Pega provides transparency about our compliance posture on emerging and established international and local regulations and standards. We maintain an extensive set of compliance certifications, attestations, and third-party assessments to give you confidence in our solutions.
"Our customers require a higher level of security, and Pega exceeds those requirements."
Pegasystems Inc. has obtained ISO/IEC 27001:2013 (“ISO 27001”) certification of its information security management system supporting infrastructure and services used to support the Pega Cloud Managed Service Infrastructure. ISO 27001 is a globally recognized standard for the establishment and certification of an information security management system (ISMS).
General Data Protection Regulation
The GDPR goes into effect May 25, 2018, and has major repercussions for companies worldwide. With potential fines of up to 4% of revenue, this is much more than a compliance issue. Currently, there is no official certification for GDPR compliance. Pega is committed to providing secure solutions that enable our customers to fully comply with data privacy and security best practices, including the GDPR.
Service Organization Controls
Pega has received a SOC 2 Type 2 report from an independent audit firm, which describes how Pega Cloud complies with the Service Organization Controls framework. This report provides Pega Cloud clients with confidence in Pega's information security practices.
Health Insurance Portability and Accountability Act
Currently, there is no official certification for HIPAA or HITECH Act compliance. However, Pega has received an assessment from an independent audit firm which concluded Pega Cloud meets the requirements of the HIPAA/HITECH privacy and security regulations. This assessment provides Pega Cloud clients with confidence that they can securely process and store PHI (Protected Health Information) in Pega Cloud.
Payment Card Industry Data Standard
Pega has received an Attestation of Compliance (AOC) from a qualified security assessor which demonstrates that Pega Cloud is compliant with PCI DSS. This enables Pega Cloud clients to reduce the associated effort and costs to obtain PCI certification for an end-to-end solution which leverages Pega Cloud as a component.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Pega complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework for protecting personal data transferred from the EU and Switzerland. Pega's adherence to the Privacy Shield Principles allows clients to comply with the data protection requirements of the EU Data Protection Directive when transferring personal data to Pega and its affiliates outside of the EEA and with the requirements of the Swiss Federal Act on Data Protection when transferring personal data outside of Switzerland.
Pega Cloud for Government is in the process of achieving FedRAMP compliance and an Authority to Operate (ATO) at the Moderate level. The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, in order to accelerate the adoption of secure cloud solutions by government agencies.
Rehabilitation Act of 1973, Section 508
Pega Cloud meets the accessibility requirements as outlined by the Voluntary Product Accessibility Template (VPAT), in accordance with the Section 508 standards. The VPAT assists U.S. Federal contracting and procurement officials in understanding how Pega Cloud meets accessibility requirements.
FDA CFR Title 21 Part 11
Although regulatory authorities do not certify individual products or services as Part 11 compliant, the Pega Platform provides life sciences organizations with the process and technical controls needed to achieve compliance with FDA CFR Part 11.
Pega Cloud is listed as a cloud service provider on the G-Cloud Digital Marketplace. This enables U.K. government agencies to easily locate and procure Pega Cloud services.