Pega is committed to maintaining customer data privacy. To that end, Pegasystems is making the necessary investments to follow the standards and practices of the regulatory programs described below in order to assure customer data is being maintained in accordance with standard regulatory and industry practices.
The Payment Card Industry Data Security Standard (PCI DSS) is a standard that was created by the major credit card providers (i.e., Visa, MasterCard, American Express, Discover and JCB) for organizations that handle cardholder data. It was established to increase controls and reduce credit card fraud. The Payment Card Industry Security Standards Council administers the standard.
Pega Cloud has received an Attestation of Compliance from a qualified security assessor that it meets the requirements of PCI-DSS v.3.2 SAQ D for service providers.
Service Organization Controls (SOC) reports reflect the results of a Pega Cloud audit by an independent third party auditing firm. Specifically, these reports show how Pega Cloud’s internal controls are in accordance with the security, availability and confidentiality SOC objectives.
Pega Cloud meets the general requirements of CFR 164 for the privacy and security components of the American Institute of Certified Public Accountants’ applicable criteria for the SOC 2 Type II reports.
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the security and privacy of Protected Health Information (PHI).
Pega Cloud received a privacy and security compliance assessment report relating to the Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health (HITECH) Act. As conducted by an independent third party auditing firm, the assessment included and evaluated the HIPAA/HITECH privacy and security regulatory criteria including the administrative, technical and physical controls along with supporting policies, processes, procedures and personnel.
The report concluded Pega Cloud meets the requirements of the HIPAA/HITECH privacy and security regulations.
The Rehabilitation Act of 1973, Section 508, requires that Federal agencies’ electronic and information technology is accessible to people with disabilities. Under this section, a template, the Voluntary Product Accessibility Template (VPAT), has been defined to measure compliance.
Pega Cloud meets the accessibility requirements as outlined by the Voluntary Product Accessibility Template (VPAT), in accordance with the Section 508 standards.
The Federal Risk and Authorization Management Program (FedRAMP) is a United States-based program that is the result of close collaboration with cybersecurity and cloud experts from GSA, NIST, DHS, DOD, NSA, OMB, the Federal CIO Council and its working groups, as well as private industry.
The FedRAMP assessment process is initiated by agencies or cloud service providers (CSPs), who begin a security authorization using the FedRAMP requirements, which are FISMA compliant and based on NIST 800-53 rev3, and initiate work with the FedRAMP PMO.
CSPs must implement the FedRAMP security requirements on their environment and hire a FedRAMP approved third party assessment organization (3PAO) to perform an independent assessment to audit the cloud system and provide a security assessment package for review.
Pega Cloud’s FedRAMP status is in process.
Privacy Shield Frameworks
The Privacy Shield effectively replaces the Safe Harbor regime which was invalidated by the European Court of Justice in October 2015. Pegasystems’ adherence to the Privacy Shield Principles allows European companies to comply with the data protection requirements of the EU Data Protection Directive when transferring personal data to Pegasystems and its affiliates outside of the EEA and with the requirements of the Swiss Federal Act on Data Protection when transferring personal data outside of Switzerland.