Pega Trust Center
Secure. Reliable. Compliant. Pega Cloud empowers the world’s biggest brands to meet – and exceed – the challenges of today and tomorrow. Learn how.Security
Our security policies provide a framework for safeguarding against unauthorized access and preventing/mitigating attacks that compromise performance and availability.
Authorization & access
Manage user and system data access with role-based controls to Pega Cloud Environment(s). Simplify native identity access management and integration with leading single sign-on technologies, including SAML, OAuth, and Active Directory.
Network protection
Our network architecture is designed to meet a range of security control requirements. Gain secure operation of your Pega Cloud Environment(s) isolated from fellow Pega clients and internal services thanks to our network rulesets and access controls.
Secure system integration
We offer multiple secure and private ways for Pega Cloud Environment(s) to integrate with systems in enterprise environments.
Client-based access control
Client-based access control rules define where and how customer data is stored and accessed. We associate personal data with actual people, not abstract entities such as businesses.
Data encryption
Encryption is critical to the protection of data whether it is in transit or at rest. Pega Cloud employs encryption across all Pega Cloud Environment(s) that meet or exceed client and regulatory requirements. When data is at rest, AES 256-bit encryption is the standard. For data in transit, Pega Cloud employs TLS 1.2.
Pega maintains a set of documents and white papers that allow our clients to better understand our overall security posture from software development through service/delivery.
Resources
Last updated
12/21/2021
N/A
2/23/2022
10/13/2021
3/1/2022
Assessment scope
Pega Cloud AWS, GCP
Pega Cloud AWS, GCP
Pega Cloud AWS
Pega Cloud AWS, GCP
Pega Cloud AWS
Privacy
Use our services to enable you to implement your own privacy and compliance strategies. We continually evolve our platform to provide the features and security measures that you may use to support your security and privacy strategy.
Read Pega's privacy noticeCompliance certifications, attestations, and accessibility
When evaluating the services listed under each compliance standard it should be noted that Pega relies on a common set of controls for the purposes of adherence. These common controls exist across the Pega Platform, the underlying infrastructure, and the operations, administration and management provided by Pega in Pega Cloud. Pega applications deployed within/on the Pega Platform inherit these controls which are attested to in the current scope
Pega Cloud certifications
APRA
Australia, like other countries, has implemented significant cybersecurity and regulations to address the increasing challenges of hacking, fraud, and state-sponsored attacks. Like any other set of rules, qualified organizations must assess these regulations that can understand the law and how it is applied in real-world situations. The Information Security Registered Assessors Program is a unique compliance program that attests to the ability of private and public organizations to meet cybersecurity requirements.
Last updated (YYYY-MM-DD)
2020-10-16
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
CSA STAR
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.
STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.
Last updated (YYYY-MM-DD)
2022-02-04
2022-02-01
Assessment scope
Pega Cloud AWS
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
Cyber Essentials
Cyber Essentials is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks.
Last updated (YYYY-MM-DD)
2022-02-04
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings
Resources
Last updated (YYYY-MM-DD)
2021-02-17
Assessment scope
Pega Cloud for Government
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Sales Automation Standard Edition
Predictive Diagnostic Cloud
Co-Browse
*Digital messaging/web messaging, and chat are not supported in Pega Cloud for Government
French HDS
The Hébergeurs de Données de Santé (HDS) certification is required for entities such as cloud service providers that host the personal health data governed by French laws and collected for delivering preventive, diagnostic, and other health services. The HDS regulation was issued by ASIP SANTÉ which, under the French Ministry of Health, is responsible for promoting electronically based healthcare solutions in France.
Resources
Last updated (YYYY-MM-DD)
2022-09-06
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
HITRUST
Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework. The HITRUST Risk-based, 2-year (r2) Validated Assessment is globally recognized as a high-level validation showing that an organization successfully manages cyber risk by meeting and exceeding industry-defined and accepted information security requirements. The HITRUST r2 Validated Assessment + Certification is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of quality review, and consistency of oversight.
Last updated (YYYY-MM-DD)
2021-12-14
2021-12-14
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
IL4
The Defense Information Systems Agency (DISA) published the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) that outlines the security model and requirements by which DoD will leverage cloud computing along with the security controls and requirements necessary for using cloud-based solutions. IL4 information covers controlled unclassified information (CUI), non-CUI information, non-critical mission information, and non-national security systems.
