Client Data Rights and Responsibilities for Pega Cloud GCP Early Access Program
This content applies only to Pega Cloud environments
This article is part of the Pega Cloud GCP Early Access Subscription Documentation.
Clients must agree to comply with the Pega Cloud Acceptable Use Policy.
The below rights and responsibilities will govern clients’ use of the Subscription Services in addition to and in accordance with the terms of clients’ Agreement and an applicable Schedule.
During the term of the Subscription Services, Client will:
- Notify Pegasystems of specific data domiciling or regulatory requirements, such as U.S. or EU-only data storage or Business Associate Agreements;
- Be responsible for the accuracy, integrity and legality of content and data;
- Be responsible for the classification and use of the application data they collect, including:
  - Data minimization and retention
  - Data use limitation
  - Data quality and content integrity
- Be responsible for configuring a Guardrail Compliant Client Application;
- Be responsible for verifying that the application design for Client application adheres to performance best practices, by utilizing Pega Predictive Diagnostic Cloud (PDC) and adopting performance recommendations;
- Be responsible for any third-party software, tool, library or component that is installed and/or used by or on behalf of the Client in any Environment in connection with the Subscription Services;
- Not include Protected Health Information (PHI) in a Production Environment;
- Not include Personally-Identifiable Information (PII) in a Production Environment unless identified in the Schedule to the Agreement;
- Not include confidential or sensitive data in the Client Application log files;
- Create and protect security credentials related to Client’s use of the Subscription Services;
- Notify Pega within twenty-four (24) hours if it becomes aware of any actual or alleged data security incident at the application layer;
- Be responsible for third party data flows that the Client integrates with and into the Environments;
- Agree that Pega will update Pega software to stay current on Pega’s latest generally-available release;
- Acknowledge that Pega stores names and email addresses for client-identified named contacts who may contact Pega Support. If Client has regional or industry requirements that prohibit client’s PII as it relates to the names and email addresses of their staff’s assigned contacts in Pega’s My Support Portal (MSP), it is the Client’s responsibility to register anonymous names and email addresses for these named contacts. It is then Client’s additional responsibility to manage internal routing of these anonymous emails to their named staff.
- If Client elects to move private or confidential data to non-production environments (sandbox or non-production mirror sandbox), Client will be mindful of security best practices as described in the Security Checklist.
For additional information on accomplishing these tasks, see the below articles, which are not part of the Pega Cloud Subscription Documentation:
- Software Update and Extended Support Policy
- Adding the Check guardrail compliance score task
- Utilizing Pega Predictive Diagnostic Cloud
- The Security Checklist
In addition, clients agree to maintain certain controls in their Pega Cloud environments, which complement the controls in Pega Cloud.
Clients must agree to:
- Establish, manage, monitor, and otherwise control all application user accounts and privileges within their developed applications.
- Report issues and incidents to Pega Cloud, and follow up on the status of those issues to ensure that they are resolved.
- Configure appropriate security controls in their application, and monitor the security of the developed application by using Pega Platform tools.
- Configure appropriate masking for fields where customer data is private or confidential (where applicable and based on client security policies).
For additional information on accomplishing these tasks, see the below articles, which are not part of the Pega Cloud Subscription Documentation: