Client responsibilities for Pega Cloud Services

This content applies only to Cloud environments.

This article is part of the Pega Cloud Services Subscription Documentation.

Client Data Rights and Responsibilities

Clients must agree to comply with the Pega Cloud Acceptable Use Policy.

The below rights and responsibilities will govern clients’ use of the Subscription Services in addition to and in accordance with the terms of clients’ Agreement and an applicable Schedule.

During the term of the Subscription Services, Client will:

  • Notify Pegasystems of specific data domiciling or regulatory requirements, such as U.S. or EU-only data storage or Business Associate Agreements;
  • Be responsible for the accuracy, integrity and legality of content and data;
  • Be responsible for the classification and use of the application data they collect, including:
    • Data minimization and retention
    • Data use limitation
    • Data quality and content integrity
  • Be responsible for configuring a Guardrail Compliant Client Application;    
  • Be responsible for verifying that the application design for Client application adheres to performance best practices, by utilizing Pega Predictive Diagnostic Cloud (PDC) and adopting performance recommendations;     
  • Be responsible for any third-party software, tool, library or component that is installed and/or used by or on behalf of the Client in any Environment in connection with the Subscription Services;
  • Not include Protected Health Information (PHI) in a Production Environment unless using Pega Cloud HIPAA/HITECH Edition;
  • Not include Personally-Identifiable Information (PII) in a Production Environment unless identified in the Schedule to the Agreement;
  • Not include confidential or sensitive data in the Client Application log files; 
  • Create and protect security credentials related to Client’s use of the Subscription Services;
  • Notify Pega within twenty-four (24) hours if it becomes aware of any actual or alleged data security incident at the application layer;
  • Be responsible for third party data flows that the Client integrates with and into the Environments;
  • Agree that Pega will update and upgrade client environments and Pega applications. Any extensions will be resolved in a timely fashion;
  • Use security best practices as described in the Security Checklist, if clients elect to move private or confidential data to non-production environments.  Note:  It is not best practice to move private or confidential client data to non-production environments. 

For additional information on accomplishing these tasks, see the below articles, which are not part of the Pega Cloud Services Subscription Documentation:


Client privacy and security responsibilities

Clients agree to maintain certain controls in their Pega Cloud Services environments, which complement the controls in Pega Cloud Services. 

Clients must agree to:

  • Establish, manage, monitor, and otherwise control all application user accounts and privileges within their developed applications.
  • Report issues and incidents to Pega Cloud Services, and follow  up on the status of those issues to ensure that they are resolved.
  • Configure appropriate security controls in their application, and monitor the security of the developed application by using Pega Platform tools. 
  • Configure appropriate masking for fields where customer data is private or confidential (where applicable and based on client security policies). 

For additional information on accomplishing these tasks, see the below articles, which are not part of the Pega Cloud Services Subscription Documentation: