Client security responsibilities for Pega Cloud Services
This article is part of the Pega Cloud Services Subscription Documentation.
Client Data Rights and Responsibilities
The rights and responsibilities below will govern clients’ use of the Subscription Services in addition to and in accordance with the terms of clients’ Agreement and an applicable Schedule.
During the term of the Subscription Services, clients will be responsible for the accuracy, integrity and legality of content and data.
- The Client agrees to notify Pegasystems of specific data domiciling or regulatory requirements, such as U.S. or EU-only data storage or Business Associate Agreements.
- The Client agrees to be responsible for the classification and use of the data they collect, including:
  - Data minimization and retention
  - Data use limitation
  - Data quality and content integrity
- The Client agrees to create and protect security credentials related to Client’s use of the Subscription Services.
- The Client agrees to notify Pegasystems without undue delay if it becomes aware of a data security incident at the application layer.
- The Client agrees to be responsible for third-party data flows that the Client integrates with and into the Environments.
Clients must not:
- include Protected Health Information in a Pega Cloud Services Production Environment unless identified in the applicable Schedule. In this case, clients must use the Pega Cloud Services HIPAA Edition.
- use regulated data in their Pega Cloud Services environment unless identified in the applicable Schedule.
- use regulated data or other personally identifiable data in a non-Production Environment.
- include regulated data in the Client Application log files.
If the client wishes to retrieve their data after termination of the Subscription Services, they must make a request within 15 days from the termination date. Pegasystems will then provide Client’s data in a Production Environment database backup file encrypted to customary standards. Pegasystems may delete any client data once it has been provided to Client, or any client data that is not requested within 15 days from termination of the Subscription Services, unless legally prohibited.
Client privacy and security responsibilities
Clients agree to maintain certain controls in their Pega Cloud Services environments, which complement the controls in Pega Cloud Services.
Clients must agree to:
- Comply with the Pega Cloud Acceptable Use Policy.
- Establish, manage, monitor, and otherwise control all application user accounts and privileges within their developed applications.
- Be responsible for the accuracy, classification, quality, integrity, and legality of the Client’s applications, content, and stored data, and for the quality, configuration, and performance of the Client applications.
- Make reasonable efforts to prevent unauthorized access to or use of the subscription, and notify Pegasystems promptly of any such unauthorized access or use.
- Report issues and incidents to Pega Cloud Services, and follow up on the status of those issues to ensure that they are resolved.
- Monitor the security of the developed application by using Pega Platform tools.