Pega Trust Center

Secure. Reliable. Compliant. Pega Cloud empowers the world’s biggest brands to meet – and exceed – the challenges of today and tomorrow. Learn how.

Security

Our security policies provide a framework for safeguarding against unauthorized access and preventing/mitigating attacks that compromise performance and availability.

View security bulletins

Authorization & access

Manage user and system access to data in your Pega Cloud Environment(s) with role-based controls. Simplify native identity and access management and integration with leading single sign-on technologies, including SAML, OAuth, and Active Directory.

Network protection

Our network architecture is designed to meet a range of security control requirements. Our network rulesets and access controls keep your Pega Cloud Environment(s) isolated from other Pega clients and from internal services.

Secure system integration

We offer multiple secure and private ways for Pega Cloud Environment(s) to integrate with systems in enterprise environments.

Client-based access control

Client-based access control rules define where and how customer data is stored and accessed. We associate personal data with actual people, not abstract entities such as businesses.

Data encryption

Encryption is critical to the protection of data, whether it is in transit or at rest. Pega Cloud employs encryption across all Pega Cloud Environment(s) that meets or exceeds client and regulatory requirements. When data is at rest, AES 256-bit encryption is the standard. For data in transit, Pega Cloud employs TLS 1.2.

Pega maintains a set of documents and white papers that allow our clients to better understand our overall security posture from software development through service/delivery.

Last updated

12/21/2021

N/A

2/23/2022

10/13/2021

3/1/2022

Assessment scope

Pega Cloud AWS, GCP

Pega Cloud AWS, GCP

Pega Cloud AWS

Pega Cloud AWS, GCP

Pega Cloud AWS

Privacy

Use our services to enable you to implement your own privacy and compliance strategies. We continually evolve our platform to provide the features and security measures that you may use to support your security and privacy strategy.

Read Pega's privacy notice

Compliance certifications, attestations, and accessibility

When evaluating the services listed under each compliance standard, note that Pega relies on a common set of controls for the purposes of adherence. These common controls exist across the Pega Platform, the underlying infrastructure, and the operations, administration, and management provided by Pega in Pega Cloud. Pega applications deployed on the Pega Platform inherit these controls, which are attested to in the current scope.

Pega Cloud certifications

APRA

Australia, like other countries, has implemented significant cybersecurity regulations to address the increasing challenges of hacking, fraud, and state-sponsored attacks. Like any other set of rules, these regulations must be assessed by qualified organizations that understand the law and how it is applied in real-world situations. The Information Security Registered Assessors Program is a unique compliance program that attests to the ability of private and public organizations to meet cybersecurity requirements.

Last updated

10/16/2020

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

CSA STAR

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.

Last updated

2/4/2022

2/1/2022

Assessment scope

Pega Cloud AWS

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

Cyber Essentials Plus

Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks.

Last updated

2/4/2022

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings.

Last updated

2/17/2021

Assessment scope

Pega Cloud for Government

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Sales Automation Standard Edition
Predictive Diagnostic Cloud
Co-Browse

*Digital messaging/web messaging, and chat are not supported in Pega Cloud for Government

French HDS

The Hébergeurs de Données de Santé (HDS) certification is required for entities such as cloud service providers that host the personal health data governed by French laws and collected for delivering preventive, diagnostic, and other health services. The HDS regulation was issued by ASIP SANTÉ which, under the French Ministry of Health, is responsible for promoting electronically based healthcare solutions in France.

Last updated

12/1/2021

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

HITRUST

Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework. The HITRUST Risk-based, 2-year (r2) Validated Assessment is globally recognized as a high-level validation showing that an organization successfully manages cyber risk by meeting and exceeding industry-defined and accepted information security requirements. The HITRUST r2 Validated Assessment + Certification is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of quality review, and consistency of oversight.

Last updated

12/14/2021

12/14/2021

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

IL4

The Defense Information Systems Agency (DISA) published the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) that outlines the security model and requirements by which DoD will leverage cloud computing along with the security controls and requirements necessary for using cloud-based solutions. IL4 information covers controlled unclassified information (CUI), non-CUI information, non-critical mission information, and non-national security systems.

Last updated

3/15/2019

Assessment scope

Pega Cloud for Government

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Sales Automation
Predictive Diagnostic Cloud
Co-Browse

*Assessment status applicable if VoiceAI, digital messaging/web messaging are not used

IRAP

The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.

