Mindtree Limited

SAP Hybris Cloud for Customer (C4C)

The provision of implementation services for the end-to-end implementation of SAP Hybris Cloud for Customer (C4C) and Cloud for Service(C4S) into a customer’s existing SAP landscape. This service also includes a range of pre and post implementation services to support the customers adoption of SAP Cloud for Customer and Service.


  • Service Desk/Contact Centre/Call Centre/Knowledge Base Tool
  • Supports exisiting Line Of Business workflow and porocesses
  • Mobile, device agnostic application and extensions
  • CRM, Customer / Citizen / Contact Relationship Management
  • Optimised for consumption via Digital Channels
  • Secure, UK only and EU only Data Residency and Processing
  • Development Platform to deploy and manage other applications
  • Public Sector Accelorators available, e.g. for Council, Health, Police
  • The only true real-time CRM system running on SAP HANA
  • Flexable Licencing and Support options


  • Automate and process in realtime
  • Built with native digital commerce, engagment and marketing capability
  • ERP & back office systems and applications intergration
  • Ease of deployment with established and expert partner ecosytem
  • Easy to use, adaptive and responsive User Interface (UI)
  • Market and engage to an audience of one
  • Open API Platform supporting easy integrations
  • Presentation and mobilisations environment for ALL (SAP and non) systems
  • Secure Platform to support Public,Private or Hybrid Cloud
  • UK Support Centre with UK only Staff and Datacentre


£37 to £117 per user per month

Service documents


G-Cloud 11

Service ID

1 8 1 5 0 4 2 8 1 7 8 9 6 8 8


Mindtree Limited

Paril Popat



Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
SAP Hybris Cloud for Customer (Cloud) integrates with SAP Enterprise Resource Planning (ERP) via HCI and PI and/ or with SAP Customer Relationship Management (CRM) via HCI and PI.

Additionally, with OData API, you can query, read, add, update and delete data from and into SAP Cloud for Customer.
Cloud deployment model
Public cloud
Service constraints
Potential disadvantage of the application is that every three months there is an update of the solution. This update is pushed to every C4C user in the world. Unfortunately, you can’t choose to wait a week or to keep using the older version. However, it is understandable decision of SAP, as this assures that all users are running the newest innovations and receive the same support.
System requirements
  • Microsoft Silverlight (minimum 5.0)
  • Adobe Reader 8.1.3 or higher

User support

Email or online ticketing support
Yes, at extra cost
Support response times
We offer a range of SLAs to meet all budgets
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
We offer a variety of support models from ad-hoc per ticket support to fully outsourced Application Management Support
Support available to third parties

Onboarding and offboarding

Getting started
Depending on the client's needs we can provide written documentation and user guide on how to use the C4C service. Bluefin Solutions offer knowledge transfer, onsite training and online/ remote training from our offshore consultants.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data extraction tools are available in the SAP C4C product.
End-of-contract process
Please read section 6 of the GENERAL TERMS AND CONDITIONS

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Native mobile apps are available for Apple and Android devices.
Service interface
What users can and can't do using the API
Here are approximately 200 APi's which can be consumed in C4C for various objects. These API's can either create data or extract data from the system based on the standard provided system objects. These API's are system specific and will enable system testing prior to deploying to a production system.

The API's are delivered as standard with each C4C system, and with very little configuration they are ready to use, depending on the security requirements these services can be secured either with SSL certificates or Basic Authentication.

There are a number of options for sending data which could include system to system messages or front end user applications to populate the objects. The API can be customised by adding additional fields to the service to either store or extract the required data.

The provided API cannot be reduced and a complete object extract is required where standard fields have been populated, the only control available is to decide whether to add additionally created fields to the service or not.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Customisation is possible through Key User Tools (KUT) where user can adjust screen layouts for different business roles and manipulate field creations. Via Cloud Application Studio user can access development tools to create bespoke objects or new screens. KUT and Cloud Studio Application -SDK development allows customisation of the C4C screens, objects, data validation and layout. There are also several options in-built within the system to allow admins to restrict the data that users can access or see, or to auto determine rule based field population. Only certain users (i.e. administrators) can customise the system based on roles and authorisations that have been set up. Regular system user can only customise his/her screen to suit business or personal preference.


