, boards, and worksheets from the
Anaplan UX will automatically render to the mobile application.
You can find details on mobile compatibility here:
https://help.anaplan.com/en/9eb18fd5-fba3-4c65-a6a8-0dbf22cc5db6-Mobile-compatibility

Disposal of Media
Anaplan policy dictates that secure media disposal procedures are proportional to the sensitivity of the
data classifications the media contains. The asset owner is required to identify assets that require
sanitizing and ensure that assets are sanitized, disposed of, and logged in accord with policy. When
production infrastructure media is decommissioned, Anaplan follows NIST 800-88; media is
destroyed onsite by the authorized vendor with a certificate of destruction.

Network and Communications

Network Security Overview


Anaplan's corporate networks are completely physically isolated from the production platform
infrastructure. The platform infrastructure includes dedicated redundant ISP drops.

Internal network infrastructure is securely segmented using firewalls, virtual networks (VLANs), and
access control lists (ACLs), which limits access and communication between systems. Firewalls are in
place between internal and external networks throughout the Anaplan server infrastructure. Firewalls are
also in place between primary and DR data centers for data backup transfer via dedicated line. No
system or individual can reach another system unless explicitly authorized to do so. The Anaplan platform
uses only wired connections and does not leverage Wi-Fi or IoT. No removable media is used. Incoming
traffic is monitored to detect malicious traffic and actively mitigate DDoS attacks.

Incoming network traffic first travels through a market-leading cloud Web Application Firewall (WAF). The
WAF blocks connection attempts from known malicious sites and a variety of common attacks. All
inbound and outbound connections (data in transit) must pass through Anaplan's firewall over HTTPS
(TLS 1.2-1.3) on approved ports only.
• Key exchange is done via the browser using 2048-bit certificates.
• Session key length is negotiated by the end-user browser using the strongest available encryption.

All systems are continually monitored with all activity logged to an enterprise SIEM. SIEM logs are
retained for at least 12 months.

Anaplan utilizes anti-malware/anti-virus/anti-rootkit systems to continually monitor for threats.
• Definitions are updated daily.

Anaplan employs Data Loss Prevention and Mobile Device Management (MDM) with application
containerization on employee devices and corporate networks.

Anaplan employs several email security technologies and controls, including Sender Policy Framework (SPF),
Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail
(DKIM), as well as user training to identify and alert Anaplan's security desk of suspected phishing attempts.

Malware Controls
Controls against malware include systems to prevent, detect, and recover from malware; and include
preventative and detective controls and user awareness programs.
• Definitions are updated daily.
Controls include: Comprehensive EDR tools which include (Anti-Malware/Virus/Rootkit function), User
Awareness programs, prohibition and detection of unauthorized software (Application Whitelisting);
malicious website blocking (Blacklisting); multi-product malware protection, inbound mail, file, page
scanning; technical vulnerability scanning and management; software and file inventory scanning; regular
(daily) update of malware definitions; system isolation, and business continuity and recovery plans.

Ports and Protocols


All communications are client-initiated via HTTPS (TLS 1.2-1.3).
All interactions require both authentication and authorization to access the target object.
Data Encryption and Key Management
Anaplan encrypts data both at-rest (AES-256) and in-transit (TLS1.2-1.3). In-transit certificates are issued
by a leading certificate authority and managed/rotated annually by Anaplan. Data at rest (backups) is
stored on AES-256 encrypted devices. At-rest disk keys are hardware generated, managed, and stored.
Keys are automatically rotated on a regular basis and cannot be accessed/read by any person. Additional
BYOK (Bring Your Own Key) services are available whereby a customer may upload and manage their
own set of at-rest encryption keys. Key controls and effective management are tested as part of SOC2
auditing.

Bring Your Own Key (BYOK)


Clients who elect to participate in Anaplan's Bring Your Own Key services may encrypt and decrypt
workspaces using client-controlled encryption keys.
For more information on the BYOK service please see details at the link below.
https://www.anaplan.com/resources/datasheets/bring-your-own-key/

Platform Maintenance and Updates

Change Management Policies


Anaplan maintains formal change management policies designed to ensure satisfactory implementation
of changes to business processes, information processing facilities, and systems. Change management
policies establish the controls that require significant changes to be: identified and recorded, planned and
tested, assessed for impact, security reviewed, management reviewed and approved, communicated to
stakeholders, auditable, and reversible. Anaplan's change management controls are ISO certified and
extensively tested in the SOC audits.
Software Change Management
Procedures specific to controlling the implementation, installation, change, or update of software on
operational systems require that: all changes are made by qualified system administrators with
appropriate authorizations; operational systems contain only released code and neither development code
nor compilers; promoted changes have been scrutinized, tested, and approved prior to release. Change
management is described and tested in the SOC2 audit report.

Development, Testing, and Quality Overview


Anaplan is fully committed to ensuring customer privacy and data security. Anaplan uses an Agile-based
SDLC (Software Development Lifecycle) methodology. Anaplan's development team is trained in and
follows OWASP Top10 coding practices. Anaplan's engineering/development is managed by Anaplan
employees with dedicated developer resources on Anaplan owned and managed hardware.

Developed code is subject to a variety of vulnerability scans during the SDLC; including manual reviews,
SAST, DAST, and internal penetration testing. Code is versioned and retained in a secure code
repository. Access to the secure code repository is based on the need-to-know / need-to-use principle;
repository access requires multi-factor authentication. Code is reviewed and approved by the Anaplan
Security and QA teams.

Development engineers do not have access to place code into production. Upgrades are managed by
release/configuration automation software with automated rollback/overwrite features. Major upgrades
are generally about 4-5 per year, with frequent minor upgrades. Upgrades and patching occur as part of
the same cycle and are generally performed on Saturdays 1-5 pm Pacific Time US.
More information is available at https://product.anaplan.com/release-calendar-714beab2-4944-43cf-a591-693679004876

Anaplan's Update Process and Scheduling


The Anaplan platform is a SaaS-based cloud planning platform. Anaplan hosts/operates the platform from
a variety of regional global data centers. The physical data centers are operated by our data center
partners (Amazon-AWS, Google-GCP, and Equinix). In the case of public cloud providers (AWS/GCP),
the client’s workspaces are instantiated on an Anaplan operated tenant within the data center provider’s
hardware infrastructure. The data center partner and operating region are selected by the client.
Anaplan owns, operates, and maintains the Anaplan platform. Updates are applied across the entire
platform by Anaplan as part of the customer's subscription; during updates, all Anaplan tenants are
updated to the most current release level simultaneously, via configuration management software.
Updates are generally the result of a combination of the following: Product Improvement Updates
(enhancements, new features, product fixes, software or hardware updates, security
enhancements) and/or Vendor Recommended Updates (hardware or software updates, security
updates).
Anaplan performs all required updates as part of the provided service. Updates generally take place as
part of a regular update cycle from 1pm to 5pm US Pacific Time on a Saturday. The scheduling of
individual components within the update release is based on the component’s impact assessments and
their dependencies.
Notifications of upcoming releases are emailed up to one month prior to production application. The
Anaplan Community (documentation center for Anaplan) is updated and release notes are
published once the upgrade is complete and service restored to our users. The release update calendar
and new features/functionality blog are both available on the Anaplan community website. You may
subscribe for automated updates.
Previous Releases:
https://product.anaplan.com/latest-platform-releases-f0a5a653-4b25-42bf-a4c1-e0e453541191
Upcoming Release Calendar:
https://product.anaplan.com/release-calendar-714beab2-4944-43cf-a591-693679004876
Current status:
https://status.anaplan.com

Update Process and Controls


Updates are performed in accordance with the Anaplan ISMS policies. Updates are subject to Anaplan’s
change control process/policies including code review/testing/approval; quality, security, and operations
review/approval; and management review/approval.
Infrastructure configuration is managed via automated configuration software with automatic rollback and
overwrite features to further protect against unauthorized or incidental changes. Development engineers
do not have access to release code into production.
Product Enhancement Updates
The product feature enhancement roadmap is largely guided by customer requests, requirements, and
feedback. Customers are invited to participate via the Customer Advisory Board to identify desired
enhancements. Once identified, enhancements are prioritized based on impact, customer demand, and
criticality. With each release, Anaplan invites customers to review the enhancements and provide
additional feedback through the Idea Exchange and the Customer Advisory Board, through participation
in the pre-release Beta program. Customers may opt-in to the Beta program to gain early access to new
features, test functionality, and provide feedback on the upcoming release.

Vendor Recommended Updates (HW/SW/Security Patches)


Patching and maintenance of the infrastructure is governed by ISMS policy, and is tested as part of SOC
audits every 6 months.

Update Scheduling
Anaplan typically performs 4-5 feature releases/updates per year; minor or critical updates may be
interspersed. The regular update cycle occurs on a Saturday between 1pm and 5pm Pacific Time (US).
Customers are notified in advance of updates. During the upgrade window, Anaplan may be unavailable
to customers; prior to any scheduled downtime customers will be notified of the purpose and expected
length of downtime. The scheduling of individual components within the update is based on the
component’s impact assessments and their dependencies. Non-critical updates are generally performed
as part of the regular quarterly update cycle. Critical and zero-day patches may be scheduled for off cycle
implementation.

Vulnerability Scanning, Penetration Testing, and Auditing


Internal Pre-Production Vulnerability Scanning
Anaplan performs internal vulnerability scans as part of our Agile based Secure Software Development
Lifecycle. Anaplan's development team is trained in and follows OWASP and SANS secure development
coding practices.
Software releases are subject to static and dynamic code scans, manual reviews, internal vulnerability
scanning and corrections during the pre-production cycle. Code is subject to final review and change
management approvals prior to production release. Scanning and remediation activities, as well as
change management controls are described and tested in the SOC audit report.

Internal Production Vulnerability Scanning


Anaplan code is managed via release automation software with auto-rollback for unauthorized code.
Anaplan employs a defense-in-depth approach including WAF, next-gen firewalls, IDS/IDP, EDR, and
DDoS mitigation services. Production infrastructure hosting the service undergoes vulnerability scanning
monthly.

External Penetration Testing


Anaplan undergoes annual penetration testing performed by an external third-party CREST certified
vendor. Penetration test vendors are periodically rotated to ensure a "fresh look."
Security testing draws upon a multitude of tools and skills to assess the overall health of the security
infrastructure. Our pen test firms use a blended approach of Open Source, Custom Scripts, and
Commercial Tools to conduct testing. The methodology is based around 7 key phases.
• Scoping
• Reconnaissance and Enumeration
• Mapping and Service Identification
• Vulnerability and Exposure Analysis
• Service Exploitation
• Pivoting
• Reporting and Debrief
External Auditing
Anaplan does not permit independent customer vulnerability testing, as Anaplan is a multi-tenant
environment. Anaplan undergoes SOC 1 Type 2 (ISAE 3402 equivalent) and SOC 2 Type 2 audits every
6 months. Anaplan is also ISO 27001, 27017, 27018, and 27701 certified, and undergoes annual ISO
surveillance audits. ISO certifications and SOC audit reports are available to customers and to
prospective customers under NDA.

Performance - Logging and Monitoring

Logging Overview
Anaplan stores logs at 3 levels: Model History logs, Anaplan Tenant Audit logs and Infrastructure logs.
Model History logs:
(https://help.anaplan.com/a49cfdfc-e921-44d6-8c73-026c1be4097b-History)
Anaplan includes a full audit log of changes to the model, consisting of when a user adds, edits, deletes,
or renames one of the following:
Actions, Currency qualifiers, Dashboards, Functional Areas, Import Data Sources, Import source
mappings, Line item subsets, Line items, List properties, Lists including list items, Modules, Processes,
Revision tags, Roles, Saved views, Subsets of lists, Time settings, plus Undo operations.
A user may also drill into an individual cell to see previous values. The History log cannot be edited by
any users. Anaplan staff have no access to these logs as they are contained within the application itself to
which only customer users have access.
These logs can be exported via .txt files (manual or automated) for use/analysis within other systems if
required.
Anaplan Tenant Audit:
(https://help.anaplan.com/da22b141-55bc-448c-ae1c-8b634cd27dc5)
Anaplan Audit Logs are available to the members of the Tenant Auditor role via either the Administration
UI or via the Audit API, and are available to Enterprise and Professional subscription customers. The Tenant
Admin assigns members of the Tenant Auditor Role. Logs are read only.
The audit logs are available through the console or the REST API for 30 days and may be downloaded,
as a .CEF (Common Event Format) file or via the API, for use with an external SIEM (Security Information
and Event Management) system. Logs may be filtered by time period and application.
The Audit API is documented at http://auditservice.docs.apiary.io/.
Logged audit events include User Activity events. User Activity events include log in/out success/failure,
IP Address, User Create/Modify, User object access success/failure, User enable/disable, User tenant
assignment/removal success/failure.
Infrastructure logs:
At the infrastructure level, audit logs include the following: Date, time and time zone of the event, URL
executed or entity ID operated on, Identity of the system and the component, Type of event, operation
performed, Success or failure, User ID, Client IP address. These logs are written to a SIEM and retained
for 12 months and remain internal only.
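
For customers who pull the Tenant Audit log as a CEF file into their own SIEM, the following added example (not Anaplan code) parses CEF records and flags accounts whose consecutive failed logins reach the 5-attempt lockout threshold stated in this guide. The sample lines, vendor and product strings, event class IDs and extension keys (`rt`, `suser`, `src`, `outcome`, `msg`) are constructed assumptions; a real export may use different names.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # failed attempts before lockout, as stated in the guide

# Constructed sample export: every field value below is an assumption made for
# illustration and is not taken from a real Anaplan audit log.
SAMPLE_CEF = r"""
CEF:0|ExampleVendor|AuditService|1.0|USER_LOGIN|User login|5|rt=1704103200000 suser=alice@example.com src=203.0.113.10 outcome=failure
CEF:0|ExampleVendor|AuditService|1.0|USER_LOGIN|User login|5|rt=1704103205000 suser=alice@example.com src=203.0.113.10 outcome=failure
CEF:0|ExampleVendor|AuditService|1.0|USER_LOGIN|User login|5|rt=1704103207000 suser=bob@example.com src=198.51.100.7 outcome=failure msg=bad password\=typo
CEF:0|ExampleVendor|AuditService|1.0|USER_LOGIN|User login|5|rt=1704103210000 suser=alice@example.com src=203.0.113.10 outcome=failure
CEF:0|ExampleVendor|AuditService|1.0|USER_LOGIN|User login|3|rt=1704103212000 suser=bob@example.com src=198.51.100.7 outcome=success
CEF:0|ExampleVendor|AuditService|1.0|USER_LOGIN|User login|5|rt=1704103215000 suser=alice@example.com src=203.0.113.10 outcome=failure
CEF:0|ExampleVendor|AuditService|1.0|USER_LOGIN|User login|5|rt=1704103220000 suser=alice@example.com src=203.0.113.11 outcome=failure
CEF:0|ExampleVendor|AuditService|1.0|USER_MODIFY|Role change \| admin|7|rt=1704103300000 suser=carol@example.com src=192.0.2.44 outcome=success
this line is not CEF and must be skipped
"""

# An extension key is a word at the start or after whitespace, followed by '='.
# An escaped '\=' inside a value never matches because '\' is not a word char.
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")


def parse_extension(ext):
    """Split the CEF extension into a dict; values may contain spaces."""
    out = {}
    matches = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        # Undo the two escapes handled here: '\\' and '\='.
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)
    return out


def parse_cef(line):
    """Parse one CEF record, or return None if the line is not valid CEF."""
    start = line.find("CEF:")  # tolerate a syslog prefix before the record
    if start < 0:
        return None
    fields, buf, i = [], [], start
    # The header has 7 pipe-delimited fields; '\|' and '\\' are escapes.
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and line[i + 1:i + 2] in ("\\", "|"):
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        return None  # truncated header
    sev = fields[6]
    return {
        "version": fields[0][len("CEF:"):],
        "vendor": fields[1],
        "product": fields[2],
        "class_id": fields[4],
        "name": fields[5],
        "severity": int(sev) if sev.isdigit() else sev,
        "ext": parse_extension(line[i:]),
    }


def lockout_candidates(text, threshold=LOCKOUT_THRESHOLD):
    """Map each user whose consecutive failures reach the threshold to the
    sorted source IPs seen in that failure streak."""
    events = [e for e in map(parse_cef, text.splitlines()) if e]
    logins = sorted(
        (e for e in events if e["class_id"] == "USER_LOGIN"),
        key=lambda e: int(e["ext"].get("rt", 0)),
    )
    streak = defaultdict(list)
    flagged = {}
    for e in logins:
        user = e["ext"].get("suser", "?")
        if e["ext"].get("outcome") == "failure":
            streak[user].append(e["ext"].get("src", "?"))
            if len(streak[user]) >= threshold:
                flagged[user] = sorted(set(streak[user]))
        else:
            streak[user].clear()  # a successful login resets the streak
    return flagged


if __name__ == "__main__":
    for user, sources in lockout_candidates(SAMPLE_CEF).items():
        print(f"{user}: {LOCKOUT_THRESHOLD}+ consecutive failures from {sources}")
```

Because the guide states that audit logs are available for 30 days, a scheduled export at a shorter interval is what keeps a longer history in the external SIEM.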

Performance
Anaplan has at its backbone a highly optimized multi-dimension calculation engine coupled with an all In-
Memory data store and HyperBlock connectors that allow the calculation of only change-related data. The
application is specifically designed to handle billions of individual cells and thousands of users.

Customer Workspaces are fully provisioned at startup based on the subscription agreement. To scale a
workspace, customers need only purchase additional licenses. Anaplan has a unique ability to distribute
across multiple connected Workspaces enabling enterprise-connected planning scalability that is
theoretically unlimited.

Outside of the efficiencies inherent in the Anaplan platform, calculation times are largely dependent on
the customer’s model design. Anaplan customer success can assist with the load testing/stress testing
that is conducted on an individual customer basis in pursuit of customer-specific performance baselines
or model efficiency improvements. We consider customer test results as private privileged information
and they are not published.

Access Controls (Anaplan)

Segregation of Duties
As far as is practicable and possible, Anaplan segregates duties and areas of responsibility. Segregation
of duties is built into procedures, including the requirement that the Owner of a procedure or process
cannot authorize its modification, withdrawal, or release. Activity monitoring, audit trails, and management
supervision are used to support segregation of duties.

Access Rights Review and Removal


Users’ physical and logical access rights are assigned, then reviewed and adjusted regularly or upon any
change of employment status (promotion, demotion, transfer, termination). Adjustments to access rights
include the removal, revocation, replacement of credentials, keys, identification cards, and tokens used to
access Anaplan assets. Automated removal of rights for terminated employees occurs within two
business days.

Anaplan Employee Administrative and Privileged Account Access


The use of privileged access rights is restricted and controlled by the general access control policies and
by additional policies specific to the elevated risk of privileged account access. The additional restrictions
must include but are not limited to considerations for: rigorous adherence to the principle of least
privilege, specified expiry of rights associated with the account, segregation of privileged account IDs
from those used for the user's regular business, regular competency review for the privileged account
user, and elevated security controls / monitoring for unauthorized use of privileged IDs.

Administrative Access Accounts Example


Administrative / Operational access to complete normal daily activities is performed by authorized senior
Anaplan Infrastructure Engineering and Cyber Defense Teams. Administrative / Operational access is
logged and audited. Operational access requires individual credentials and logon via dedicated hardened
servers with Anaplan’s enterprise single sign-on solution which includes MFA and is secured via VPN.

Personnel are authorized for Administrative / Operational access based on the principles of least
privilege. Authorized individuals must fulfil the criteria for job/role requirements, qualifications,
certifications, training and need-to-know/need-to-use. Administrative / Operational access is reviewed
regularly in accordance with the Anaplan ISMS policies; authorized accounts that no longer meet the
criteria are removed.

Access Controls (Client’s Users)

Single Sign-On with SAML2.0


Anaplan fully supports SAML 2.0 SSO (Single Sign-On), which can be used by customers who prefer to
retain total control of their users through a centrally managed system. With SSO, user authentication is
entirely under customer control, including password complexity policies, whitelisting, time of day access
windows, two-factor authentication and any other controls required by the customer’s security policies. As
Anaplan is accessed via a browser, the authentication is the same across all internet-enabled browser
devices. Anaplan supports identity federation services (examples: Okta, Ping, ADFS).

https://help.anaplan.com/4c918673-6bb5-4fc8-8e36-ae19f4e603f8-Self-Service-SAML
Anaplan Native Authentication (UID/PWD)
Anaplan supports Native Authentication (User ID and Password). Anaplan Native Authentication has a set
of associated policies that fall within the generally accepted industry standards. Passwords are salted and
hashed.
Anaplan supports a variety of security controls including:
• Unique user IDs
• All access must be granted by the customer's administrator.
o New users are denied access by default.
• Inactivity timeout for the platform (browser session) is 35 minutes.
• Account lockout occurs with 5 failed attempts.
o User must change password to unlock.
o Password reuse is not allowed for last 10 passwords.
• Default password expiry is 90 days (can be set to 60 or 30 days via support ticket).
• An IP Allow List to restrict access to your tenant based on a user's IP address or range.
Password complexity requirements:
• Minimum of 8 characters
o At least one uppercase character
o At least one lower case character
o At least one numeric character
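How the complexity rules and the 10-password reuse rule fit together with salted hashes, as an added example (not Anaplan's implementation): because every stored entry has its own salt, a reuse check has to re-derive the candidate once per entry. PBKDF2-HMAC-SHA256, the round count and the names `complexity_errors` and `PasswordHistory` are assumptions; the guide does not state the algorithm.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

MIN_LENGTH = 8       # from the guide
HISTORY_DEPTH = 10   # from the guide: no reuse of the last 10 passwords


def complexity_errors(password: str) -> List[str]:
    """Return the complexity rules from the guide that the password breaks."""
    checks = [
        (len(password) >= MIN_LENGTH, "fewer than 8 characters"),
        (any(c.isupper() for c in password), "no uppercase character"),
        (any(c.islower() for c in password), "no lowercase character"),
        (any(c.isdigit() for c in password), "no numeric character"),
    ]
    return [msg for ok, msg in checks if not ok]


class PasswordHistory:
    """Salted-hash history; the KDF and round count are assumptions."""

    def __init__(self, rounds: int = 600_000):
        self.rounds = rounds
        self.entries: List[Tuple[bytes, bytes]] = []  # (salt, derived key)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.rounds)

    def is_reused(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per
        # entry; all entries are checked so timing does not show which matched.
        reused = False
        for salt, key in self.entries:
            reused |= hmac.compare_digest(self._derive(password, salt), key)
        return reused

    def change(self, password: str) -> List[str]:
        """Apply the policy; store the new hash only if nothing fails."""
        errors = complexity_errors(password)
        if self.is_reused(password):
            errors.append("matches one of the last 10 passwords")
        if not errors:
            salt = os.urandom(16)
            self.entries.append((salt, self._derive(password, salt)))
            del self.entries[:-HISTORY_DEPTH]  # keep only the newest 10
        return errors
```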
Password Reset
Password Reset can be initiated by the user by clicking on the “Forgot Password?” link on the login
screen. The registered e-mail address (Account) is used to send a password reset to the user.

Role Based Security Authorization


Anaplan uses role-based access controls. Roles provide a very flexible way of managing users and
ensure a consistent approach to user management. They are methods of grouping users who perform the
same business function and need to share common data access and control for a model. You can create
as many roles as the use case requires and assign different permissions and data access to each. Those
roles are then assigned to users. User provisioning and data access are controlled by the customer
administrators. Administrators manage security for an application and create roles for managing access
into the application.
Administrators control access for the model and can secure data down to a specific cell if required.
Customer administrators manage user logons and model security and can assign Anaplan actions to
roles.

Creating User Account / Role


Users - https://help.anaplan.com/control-user-access-within-models-8c495688-216e-49c4-aa56-a4b70487e5d7
Restricting content - https://help.anaplan.com/restrict-access-to-a-page-d11711e5-e7fe-46ba-99da-8ffccfca1d61
Roles - https://help.anaplan.com/model-roles-30783e17-b789-4005-b87a-ff15cd3c9044
Selective access to data - https://help.anaplan.com/enable-selective-access-for-a-list-4b9dee80-c7aa-4235-b07e-627e2d0689a2
Importing users via data integration - https://help.anaplan.com/set-up-a-users-import-71396862-8d1f-4d03-9daf-ee8d898e5574
Centralized Identity Management - https://help.anaplan.com/centralized-identity-management-09d4fcff-cfaf-402a-8fcc-ba64ffb97a2e

SCIM API
Anaplan offers REST-based SCIM APIs which may be used in data integrations between the Anaplan
tenant and a SCIM-compliant identity source (e.g., Okta). SCIM APIs allow customers to easily create
users in Anaplan, assign workspaces, and apply simple changes via API. Customers can automate the
provisioning and management of user identities from their source systems/IDPs to Anaplan.
SCIM API Documentation:
https://scimapi.docs.apiary.io/

Data

Client is the Data Controller


Regarding client data and data regulations, including GDPR, Anaplan acts as the Data Processor; the
client acts as the Data Controller. As the Data Controller, the client determines the data to be processed,
the use of the data, data retention policy, provisions and authorized users, and any further classification
to meet their legal and regulatory obligations.

The client may download and delete data from the active application at their pleasure. In the event of
contract termination, client data previously submitted to Anaplan is retained in inactive status for a
wind-down period of 30 days. During the wind-down period, the client may export their data. After the
wind-down period has elapsed, client workspaces are de-provisioned and client data is purged from memory
and backups.

Anaplan is the Data Processor


Anaplan processes the client’s data at the instruction of the client. Uploaded and processed data remains
the property of the client. Anaplan regards all client-controlled data as private and confidential. No
Anaplan employee or contractor has any inherent access to client-owned data. Users may only access a
client’s data if granted explicit access by the client’s administrator. Anaplan does not provide a client’s
users or assign user access to client-owned data.

Customer Controlled Assets


Regarding Client Data, Anaplan acts as the Data Processor; the client acts as the Data Controller.
Anaplan regards all Client-controlled Data as private and confidential. The client determines the data to
be processed, its retention policy, and any further classification to meet their legal and regulatory
obligations. Anaplan processes the data at the instruction of the client. In the event of contract
termination, Client Data previously submitted to Anaplan is retained in inactive status for a wind-down
period of 30 days. During the wind-down period, the client may export their data. After the wind-down
period has elapsed, client workspaces are de-provisioned and Client Data is purged from memory and
backups.

Lifecycle Environments (Development - Test - Stage - Production)


Anaplan can support any number of client lifecycle environments. Customers may choose to implement
multiple logical instances (Workspaces/Models/Versions) to act as lifecycle environments
(Dev/test/stage/prod) for the application. Clients administer their own environments in Anaplan and
therefore are able to tailor their promotion procedures to a process that best matches their policies.
Anaplan provides lifecycle management tools that make it easy to copy/promote objects between the
lifecycle environments. All customer environments and data reside in the Anaplan production platform
instance regardless of their client lifecycle designation.

Data Separation
Anaplan is a multi-tenant solution; however, the architecture keeps each customer instance (Workspace)
isolated via customer-, workspace-, and user-specific GUIDs, Access Control Lists (ACLs), and
serialization. The unique GUIDs at both Workspace and Model level carry through all of the application
and file system layers. No two Workspaces/Models share directory or file space. There is no commingling
of data.
Data Integrations
Anaplan is known for seamless secure integrations with nearly any software system. Integrations include
source and target data repositories, enterprise schedulers, ETLs, ERPs, reporting, presentation, and
analytics systems. Our clients use industry standard connection methods to leverage data from their time-
tested legacy systems (AS400/DB2), from all modern systems (SAP, Snowflake, Salesforce, Workday,
etc.), and from cloud technologies (AWS S3, Google Big Query, Azure Blob).

The industry standard options (noted below) of importing include both manual and automated
integrations.
Anaplan tools:
• The Anaplan GUI supports direct import of text, CSV, and the export of text, CSV, pdf, and Excel
(manual point & click).
• Anaplan Connect allows you to move flat files, connect to JDBC sources, and interface with
enterprise schedulers.
• CloudWorks allows native integration to AWS S3, Google Big Query, and Azure Blob as well as
scheduled model-to-model imports within Anaplan.
Direct Integrations: Available for consumer software Excel, Google Sheets, Tableau, Workiva, PowerBi,
PowerPoint, and Microsoft 365.
ETLs and Third Party tools:
• Any ETL, Orchestration, or scheduling provider may be used as long as they are able to call
either Batch or Shell scripts or leverage API calls.
• Anaplan makes it easy with built-in connectors for popular tools: Informatica Cloud, MuleSoft,
Snaplogic, Boomi, Workiva Chains.
• Anaplan HyperConnect (a limited-use license of Informatica Cloud, with hundreds of connectors)
Custom integrations: Extend platform capabilities using REST APIs (fully supported/documented APIs
for both Batch and Transactional data).

Data Integration Resources


• Overview - https://help.anaplan.com/data-integration-d583c819-d1f1-4d8a-9446-0015cac5ea2d
Anaplan Tools
• Anaplan Connect - https://help.anaplan.com/anaplan-connect-e3a9f00c-3924-4cfb-aed0-1ec14233821b
• Cloudworks - https://help.anaplan.com/cloudworks-96f951fe-52fc-45a3-b6cb-16b7fe38e1aa
Consumer Direct Integrations
• Tableau integration - https://help.anaplan.com/tableau-connector-for-anaplan-b13a6074-319a-43ea-a8a4-7187f41f2f91
• Google Sheets - https://help.anaplan.com/en/12e56d54-c37e-4791-9771-1a6bbee8e4d5-Google-Sheets-Add-on
• PowerBI - https://help.anaplan.com/e1cdf0b7-631f-4cd6-b4df-a5e0927e1ef8-Anaplan-Connector-Power-BI-Desktop
• Excel Add-In - https://help.anaplan.com/4f3c3661-1e69-42f1-ad86-00c6898075c6-Excel-Add-in-Series-4
• Microsoft 365 - https://help.anaplan.com/a90600ae-7ae8-42cb-824b-25aea2069c0c-Anaplan-for-Microsoft-365
• Workiva - https://marketplace.workiva.com/en-us/connectors/anaplan-connector
ETLs and Third Party
• Third-Party and ETL - https://help.anaplan.com/third-party-data-integration-0e2e7180-3a87-4899-afed-6da6a98cb470
• HyperConnect - https://help.anaplan.com/anaplan-hyperconnect-powered-by-informatica-4ac7d75b-6933-4909-86b2-80394950839c
REST API
• Rest API Document - https://help.anaplan.com/anaplan-api-da432e9b-24dd-4884-a70e-a3e409201e5c
Anaplan's REST API v2.0
Anaplan’s REST API is free for all customers and can be leveraged to allow custom API calls that can
automate imports, exports, ALM syncs, security audit reports, user provisioning and more. There are
many programming languages and tools that allow you to make API calls to Anaplan that can be
customized to fit your needs. Python, Postman, and cURL commands are some common methods used
to leverage Anaplan’s API.
All API calls are digitally signed by default. All API calls are encrypted using HTTPS (TLS).

Bulk API - https://help.anaplan.com/93218e5e-00e5-406e-8361-09ab861889a7
Transactional API - https://help.anaplan.com/cc1c1e91-39fc-4272-a4b5-16bc91e9c313-Use-the-transactional-APIs
SCIM API - https://scimapi.docs.apiary.io/
Audit API - https://auditservice.docs.apiary.io/#
Application Lifecycle Management API - https://almapi.docs.apiary.io/
Developer Hub - https://community.anaplan.com/categories/developers
Anaplan’s API supports both asynchronous and synchronous API calls.
Bulk APIs are optimized for loading or deleting large sets of data. Use them to query, insert, update, or
delete many records asynchronously by submitting batches. Bulk APIs are designed to make it simple to
process data from a few thousand to millions of records. Bulk API imports work with TXT and CSV data
formats.
Transactional APIs provide synchronous data modifications, which may consist of minor changes such as
individual cell updates or data exports.
Transactional API requests work with JSON and CSV data formats.
REST API Authentication and Token Generation
The REST API v2.0 leverages OAuth 2.0, Certificate Authority (CA) issued certificates, or
username/password for authentication. CA certificates can be obtained through your company's
intermediary CA (typically issued by IT or a Security group) or by purchasing them from a trusted
Certificate Authority.
Once authenticated, a token is generated to use going forward. Tokens are valid for 35 minutes. If your
token is about to expire, you can refresh your token to remain authenticated for another 35 minutes.
Details on CA certificates:
https://help.anaplan.com/en/23410167-f022-41fb-9f77-93c66e8e409f-Administration:-Security---Certificates
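The 35-minute token lifetime described above, handled in integration code, as an added example that is not taken from Anaplan's guide or API documentation. The `authenticate` and `refresh` callables are hypothetical hooks that the caller wires to the real authentication requests; the 5-minute refresh margin and the fall-back to a fresh login are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_LIFETIME_S = 35 * 60   # lifetime stated in the guide
REFRESH_MARGIN_S = 5 * 60    # assumption: refresh once under 5 min remain


@dataclass
class _Token:
    value: str
    issued_at: float


class TokenManager:
    """Caches one API token and renews it before the 35-minute expiry.

    authenticate() -> str and refresh(old) -> str are hypothetical hooks
    supplied by the caller; they are not part of any Anaplan library.
    """

    def __init__(self, authenticate: Callable[[], str],
                 refresh: Callable[[str], str],
                 clock: Callable[[], float] = time.monotonic):
        self._authenticate = authenticate
        self._refresh = refresh
        self._clock = clock
        self._token: Optional[_Token] = None

    def get(self) -> str:
        now = self._clock()
        tok = self._token
        if tok is None:
            return self._store(self._authenticate(), now)
        age = now - tok.issued_at
        if age >= TOKEN_LIFETIME_S:
            # Past the stated lifetime: assume refresh is no longer
            # possible and log in again.
            return self._store(self._authenticate(), now)
        if age >= TOKEN_LIFETIME_S - REFRESH_MARGIN_S:
            try:
                return self._store(self._refresh(tok.value), now)
            except Exception:
                # Refresh rejected or failed: fall back to a full login.
                return self._store(self._authenticate(), now)
        return tok.value

    def _store(self, value: str, now: float) -> str:
        self._token = _Token(value, now)
        return value
```

Injecting the clock keeps the expiry logic testable without waiting, and using a monotonic clock by default avoids early or late renewal when the system time is adjusted.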
IP Address Restriction / Whitelisting
REST APIs are supported by Anaplan's IP Allow List feature which allows the restriction of access by an
integration account based on an IP address or range. For more information on IP Allow List-supported
APIs, please see: https://help.anaplan.com/c39707d0-ab62-407e-896f-b41519ba76e9-Anaplan-tools-covered-by-the-IP-allow-list

Support

Anaplan Support
Anaplan provides 24/7/365 support for all customers. There is no limit to the number of support cases or
users. Support operations are handled through Anaplan's global support centers. Users may freely
browse the Anaplan Support website for answers to common questions, best practices, Anapedia
documentation, user forums, and known issues.

Anaplan provides 24/7/365 support to our clients through the following avenues:
• Unlimited support tickets
• Email - [email protected]
• Live Chat - Available from https://support.anaplan.com/contact directly from the Anaplan Platform
under the 'Help' menu.
• Telephone - https://support.anaplan.com/contact
• Extensive user documentation and self-help support is available
at https://community.anaplan.com/categories/academy. Detailed service information, including our
online documentation 'Anapedia', may be found at https://help.anaplan.com/

Standard and Enhanced Support


The Anaplan service includes standard support for all clients. Additional levels of enhanced support are
also available. For more information on standard support, enhanced support, and support guidelines,
please see the link below. https://www.anaplan.com/legal/HyperCare-Support/

Support Tickets and Escalation


All support interactions result in a trackable ticket that is auto-generated for the submitter. The ticket
shows full issue history and resolution. In the event that an issue cannot be resolved by first line support,
tickets are escalated for resolution with the appropriate Anaplan resource teams.
