Pega Trust Center

Secure. Reliable. Compliant. Pega Cloud empowers the world’s biggest brands to meet – and exceed – the challenges of today and tomorrow. Learn how.

Security

Our security policies provide a framework for safeguarding against unauthorized access and preventing/mitigating attacks that compromise performance and availability.

View security bulletins

Authorization & access

Manage user and system access to data in your Pega Cloud Environment(s) with role-based controls. Pega's native identity and access management integrates with leading single sign-on technologies, including SAML, OAuth, and Active Directory.

Network protection

Our network architecture is designed to meet a range of security control requirements. Network rulesets and access controls isolate your Pega Cloud Environment(s) from other Pega clients and from Pega's internal services.

Secure system integration

We offer multiple secure and private ways for Pega Cloud Environment(s) to integrate with systems in enterprise environments.

Client-based access control

Client-based access control rules define where and how customer data is stored and accessed. We associate personal data with actual people, not abstract entities such as businesses.

Data encryption

Encryption is critical to the protection of data, whether it is in transit or at rest. Pega Cloud employs encryption across all Pega Cloud Environment(s) that meets or exceeds client and regulatory requirements. When data is at rest, AES 256-bit encryption is the standard. For data in transit, Pega Cloud employs TLS 1.2.


Pega maintains a set of documents and white papers that allow our clients to better understand our overall security posture from software development through service/delivery.

Last updated    Assessment scope
12/21/2021      Pega Cloud AWS, GCP
N/A             Pega Cloud AWS, GCP
2/23/2022       Pega Cloud AWS
10/13/2021      Pega Cloud AWS, GCP
3/1/2022        Pega Cloud AWS

Privacy

Use our services to enable you to implement your own privacy and compliance strategies. We continually evolve our platform to provide the features and security measures that you may use to support your security and privacy strategy.

Read Pega's privacy notice

Compliance certifications, attestations, and accessibility

When evaluating the services listed under each compliance standard, it should be noted that Pega relies on a common set of controls for the purposes of adherence. These common controls exist across the Pega Platform, the underlying infrastructure, and the operations, administration, and management provided by Pega in Pega Cloud. Pega applications deployed on the Pega Platform inherit these controls, which are attested to in the current scope.

Pega Cloud certifications


APRA

Australia, like other countries, has implemented significant cybersecurity regulations to address the increasing challenges of hacking, fraud, and state-sponsored attacks. Like any other set of rules, these regulations must be assessed by qualified organizations that understand the law and how it is applied in real-world situations. The Information Security Registered Assessors Program is a compliance program that attests to the ability of private and public organizations to meet cybersecurity requirements.

Last updated (YYYY-MM-DD)

2020-10-16

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used


CSA STAR

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.

Last updated (YYYY-MM-DD)    Assessment scope
2022-02-04                   Pega Cloud AWS
2022-02-01                   Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

Cyber Essentials

Cyber Essentials is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks.

Last updated (YYYY-MM-DD)

2024-01-24

Assessment scope

Pega Cloud AWS & GCP

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

Cyber Essentials Plus

Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme introduced in the UK to help organizations demonstrate operational security against common cyber-attacks. It builds upon the Cyber Essentials certification by incorporating independent verification of technical controls.

Last updated (YYYY-MM-DD)

2024-02-06

Assessment scope

Pega Cloud AWS & GCP

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

ENS

The Esquema Nacional de Seguridad (ENS) is the Spanish National Security Framework. It is a set of security requirements and guidelines that are mandatory for all organizations that handle sensitive information on behalf of the Spanish government. The ENS is based on the principles of confidentiality, integrity, availability, and accountability. It is designed to protect sensitive information from unauthorized access, modification, or disclosure, and to ensure that it can be used only for authorized purposes.

Last updated (YYYY-MM-DD)

2023-11-24

Assessment Scope

Pega Cloud AWS & GCP

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used


FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings.

Last updated (YYYY-MM-DD)

2021-02-17

Assessment scope

Pega Cloud for Government

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Sales Automation Standard Edition
Predictive Diagnostic Cloud
Co-Browse

*Digital messaging/web messaging, and chat are not supported in Pega Cloud for Government

French HDS

The Hébergeurs de Données de Santé (HDS) certification is required for entities such as cloud service providers that host the personal health data governed by French laws and collected for delivering preventive, diagnostic, and other health services. The HDS regulation was issued by ASIP SANTÉ which, under the French Ministry of Health, is responsible for promoting electronically based healthcare solutions in France.

Last updated (YYYY-MM-DD)

2022-09-06

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used


HITRUST

Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework. The HITRUST Risk-based, 2-year (r2) Validated Assessment is globally recognized as a high-level validation showing that an organization successfully manages cyber risk by meeting and exceeding industry-defined and accepted information security requirements. The HITRUST r2 Validated Assessment + Certification is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of quality review, and consistency of oversight.

Last updated (YYYY-MM-DD)

2023-12-04

2023-12-04

Assessment scope

Pega Cloud AWS & Pega Cloud GCP

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used


IL4

The Defense Information Systems Agency (DISA) published the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) that outlines the security model and requirements by which DoD will leverage cloud computing along with the security controls and requirements necessary for using cloud-based solutions. IL4 information covers controlled unclassified information (CUI), non-CUI information, non-critical mission information, and non-national security systems.

Last updated (YYYY-MM-DD)

2019-03-15

Assessment scope

Pega Cloud for Government

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Sales Automation
Predictive Diagnostic Cloud
Co-Browse

*Assessment status applicable if VoiceAI and digital messaging/web messaging are not used


IRAP

The Infosec Registered Assessors Program (IRAP) ensures entities can access high-quality security assessment services.

