Pega Trust Center

Resources

Digital Security Policies

Veracode Statement

Penetration Test Summaries

Business Continuity Plan Summary

Disaster Recovery Test Results

Last updated

12/2/2023

N/A

8/3/2023

3/31/2023

12/29/2023

Assessment scope

Pega Cloud AWS, GCP

Pega Cloud AWS, GCP

Pega Cloud AWS, GCP

Pega Cloud AWS, GCP

Pega Cloud AWS

APRA

Australia, like other countries, has implemented significant cybersecurity and regulations to address the increasing challenges of hacking, fraud, and state-sponsored attacks. Like any other set of rules, qualified organizations must assess these regulations that can understand the law and how it is applied in real-world situations. The Information Security Registered Assessors Program is a unique compliance program that attests to the ability of private and public organizations to meet cybersecurity requirements.

CSA STAR

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.

Cyber Essentials

Cyber Essentials is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks.

Cyber Essentials Plus

Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks. It builds upon the Cyber Essentials certification by incorporating independent verification of technical controls.

CyberGRX

CyberGRX provides a cybersecurity platform designed to assist businesses in handling cyber risks related to third-party vendors. Pega leverages CyberGRX to streamline our vendor risk assessment process. With CyberGRX, Pega can assess the security posture of our third-party vendors, identify possible risks, and prioritize necessary mitigation measures.

Cybervadis

Cybervadis is a platform for cybersecurity ratings designed to assess the cyber risk associated with a company’s third-party suppliers. At Pegasystems, a global technology company, Cybervadis is employed to evaluate the cybersecurity posture of our suppliers and partners. Through the assessment of cyber risk associated with our suppliers, Pegasystems can make well-informed decisions concerning the security and resilience of our supply chain.

Cybervadis offers a comprehensive risk assessment based on various factors, including data security, infrastructure security, and regulatory compliance. Pegasystems utilizes these ratings to identify potential vulnerabilities within the supply chain and to take effective measures to mitigate associated risks.

Ultimately, by leveraging Cybervadis, Pegasystems is positioned to enhance our security posture, strengthen risk management processes, and ensure the security and integrity of our operations.

ENS

The Esquema Nacional de Seguridad (ENS) is the Spanish National Security Framework. It is a set of security requirements and guidelines that are mandatory for all organizations that handle sensitive information on behalf of the Spanish government. The ENS is based on the principles of confidentiality, integrity, availability, and accountability. It is designed to protect sensitive information from unauthorized access, modification, or disclosure, and to ensure that it can be used only for authorized purposes.

Resources

Certificado ENS Pegasystems Limited

Last updated (YYYY-MM-DD)

2023-11-24

Assessment Scope

Pega Cloud AWS & GCP

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings

French HDS

The Hébergeurs de Données de Santé (HDS) certification is required for entities such as cloud service providers that host the personal health data governed by French laws and collected for delivering preventive, diagnostic, and other health services. The HDS regulation was issued by ASIP SANTÉ which, under the French Ministry of Health, is responsible for promoting electronically based healthcare solutions in France.

HITRUST

Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework. The HITRUST Risk-based, 2-year (r2) Validated Assessment is globally recognized as a high-level validation showing that an organization successfully manages cyber risk by meeting and exceeding industry-defined and accepted information security requirements. The HITRUST r2 Validated Assessment + Certification is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of quality review, and consistency of oversight.

IL4

The Defense Information Systems Agency (DISA) published the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) that outlines the security model and requirements by which DoD will leverage cloud computing along with the security controls and requirements necessary for using cloud-based solutions. IL4 information covers controlled unclassified information (CUI), non-CUI information, non-critical mission information, and non-national security systems.

IRAP

The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.

ISO 22301

Published by the International Organization for Standardization, ISO 22301 is designed to help organizations prevent, prepare for, respond to and recover from unexpected and disruptive incidents. To do so, the standard provides a practical framework for setting up and managing an effective business continuity management system. ISO 22301 aims to safeguard an organization from a wide range of potential threats and disruptions.

This standard may be right for your organization if you need to demonstrate to stakeholders that your organization can rapidly overcome operational disruption to provide continued and effective service.

ISO 27001

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

ISO 27017

ISO 27017 is an international standard offering guidance on information security controls for cloud services. These controls supplement the guidance of ISO 27002 and are included in Pega Cloud’s ISO 27001 certification. It helps address cloud security challenges by advising on effective measures like provider responsibilities, information sharing, personnel security, and compliance.

ISO 27018

ISO 27018 is a standard that provides guidelines for protecting personally identifiable information (PII) in the cloud. These guidelines supplement the guidance of ISO 27002 and are included in Pega Cloud’s ISO 27001 certification.

PCI/DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

SOC 1

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 1 reports are primarily concerned with examining controls that are relevant for the financial reporting of customers

SOC 2, Type 2

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.

TISAX

TISAX is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.

If you want to process sensitive information from your customers or evaluate the information security of your own suppliers, TISAX supports you in reducing efforts.

California Consumer Privacy Act/ California Privacy Rights Act

The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.

On November 3, 2020, the California Privacy Rights Act (“CPRA”) passed. The CPRA amends the CCPA and includes additional privacy protection for consumers. The majority of CPRAs provisions will enter into effect on January 1, 2023, with a look-back to January, 2022.

FDA

Food Drug Administration CFR Title 21. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.

GDPR

The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.

Data Privacy Framework

The EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively developed in furtherance of transatlantic commerce by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.
 
The effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 10, 2023, which is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

Effective as of July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. The data bridge will enable the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law

To learn more about the Data Privacy Framework program, and how we comply with the Data Privacy Framework, please visit our Privacy & Security page here. To view our Data Privacy Framework notice and to view our participation, please visit https://www.dataprivacyframework.gov/s/