Pegasystems Inc. has obtained ISO/IEC 27001:2013 ("ISO 27001") certification of the information security management system (ISMS) that governs the infrastructure and services supporting the Pega Cloud Managed Service Infrastructure. ISO 27001 is a globally recognized standard for establishing and certifying an ISMS. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS in the context of the organization's overall business risks, and it prescribes a risk-based approach centered on adequate and proportionate security controls that protect information assets and give confidence to interested parties. To achieve certification, a company must demonstrate a systematic and ongoing approach to managing sensitive company and customer information. The certification audit was performed by Schellman & Company, LLC, an ANAB- and UKAS-accredited Certification Body based in the United States.
General Data Protection Regulation
The GDPR goes into effect on May 25, 2018, and has major repercussions for companies worldwide. With potential fines of up to 4% of annual global turnover (or EUR 20 million, whichever is greater), this is much more than a compliance issue. Currently, there is no official certification for GDPR compliance. Pega is committed to providing secure solutions that enable our customers to comply fully with data privacy and security requirements and best practices, including the GDPR.
Health Insurance Portability and Accountability Act
Currently, there is no official certification for HIPAA or HITECH Act compliance. However, Pega has received an assessment from an independent audit firm that concluded Pega Cloud meets the requirements of the HIPAA/HITECH privacy and security regulations. This assessment gives Pega Cloud clients confidence that they can securely process and store protected health information (PHI) in Pega Cloud.
Payment Card Industry Data Security Standard
Pega has received an Attestation of Compliance (AOC) from a Qualified Security Assessor (QSA) demonstrating that Pega Cloud is compliant with PCI DSS. This reduces the effort and cost for Pega Cloud clients to validate PCI DSS compliance of an end-to-end solution that uses Pega Cloud as a component; the components and processes of that solution outside Pega Cloud's scope remain the client's responsibility to validate.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Pega complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for protecting personal data transferred from the EU and Switzerland. Pega's adherence to the Privacy Shield Principles allows clients to comply with the data protection requirements of the EU Data Protection Directive when transferring personal data to Pega and its affiliates outside the EEA, and with the requirements of the Swiss Federal Act on Data Protection when transferring personal data outside Switzerland.
Federal Risk and Authorization Management Program
Pega Cloud for Government is in the process of achieving FedRAMP compliance and an Authority to Operate (ATO) at the Moderate impact level. The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, to accelerate the adoption of secure cloud solutions by government agencies.
Rehabilitation Act of 1973, Section 508
Pega Cloud's conformance with the Section 508 accessibility standards is documented in a Voluntary Product Accessibility Template (VPAT). The VPAT helps U.S. Federal contracting and procurement officials understand how Pega Cloud meets those accessibility requirements.