The following minimum security measures reflect a baseline of security controls across the Genesys environment and the data that is managed by Genesys for services that are outside the scope of our Genesys Cloud certification program (e.g., HIPAA, ISO27001, ISO27018, PCI, SOC2). Sub-processors each enforce controls, audits, and certifications for data once it is under their control.

Genesys minimum security controls

This Appendix describes the minimum security requirements generally applicable to Customer’s use of Genesys Services. Additional controls for specific services or modules can be found in the applicable licensing agreement or Master Agreement. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Therefore, Processor will use necessary reasonable technical, organizational, and security measures designed to protect personal Data of Customer in possession of Processor or otherwise processed by Processor against unauthorized access, alteration, disclosure, or destruction, as further described in this Appendix:

1. Security program

Genesys has implemented and will maintain an information security program that follows generally accepted system security principles embodied in the SOC-2 standard designed to protect the Customer Data as appropriate to the nature and scope of the Services provided. The information security program includes at least the following elements:

a. Security awareness and training

Genesys has implemented and will maintain an information security and awareness program that is delivered to employees and appropriate contractors at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically and includes a testing aspect with minimum requirements to pass. Additionally, development staff members are provided with secure code development training.

b. Policies and procedures

Genesys maintains policies and procedures to support the information security program. Such policies and procedures are reviewed annually and updated as necessary.

c. Malware prevention

Genesys uses industry standard practices to avoid the inclusion of any program, routine, subroutine, or data (including malicious software or “malware,” viruses, worms, and Trojan Horses) in applications running within Genesys services.

2. Network security

Genesys will employ effective network security controls based on industry standards to ensure that Customer Data is protected.

3. User access control

Genesys will implement appropriate access controls to ensure only authorized users have access to Customer Data.

4. Business continuity and disaster recovery

Genesys will maintain a corporate business continuity plan designed to ensure that ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.

5. Security incident response

Genesys maintains a Security Incident response program based on industry standards designed to identify and respond to suspected and actual Security Incidents involving Customer Data. The program will be reviewed, tested and, if necessary, updated on at least an annual basis. “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.

Modified date
(YYYY-MM-DD)
Revision
2022-08-09

Article created.