Security standards for Pega Cloud Services
This article is part of the Pega Cloud Services Subscription Documentation.
Pega and the client are both responsible for security in Pega Cloud Services:
- The Client is responsible for the security of, and access to, the Client Application at the application level.
- Pegasystems is responsible for the security of the Client Application and Environments at the infrastructure level.
Note: For Chat, Co-Browse, Workforce Intelligence, and Digital Messaging, the client is responsible for securing sensitive data that could inadvertently be shared. These services all provide field-masking capabilities that allow clients to mask sensitive data such as PHI or PCI, to help meet compliance requirements.
The Pegasystems Security Program outlined in the cloud agreement governs the infrastructure on which the Client environment is built up through the deployed Pega Platform and Pega applications.
- This Pegasystems Security Program infrastructure includes the hardware, software, networking, and facilities that support Pega Cloud Services.
- Pega Cloud Services manages these services on behalf of each Client, from initial provisioning to final decommissioning.
Pegasystems provides transparency about our compliance posture on emerging and established international and local regulations and standards. Pegasystems maintains an extensive set of compliance certifications, attestations, and third party assessments to give our clients confidence in our solutions. For details, see the Pega Trust Center.
Note: Workforce Intelligence undergoes an annual SOC 2, Type 2 audit that reports on the design and operating effectiveness of stated controls. A copy of the Workforce Intelligence SOC 2 report is available to clients upon request.
Technical and Organization Controls
The technical and organizational measures implemented by Pegasystems include:
- Encryption of personal data: Pegasystems encrypts all data at rest in an Environment using 256-bit AES encryption. Pega Cloud Services-hosted web applications provide functionality for data in transit encryption with https (TLS) and digital certificates. Within the Pega Platform, Client can also use Dev Studio to configure secure TLS 1.2 connectivity to their external REST or SOAP services. (Pseudonymisation or anonymization of personal data is the sole responsibility of the Client.)
- Ability to restore availability and access to personal data: Pegasystems shall maintain a commercially reasonable disaster recovery plan, including automatic failover to a like facility to meet the recovery point objective (RPO) and recovery time objective (RTO) parameters published in the Subscription Documentation.
- Notification of incidents: During the term of the Subscription Services, Pegasystems will notify clients without undue delay (unless otherwise required under applicable law) when Pegasystems confirms any actual security incident affecting the confidentiality, integrity or availability of client data at the infrastructure layer. In the event of such a security incident, Pegasystems will cooperate with Client in accordance with the law and regulations applicable to Pegasystems.
- Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures: Pegasystems shall perform a SSAE 18 SOC 2 Type 2 review at least once per calendar year. Pegasystems agrees to perform, or have a qualified third party perform, external penetration tests of Pega Cloud Services and to conduct internal network security vulnerability assessments at least quarterly. Pegasystems shall mitigate any critical or high vulnerabilities discovered during the penetration tests or network security vulnerability assessments.
- Return of data at termination: In the case of termination of the Subscription Services, upon client’s request made within 15 days of the termination date, Pegasystems will provide the client’s data in a Production Environment database backup file encrypted to customary standards. Pegasystems may delete any Client data once provided to Client, or data that is not requested within 15 days from termination of the Subscription Services, unless legally prohibited.
Pega is also responsible for:
- Establishing security group configurations for secure client access.
- Protecting data in transit over the Internet. This is in addition to data security protocols for which clients are responsible.
- Providing host-based virus protection services, scans, and signature updates.
- Monitoring the security of the infrastructure components in each client environment.
- Managing the security of Pega Cloud Services-delivered environments and the Pega Cloud service management systems.
- Providing a dedicated security team that manages compliance, security monitoring, and security event response.
- Accommodating requests for client penetration testing of client applications, as permitted by the Vulnerability Testing Policy.
- Subjecting sandbox environments to hibernation to block threats and conserve energy after two hours of inactivity; environments automatically restart when users return.
Clients are responsible for the Client Rights and Responsibilities, as set forth in the applicable Subscription Documentation, including:
- The development, management, implementation, maintenance, and security of their Pega-Platform-based applications as they build and operate their Pega-based applications beyond the default platform. Several of these responsibilities include, but are not limited to, application and workflow development, data classification, and user administration and entitlement management.
- The security of data in transit between Pega Cloud Services and clients’ external systems using client-selected connectivity method(s) (example: public Internet, virtual private networks (VPNs), etc.).
Physical and environmental controls
Pega Cloud Services uses a third party (currently Amazon Web Services [AWS]) as its Infrastructure-as-a-Service (IaaS) provider, which hosts Pega Cloud Services environments in state-of-the-art, large-scale, secure data centers.
- The IAAS provides the physical and environmental security controls for the cloud infrastructure. Pega Cloud Services inherits these controls as part of the shared security model . See the IAAS provider website for summary of controls with current IAAS provider (currently Amazon Cloud Security).
- Pega Cloud Services provides client support facilities replicated across the globe, from which Pega Cloud Services are monitored and maintained.
- Pega Cloud Services also provides security monitoring capabilities; our engineers proactively develop and implement industry-standard security practices.
- Access to the Pega Cloud Services support facilities is restricted to authorized personnel only. Additionally, Pega Cloud Services provides access controls (detailed in clients’ contracts) as part of the Pega Cloud Services Security Program.
In addition to the physical security, Pega Cloud Services operations has implemented access control measures which:
- restrict access to clients' environments to only those Pega Cloud Services support personnel that have a documented, current business need
- maintain a list of personnel with authorized access
- review and approve access lists quarterly
- remove personnel who no longer require access
All access to data centers and client environments is logged and routinely audited.
All administration of our cloud environments is done through a control plane, using role-based access control with multi-factor authentication.
Network and infrastructure controls
The Pega Cloud Services network architecture provides a level of security that allows each Client to effectively operate the Pega Platform. Pega Cloud Services manages and provides each client with:
- Virtual network devices to establish the boundaries, network rulesets, and access controls to govern inbound and outbound traffic in any client environment.
- Network security controls that limit access from untrusted sources.
- Network architecture that limits the effects of distributed denial-of-service (DDoS) attacks.
- An HTTP/HTTPS Internet gateway that provides access for clients who want connectivity to their Pega Cloud Services environment directly from the Internet.
- An optional secure IPsec virtual private network (VPN) connection point that enables access between the clients' location and the clients' Pega Cloud Services.
- Authentication controls for Pega Cloud Services support personnel supporting client infrastructure. Authorized Pega Cloud Services engineers are required to authenticate to Pega Cloud Services Management tools by using unique user identification credentials and replay-resistant two-factor authentication tokens prior to being granted secure access to the Pega Cloud Services network.
- Continuous monitoring of the infrastructure components in each client environment.
- Pega Cloud Services deploys anti-malware software on the Pegasystems infrastructure level.
- Pega Cloud Services deploys host-based malware services, scans, and signature updates that cannot be disabled or altered by users.
Pega Cloud Services security and compliance teams conduct regular audits and risk assessments of the Pega Cloud Services offering to maintain adequate governance over the entire environment. In addition:
- Pega Cloud Services provides vulnerability and security management for Pega Cloud Services-delivered environments and the Pega Cloud Services management systems.
- Client-led, application-level vulnerability assessment requests, which include penetration testing and other security reviews related to the client applications, can be accommodated according to the Pega Cloud Services Vulnerability Testing Policy.
- At least once per year or when significant changes to the networks are made, Pega Cloud Services conducts an information security risk assessment on current information security controls that affect the confidentiality, integrity, and availability of client data.
Amazon Web Services and the “Powered by Amazon Web Services” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.