Resources
Last updated (YYYY-MM-DD)
2019-03-15
Assessment scope
Pega Cloud for Government
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Sales Automation
Predictive Diagnostic Cloud
Co-Browse
*Assessment status applicable if VoiceAI, digital messaging/web messaging are not used
IRAP
The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.
Resources
Last updated (YYYY-MM-DD)
2020-07-03
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
ISO 22301
Published by the International Organization for Standardization, ISO 22301 is designed to help organizations prevent, prepare for, respond to and recover from unexpected and disruptive incidents. To do so, the standard provides a practical framework for setting up and managing an effective business continuity management system. ISO 22301 aims to safeguard an organization from a wide range of potential threats and disruptions.
This standard may be right for your organization if you need to demonstrate to stakeholders that your organization can rapidly overcome operational disruption to provide continued and effective service.
Last updated (YYYY-MM-DD)
2022-10-20
2022-12-15
Assessment scope
Pega Cloud AWS
Pega Corporate
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
ISO 27001
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
Resources
Pega Cloud ISO 27001 Certificate #1745248-7
Pega Cloud ISO 27001 Certificate #1745248-6 (external certificate)
Last updated (YYYY-MM-DD)
2022-10-13
2022-10-13
2023-01-24
Assessment scope
Pega Cloud AWS
Pega Cloud AWS
Pega Corporate
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if Co-Browse and legacy Chat are not used
PCI/DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
Last updated (YYYY-MM-DD)
2022-08-09
2022-08-09
Assessment scope
Pega Cloud AWS
Pega Cloud AWS
Products
Pega Platform
Smart Dispute
Smart Investigate
Pega Foundation for Financial Services
SOC 1
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 1 reports are primarily concerned with examining controls that are relevant for the financial reporting of customers
Resources
Last updated (YYYY-MM-DD)
2022-03-31
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
SOC 2, Type 2
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.
Resources
Last updated (YYYY-MM-DD)
2021-09-30
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
Workforce Intelligence
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
SOC 3
These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report. Because they are general use reports, SOC 3® reports can be freely distributed.
Resources
Last updated (YYYY-MM-DD)
2021-09-30
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
TISAX
TISAX is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.
If you want to process sensitive information from your customers or evaluate the information security of your own suppliers, TISAX supports you in reducing efforts.
Resources
Last updated (YYYY-MM-DD)
2022-02-01
Assessment scope
Pega Cloud AWS
Products
Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used
In many cases Pega products have industry centric frameworks that will not be listed as a supported service but are considered included within the associated statement. For example, Pega Customer Service*, includes Pega Customer Service for Healthcare.
Laws and regulations
Pega's security, privacy controls and policies allow clients to address a broad range of laws and regulations. Below are some examples:
California Consumer Privacy Act/ California Privacy Rights Act
The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.
On November 3, 2020, the California Privacy Rights Act (“CPRA”) passed. The CPRA amends the CCPA and includes additional privacy protection for consumers. The majority of CPRAs provisions will enter into effect on January 1, 2023, with a look-back to January, 2022.
FDA
Food Drug Administration CFR Title 21. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.
GDPR
The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.
Data Privacy Framework
The EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively developed in furtherance of transatlantic commerce by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.
The effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 10, 2023, which is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.
Effective as of July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. The data bridge will enable the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law
To learn more about the Data Privacy Framework program, and how we comply with the Data Privacy Framework, please visit our Privacy & Security page here. To view our Data Privacy Framework notice and to view our participation, please visit https://www.dataprivacyframework.gov/s/
Resources
N/A
Last updated
7/31/2023
Accessibility
Read our accessibility statementService reliability
Whenever you need us, we’re there – 24/7, 365. Because reliability is the cornerstone of strong service.
Global service operation centers
From Cambridge, Massachusetts and Dulles, Virginia in the US to Sydney, Australia and Bangalore, India, the Pega Cloud global service operation center teams provide around-the-clock and follow the sun vulnerability and security management for environments and managed systems.
Complete system monitoring
We monitor for virtual infrastructure component issues and employ monitoring tools in order to get a full view of our network hosting environment. Plus, with Pega Access Manager, you gain a single view of your security model.
Risk & remediation
We handle risk and remediation by focusing on two areas of operational support: platform maintenance and incident response. Maintaining an updated platform is key to ensure all known vulnerabilities are patched. Our comprehensive approach to mitigation is designed to minimize the impact of any attempted attack.
"With more than 30 years of experience working with the world’s most respected brands, Pega understands the importance of security. This experience extends to Pega’s products and services that enable Pega to establish long-term partnerships with customers that are built on trust and transparency."