Independence of resources
The SAP C4C solution is cloud based,fully scalable and can be dynamically enhanced as the load increases or decreases. A key benefit of a cloud solution is that it does not need to care about scaling or multi-tenancy as SAP caters for this as part of the global service. This global scalability is transparent and provided automatically. There are zero infrastructure costs as this is a subscription based service priced per user, additional license costs would be based on user volumes and potentially any expert support required in support of future functional changes.


Service usage metrics
Metrics types
SAP provides dashboards and reports to measure and monitor how the solution is being used by C4C licensed users.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
The SAP cloud is inspected several times a year by external auditors, in accordance with various standards (including ISO 27001, ISAE-3402, and SSAE-16) to ensure that the security organization as well as all technical and organizational measures are implemented and reflect state-of-the-art technology. These certificates and audit reports may be shared with customers, although this may require signing a non-disclosure agreement (NDA).
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
All SAP Cloud for Customers data objects can be extracted via an Excel mechanism.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
SAP warrants at least 99.5% availability over any calendar month. Please see the following link for details:
Approach to resilience
An intrusion detection system monitors incoming data and identifies suspicious activities, while firewalls made by different manufacturers protect the data in the data center. Data and backup files are exchanged with customers in an encrypted format or transmitted via secure fiber-optic cables.
Outage reporting
Should the multiple-redundancy power supply system fail, batteries are automatically and immediately actuated and supply electricity for up to 15 minutes. Within this time frame, emergency power diesel generators are started up. They can then supply power to the data center for an extended period.
A power outage is simulated once annually. The external power supply is cut off, so that the emergency power supply is actuated. This procedure ensures that the batteries can bridge the power failure as expected, the diesel motors start up automatically, and an extended supply of electricity is provided. This test is conducted and recorded by the data center operator. The reports are then submitted to the TÜV, which compares them to the ISO 27001 standards.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Every user type must authenticate itself to SAP Cloud solutions for regular browser-based front-end access, as well as for electronic data exchange, such as Business-to-Business communication. SAP Cloud solutions do not support anonymous access. When a new user is created in your SAP Cloud solution, for example, during the hiring process of a new employee, a user ID is created. To log on your SAP Cloud solution, the following authentication mechanisms are supported:
● Logon using SAML 2.0 assertion for front-end Single Sign-On (SSO)
● Logon using client certificate (X.509) as logon certificate
● Logon using user ID and password
Access restriction testing frequency
At least once a year
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Link to Certificate
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • SOC 1 / SSAE 16
  • SOC 2
  • ISO 22301

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
All SAP Cloud services are ISO 27001 certified. For detailed information please refer to http://www.sapdatacenter.com for more detailed information.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Cloud solutions from SAP help organizations meet security requirements by providing industry standard certifications and IT IL-based operational processes that include security management and governance functionality such as the following:
•Change and security patch management processes
•Security incident management processes
•Identity management processes
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
SAP has implemented technical vulnerability management in its solutions to reduce risks resulting from the exploitation of technical vulnerabilities. The use of operator logs and fault logging helps ensure the identification of system problems. System monitoring checks the effectiveness of the controls that are implemented and verifies conformity to the information security policies and standards found in cloud solutions from SAP. The company uses industry-leading security partners to conduct daily and monthly penetration tests on the production environment, and customers
also can perform their own application vulnerability testing.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
SAP applies high security level not only to the cloud server environment but also to the administrator client infrastructure found in cloud solutions to quickly respond to potential compromises. Every PC or laptop used by employees that work on providing these service offerings are monitored by antivirus software, intrusion prevention systems, and compliance monitoring tools. This helps ensure quick response to incidents and also checks compliance of the operating system and applications used by our employees with the company’s security policy. Additionally, the hard drives in all client devices are encrypted.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
SAP Cloud implements formal event reporting and follows escalation procedures if an information security incident occurs. Real-time notifications of vulnerabilities and security incidents are entered into the SAP ticketing system, and the appropriate SAP personnel are notified. All actions taken to resolve a problem are documented, so all problems can be tracked to completion. Information security staff will generate a report regarding the need for enhanced or additional controls to limit the frequency, damage, and cost of future occurrences, as well as required revisions to information security policies.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£37 to £117 per user per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