Last updated (YYYY-MM-DD)

2020-07-03

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

ISO 22301

Published by the International Organization for Standardization, ISO 22301 is designed to help organizations prevent, prepare for, respond to and recover from unexpected and disruptive incidents. To do so, the standard provides a practical framework for setting up and managing an effective business continuity management system. ISO 22301 aims to safeguard an organization from a wide range of potential threats and disruptions.

This standard may be right for your organization if you need to demonstrate to stakeholders that your organization can rapidly overcome operational disruption to provide continued and effective service.

Last updated (YYYY-MM-DD)    Assessment scope
2023-12-06                   Pega Cloud AWS
2023-12-04                   Pega Corporate

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

ISO 27001

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.

Last updated (YYYY-MM-DD)    Assessment scope
2023-06-15                   Pega Cloud AWS & GCP
2022-10-13                   Pega Cloud AWS
2023-01-24                   Pega Corporate

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if Co-Browse and legacy Chat are not used


PCI/DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

Last updated (YYYY-MM-DD)    Assessment scope
2023-08-18                   Pega Cloud AWS
2023-08-18                   Pega Cloud AWS

Products

Pega Platform
Smart Dispute
Smart Investigate
Pega Foundation for Financial Services


SOC 1

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT general controls and controls around availability, confidentiality, and security of customer data. SOC 1 reports are primarily concerned with examining controls that are relevant to the financial reporting of customers.

Last updated (YYYY-MM-DD)

2022-03-31

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used


SOC 2, Type 2

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.

Last updated (YYYY-MM-DD)

2021-09-30

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud
Workforce Intelligence

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used


SOC 3

These reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy, but who do not have the need for, or the knowledge necessary to make effective use of, a SOC 2® report. Because they are general-use reports, SOC 3® reports can be freely distributed.

Last updated (YYYY-MM-DD)

2021-09-30

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used


TISAX

TISAX is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants.

If you want to process sensitive information from your customers or evaluate the information security of your own suppliers, TISAX supports you in reducing efforts.

Last updated (YYYY-MM-DD)

2022-02-01

Assessment scope

Pega Cloud AWS

Products

Pega Platform
Pega Customer Service Case Management Edition*
Pega Customer Service Enterprise Edition*
Pega Customer Decision Hub
Pega Sales Automation
Pega Cloud SFTP Service
Predictive Diagnostic Cloud

*Assessment status applicable if VoiceAI, digital messaging/web messaging, and Co-Browse are not used

In many cases Pega products have industry centric frameworks that will not be listed as a supported service but are considered included within the associated statement. For example, Pega Customer Service*, includes Pega Customer Service for Healthcare.

Laws and regulations

Pega's security, privacy controls and policies allow clients to address a broad range of laws and regulations. Below are some examples:


California Consumer Privacy Act/ California Privacy Rights Act

The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.

On November 3, 2020, the California Privacy Rights Act (CPRA) passed. The CPRA amends the CCPA and includes additional privacy protections for consumers. The majority of the CPRA's provisions entered into effect on January 1, 2023, with a look-back to January 2022.


FDA

Food and Drug Administration regulations, Code of Federal Regulations Title 21 (21 CFR). Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance, and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow clients to configure their own strategy for compliance with applicable laws.


GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance, and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow clients to configure their own strategy for compliance with applicable laws.


HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. Adherence to applicable laws is a shared responsibility. Pega provides relevant security controls, guidance and feature capabilities that allow our clients to adhere to laws. Pega is designed to allow Clients to configure their own strategy for compliance with applicable laws.

Data Privacy Framework

The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were respectively developed in furtherance of transatlantic commerce by the U.S. Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.
 
The effective date of the EU-U.S. DPF Principles, including the Supplemental Principles and Annex I of the Principles is July 10, 2023, which is the date of entry into force of the European Commission’s adequacy decision for the EU-U.S. DPF. The adequacy decision enables the transfer of EU personal data to participating organizations consistent with EU law.

Effective as of July 17, 2023, eligible organizations in the United States that wish to self-certify their compliance pursuant to the UK Extension to the EU-U.S. DPF may do so; however, personal data cannot be received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF before the date that the adequacy regulations implementing the data bridge for the UK Extension to the EU-U.S. DPF enter into force. The data bridge will enable the transfer of UK and Gibraltar personal data to participating organizations consistent with UK law.

To learn more about the Data Privacy Framework program, and how we comply with the Data Privacy Framework, please visit our Privacy & Security page here. To view our Data Privacy Framework notice and to view our participation, please visit https://www.dataprivacyframework.gov/s/

Accessibility resources

Last updated: 7/31/2023

Voluntary Product Accessibility Templates for Pega Customer Service v8.8
Voluntary Product Accessibility Template for Pega v8.7
Web Content Accessibility Guidelines (WCAG) Overview

Service reliability

Whenever you need us, we’re there – 24/7, 365. Because reliability is the cornerstone of strong service.

Real-time system status: View all systems status

Global service operation centers

From Cambridge, Massachusetts and Dulles, Virginia in the US to Sydney, Australia and Bangalore, India, the Pega Cloud global service operation center teams provide around-the-clock, follow-the-sun vulnerability and security management for environments and managed systems.

Complete system monitoring

We monitor for virtual infrastructure component issues and employ monitoring tools in order to get a full view of our network hosting environment. Plus, with Pega Access Manager, you gain a single view of your security model.

Risk & remediation

We handle risk and remediation by focusing on two areas of operational support: platform maintenance and incident response. Maintaining an updated platform is key to ensuring that all known vulnerabilities are patched. Our comprehensive approach to mitigation is designed to minimize the impact of any attempted attack.

"With more than 30 years of experience working with the world’s most respected brands, Pega understands the importance of security. This experience extends to Pega’s products and services that enable Pega to establish long-term partnerships with customers that are built on trust and transparency."
