Security standards for Pega Cloud

This article is part of the Pega Cloud Subscription Documentation.

Pega and the client are both responsible for security in Pega Cloud:

• The Client is responsible for the security of, and access to, the Client Application at the application level.
• Pega is responsible for the security of the Client Application and Environments at the infrastructure level. 

Note: For Legacy Web Chat (formerly Pega Chat), Co-Browse, Workforce Intelligence, Digital Messaging, and Voice AI, the client is responsible for securing sensitive data that could inadvertently be shared.  All these services, except for Voice AI, provide field-masking capabilities that allow clients to mask sensitive data such as PHI or PCI, to support their own compliance strategy.

The Pega Security Program outlined in the cloud agreement governs the infrastructure on which the client Environment is built up through the deployed Pega Platform and Pega applications.

• This Pega Security Program infrastructure includes the hardware, software, networking, and facilities that support Pega Cloud.
•  Pega Cloud manages these services on behalf of each Client, from initial provisioning to final decommissioning.

Compliance

Pega provides transparency about our compliance posture on emerging and established international and local regulations and standards. Pega maintains an extensive set of compliance certifications, attestations, and third party assessments to give our clients  confidence in our solutions.  For details, see the Pega Trust Center.

Technical and Organization Controls

The technical and organizational measures implemented by Pega include:

• Encryption of personal data:  Pega encrypts all data at rest in an Environment using 256-bit AES encryption.  Pega Cloud-hosted web applications provide functionality for data in transit encryption with https (TLS) and digital certificates.  Within the Pega Platform, Client can also use Dev Studio to configure secure TLS 1.2 connectivity to their external REST or SOAP services.  (Pseudonymisation or anonymization of personal data is the sole responsibility of the Client.)

• Ability to restore availability and access to personal data:  Pega shall maintain a commercially reasonable disaster recovery plan, including automatic failover to a like facility to meet the recovery point objective (RPO) and recovery time objective (RTO) parameters published in the Subscription Documentation.

• Notification of incidents:  During the term of the Subscription Services, Pega will notify clients without undue delay (unless otherwise required under applicable law) when Pega confirms any actual security incident affecting the confidentiality, integrity or availability of client data at the infrastructure layer.  In the event of such a security incident, Pega will cooperate with Client in accordance with the law and regulations applicable to Pega.

• Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures:  Pega regularly reviews global industry standards for various compliance certifications, and performs high-level organizational and technical reviews at least once per calendar year, for products which are already-GA'd before the audit cycle begins.  New products or services which were not GA’d before the audit cycle begins may not be included until the next review cycle.  For details on Pega’s trust certifications, see the Pega Trust Center.

• Pega agrees to perform, or have a qualified third party perform, external penetration tests of Pega Cloud and to conduct internal network security vulnerability assessments at least quarterly. Pega shall mitigate any critical or high vulnerabilities discovered during the penetration tests or network security vulnerability assessments.

Pega is also responsible for:

• Establishing security group configurations for secure client access.
• Protecting data in transit over the Internet.  This is in addition to data security protocols for which clients are responsible.
• Providing host-based virus protection services, scans, and signature updates for pega Cloud.
• Monitoring the security of the infrastructure components in each client Environment.
• Managing the security of Pega Cloud-delivered Environments and the Pega Cloud service management systems.
• Providing a dedicated security team that manages compliance, security monitoring, and security event response.
• Accommodating requests for client penetration testing of client applications, as permitted by the Vulnerability Testing Policy.
• Subjecting sandbox Environments to hibernation to block threats and conserve energy after two hours of inactivity; Environments automatically restart when users return.

Clients are responsible for the Client Data Responsibilities, as set forth in the applicable Subscription Documentation, including:

• The development, management, implementation, maintenance, and security of their Pega-Platform-based applications as they build and operate their Pega-based applications beyond the default platform. Several of these responsibilities include, but are not limited to, application and workflow development, data classification, and user administration and entitlement management.

• The security of data in transit between Pega Cloud and clients’ external systems using client-selected and Pega-supported connectivity method(s) (either public Internet or private connectivity options).

Physical and Environmental controls

Pega Cloud uses third parties as its Infrastructure-as-a-Service (IaaS) providers (see supported regions for providers), which host Pega Cloud Environments in state-of-the-art, large-scale, secure data centers.

• The IAAS provides the physical and Environmental security controls for the cloud infrastructure. Pega Cloud inherits these controls as part of the shared security model . See the IAAS provider website for summary of controls available through that IAAS provider, based on your Deployment Region(s)

• Pega Cloud provides client support facilities replicated across the globe, from which Pega Cloud are monitored and maintained.

• Pega Cloud also provides security monitoring capabilities; our engineers proactively develop and implement industry-standard security practices.

• Access to the Pega Cloud support facilities is restricted to authorized personnel only.  Additionally, Pega Cloud provides access controls (detailed in clients’ contracts) as part of the Pega Cloud Security Program.

Access Controls

In addition to the physical security, Pega Cloud operations has implemented access control measures which:

• restrict access to clients' Environments to only those Pega Cloud support personnel that have a documented, current business need
• maintain a list of personnel with authorized access
• review and approve access lists quarterly
• remove personnel who no longer require access

All access to data centers and client Environments is logged and routinely audited.

All administration of our cloud Environments is done through a control plane, using role-based access control with multi-factor authentication.

Network and infrastructure controls

The Pega Cloud network architecture provides a level of security that allows each Client to effectively operate the Pega Platform. Pega Cloud manages and provides each client with:

• Virtual network devices to establish the boundaries, network rulesets, and access controls to govern inbound and outbound traffic in any client Environment.
• Network security controls that limit access from untrusted sources.
• Protection against distributed denial-of-service (DDoS) attacks.
• An HTTPS Internet gateway that provides access for clients who want connectivity to their Pega Cloud Environment directly from the Internet.
• Support for optional private connectivity capabilities as described in our Pega Cloud connectivity options articles. (These articles are additional Pega Cloud information which is not part of the Pega Cloud Subscription Documentation.)
• Authentication controls for Pega Cloud support personnel supporting client infrastructure. Authorized Pega Cloud engineers are required to authenticate to Pega Cloud Management tools by using unique user identification credentials and replay-resistant two-factor authentication tokens prior to being granted secure access to the Pega Cloud network.
• Continuous monitoring of the infrastructure components in each client Environment.

Malware protection

• Pega Cloud deploys anti-malware software on the Pega infrastructure level.
• Pega Cloud deploys host-based malware services, scans, and signature updates that cannot be disabled or altered by users.

Risk management

Pega Cloud security and compliance teams conduct regular audits and risk assessments of the Pega Cloud offering to maintain adequate governance over the entire Environment. In addition:

• Pega Cloud provides vulnerability and security management for Pega Cloud-delivered Environments and the Pega Cloud management systems.
• Client-led, application-level vulnerability assessment requests, which include penetration testing and other security reviews related to the client applications, can be accommodated according to the Vulnerability testing policy for applications on Pega Cloud.
• At least once per year or when significant changes to the networks are made, Pega Cloud conducts an information security risk assessment on current information security controls that affect the confidentiality, integrity, and availability of client data.