Last updated

7/3/2020

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

ISO 22301

Published by the International Organization for Standardization, ISO 22301 is designed to help organizations prevent, prepare for, respond to, and recover from unexpected and disruptive incidents. To do so, the standard provides a practical framework for setting up and managing an effective business continuity management system. ISO 22301 aims to safeguard an organization from a wide range of potential threats and disruptions.

This standard may be right for your organization if you need to demonstrate to stakeholders that your organization can rapidly overcome operational disruption to provide continued and effective service.

Last updated

11/12/2021

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

ISO 27001

ISO/IEC 27001 is the most widely known standard in the ISO/IEC 27000 family, which contains more than a dozen standards; it provides the requirements for an information security management system (ISMS). Using these standards enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

Last updated

12/1/2021

12/1/2021

Assessment scope

Pega Cloud AWS

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

PCI/DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

Last updated

8/09/2022

8/09/2022

Assessment scope

Pega Cloud AWS

Pega Cloud AWS

Products

Pega Platform
Smart Dispute
Smart Investigate
Pega Foundation for Financial Services

SOC 1

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT general controls and controls around the availability, confidentiality, and security of customer data. SOC 1 reports are primarily concerned with examining controls that are relevant to the financial reporting of customers.

Last updated

3/31/2022

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

SOC 2, Type 2

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT general controls and controls around the availability, confidentiality, and security of customer data. SOC 2 reports cover controls around the security, availability, and confidentiality of customer data.

Last updated

9/30/2021

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
Workforce Intelligence

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

SOC 3

These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2® report. Because they are general-use reports, SOC 3® reports can be freely distributed.

Last updated

9/30/2021

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

TISAX

TISAX is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.

If you want to process sensitive information from your customers or evaluate the information security of your own suppliers, TISAX helps reduce the effort involved.

Last updated

2/1/2022

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

In many cases Pega products have industry-centric frameworks that are not listed as a supported service but are considered included within the associated statement. For example, Pega Customer Service* includes Pega Customer Service for Healthcare.

Laws and regulations

Pega's security, privacy controls and policies allow clients to address a broad range of laws and regulations. Below are some examples:

California Consumer Privacy Act/ California Privacy Rights Act

The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.

On November 3, 2020, the California Privacy Rights Act (“CPRA”) passed. The CPRA amends the CCPA and includes additional privacy protection for consumers. The majority of the CPRA's provisions will enter into effect on January 1, 2023, with a look-back to January 2022.

FDA

Food and Drug Administration (FDA) Code of Federal Regulations (CFR) Title 21. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance, and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow clients to configure their own strategy for compliance with applicable laws.

GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance, and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow clients to configure their own strategy for compliance with applicable laws.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.

Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. We continue to comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce; however, we do not rely on this mechanism for the transfer of EEA or Swiss data.

To learn more about the Privacy Shield program, and about how we comply with the Privacy Shield Principles, please visit our Privacy & Security page here. To view our EU-U.S. and Swiss-U.S. Privacy Shield notice and our certification, please visit https://www.privacyshield.gov.

Resources

Active Participant

Last updated

N/A

Voluntary Product Accessibility Template for Pega v8.7
Voluntary Product Accessibility Template for Pega v8.6
Voluntary Product Accessibility Template for Pega v8.5
Web Content Accessibility Guidelines (WCAG) Overview

Service reliability

Whenever you need us, we’re there – 24/7, 365. Because reliability is the cornerstone of strong service.


Global service operation centers

From Cambridge, Massachusetts and Dulles, Virginia in the US to Sydney, Australia and Bangalore, India, the Pega Cloud global service operation center teams provide around-the-clock, follow-the-sun vulnerability and security management for environments and managed systems.

Complete system monitoring

We monitor for virtual infrastructure component issues and employ monitoring tools in order to get a full view of our network hosting environment. Plus, with Pega Access Manager, you gain a single view of your security model.

Risk & remediation

We handle risk and remediation by focusing on two areas of operational support: platform maintenance and incident response. Maintaining an updated platform is key to ensuring that all known vulnerabilities are patched. Our comprehensive approach to mitigation is designed to minimize the impact of any attempted attack.

"With more than 30 years of experience working with the world’s most respected brands, Pega understands the importance of security. This experience extends to Pega’s products and services that enable Pega to establish long-term partnerships with customers that are built on trust and transparency."

Alan Trefler CEO, Pegasystems