Client Data Responsibilities for Pega Cloud

This article is part of the Pega Cloud Subscription Documentation.

Clients must agree to comply with the Pega Cloud Acceptable Use Policy.

The below rights and responsibilities will govern clients’ use of the Subscription Services in addition to and in accordance with the terms of clients’ Agreement and an applicable Schedule.

During the term of the Subscription Services, Client must agree to comply with the following:

Data Responsibilities

• Notify Pega of specific data domiciling or regulatory requirements, such as U.S. or EU-only data storage or Business Associate Agreements;
• Be responsible for the accuracy, integrity and legality of content and data;
• Be responsible for the classification and use of the application data they collect, including:
  • Data minimization and retention
  • Data use limitation
  • Data quality and content integrity
• Not include Protected Health Information (PHI) in a Production Environment unless using Pega Cloud HIPAA/HITECH Edition;
• Not include Personally-Identifiable Information (PII) in a Production Environment unless identified in the Schedule to the Agreement;
• Not include confidential or sensitive data in the Client Application log files; 
• Acknowledge that Pega stores names and email addresses for client-identified named contacts who may contact Pega Support.  If Client has regional or industry requirements that prohibit client’s PII as it relates to the names and email addresses of their staff’s assigned contacts in Pega’s My Support Portal (MSP), it is the Client’s responsibility to register anonymous names and email address for these named contacts.  It is then Client’s additional responsibility to manage internal routing of these anonymous emails to their named staff.
• If Client elects to move private or confidential data to non-production environments (sandbox or non-production mirror sandbox), Client will be mindful of security best practices as described in the Security Checklist.

• Create and protect security credentials related to Client’s use of the Subscription Services;
• Notify Pega within twenty-four (24) hours if it becomes aware of any actual or alleged data security incident at the application layer;
• Establish, manage, monitor, and otherwise control all application user accounts and privileges within their developed applications.
• Report issues and incidents to Pega Cloud, and follow  up on the status of those issues to ensure that they are resolved.
• Configure appropriate security controls in their application, and monitor the security of the developed application by using Pega Platform tools. 
• Configure appropriate masking for fields where customer data is private or confidential (where applicable and based on client security policies). 

For additional information on accomplishing these tasks, see the below articles, which are not part of the Pega Cloud Subscription Documentation:

• Assessing your application using the Security Checklist
• The Security Checklist
• Mask or hide sensitive customer information in Configuring Pega Co-Browse
• Encrypting application data

Application Responsibilities

• Be responsible for configuring a Guardrail Compliant Client Application;    
• Be responsible for verifying that the application design for Client application adheres to performance best practices, by utilizing Pega Predictive Diagnostic Cloud (PDC) and adopting performance recommendations;     
• Be responsible for any third-party software, tool, library or component that is installed and/or used by or on behalf of the Client in any Environment in connection with the Subscription Services;
• Be responsible for third party data flows that the Client integrates with and into the Environments;
• Agree that Pega will update Pega software within the Client's Pega Cloud Subscription Service to keep Client current on Pega's latest generally-available release;
  • Client will perform required client tasks during major and minor release updates (such as regression-testing applications) during their update window (see link below for Pega Cloud update process for client update-related tasks)
  • Client must be only one minor release behind the current release.  Client must update to the current minor release before the next minor version of Pega Platform is released.
• For clients using the Customer Decision Hub (CDH):  Be responsible for adhering to Service and Data Health limits for CDH  (see link below for Service and Data Health Limits);

For additional information on accomplishing these tasks, see the below articles, which are not part of the Pega Cloud Subscription Documentation:

• Adding the Check guardrail compliance score task
• Utilizing Pega Predictive Diagnostic Cloud
• Pega Software Maintenance Program
• Pega Extended Support Program
• Pega Cloud Services update process for Pega Infinity release 8.4.2 and later
• Service and Data Health Limits for Pega Customer Decision Hub