Supported security standards

Genesys Cloud supports various industry-standard security practices and operational controls. It is certified to meet the requirements of several industry-specific standards listed below.

Industry Standards / Certifications Genesys Cloud Support Region Description
PCI DSS Yes Global Payment Card Industry Data Security Standards. PCI DSS is the globally recognized standard for security policies, technologies, and ongoing processes that protect payment systems from breaches and theft of cardholder data.
SOC 1 Type 2 Yes Global * SOC 1 Type 2 is an independent report on management’s description of the Genesys Cloud CX platform and on the suitability of the design and operating effectiveness of controls in accordance with SSAE 18. SOC 1 reports are primarily concerned with controls that are relevant for the financial reporting of customers.
SOC 2 Type 2 Yes Global * SOC 2 Type 2 is an independent report on the description of the Genesys Cloud CX platform and on the suitability of the design and operating effectiveness of its controls relevant to security, availability, and integrity, pursuant to SOC 2 Type 2 examination under ISAE 3000.
ISO 27001:2013 Yes Global ** ISO 27001:2013 is a globally recognized standard for an information security management system (ISMS). Achieving the certification demonstrates the application of the ISMS principles, as well as the application of ISO 27002:2013 controls to secure and protect organizational data within the scope of the certification.
ISO 27017:2015 Yes Global ** ISO 27017:2015 extends the security controls of ISO 27002 to cloud environments. For Genesys Cloud CX, it’s achieved in conjunction with ISO 27001, which involves external verification that the controls are applied appropriately and are managed and sustained.
ISO 27018:2019 Yes Global ** ISO 27018:2019 is the globally recognized certification extension to ISO 27001:2013. Achieving the extension certification demonstrates the application of ISO 27002:2013 controls to secure Personally Identifiable Information (PII)/privacy data in the cloud.
CSA CAIQ Yes Global * CAIQ is an industry-accepted way to document what security controls exist in our SaaS solutions, providing security control transparency through compliance with the Cloud Controls Matrix.
C5 Yes EMEA The cloud computing compliance criteria catalogue (C5) defines a baseline security level for cloud computing. It’s used by professional cloud service providers, auditors, and cloud customers.
HIPAA Yes Americas Compliance with the Health Insurance Portability & Accountability Act (HIPAA) provides assurance, through the effectiveness of security controls, that health information is secured and protected.
HITRUST Yes Americas ** Health Information Trust Alliance (HITRUST) assures internal and external stakeholders of the current state of information security and compliance, with Genesys Cloud CX providing greater assurance through the attainment of the externally validated “gold standard” two-year assessment.
CCPA Yes Americas ** The California Consumers Protection Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California in the United States.
LGPD Yes Americas ** The Brazilian General Data Protection Law (“LGPD”) is Brazil’s primary regulation aimed at the protection of personal data. LGPD (Lei Geral de Proteção de Dados) was designed in accordance with the EU’s GDPR.
FedRAMP Yes Americas (US-East-2 only) The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. Genesys Cloud is FedRAMP authorized at the Moderate Impact Level.

Cyber Essentials Yes EMEA Backed by the UK government and overseen by the National Cyber Security Centre (NCSC), Cyber Essentials is a certification scheme designed to show an organization has a minimum level of protection in cyber security through annual assessments to maintain certification.
Cyber Essentials Plus Yes EMEA Cyber Essentials Plus is a technical audit of the Genesys Cloud CX™ platform against the controls of the Cyber Essentials standard. The Cyber Essentials Scheme is “an effective, (UK) Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.”
GDPR Yes EMEA The General Data Protection Regulation (GDPR) is a data protection law that regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data.
AgID Yes EMEA The Agency for Digital Italy (Agenzia per l’Italia Digitale or AgID) is the “technical agency of the Presidency of the Council of Ministers.” AgID’s cloud strategy is intended to provide “a qualification path for public and private entities to provide Cloud infrastructures and services to the Public Administration (PA) with high standards of security, efficiency and reliability.”
HDS Yes EMEA Introduced by the French governmental agency for health, “Agence du Numérique en Santé” (ANS), the “Hébergeur de Données de Santé” (HDS) certification imposes advanced security and privacy requirements on hosting services and cloud providers to ensure that the confidentiality and integrity of sensitive data is adequately protected.
IRAP (Australia) Yes APAC The Infosec Registered Assessors Program (IRAP) provides a comprehensive process for the independent assessment of a system’s security against the Australian Government Information Security Manual (ISM) requirements. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology (ICT) infrastructure intended for data storage, processing, and communication. The ISM is developed with the principle of providing Australian Government agencies with a baseline of generic risks and controls associated with the storage and handling of security sensitive and classified information.

An IRAP assessment has been completed for Genesys Cloud CX up to and including the PROTECTED level.

TX-RAMP Yes Americas (US-East-2 only)

TX-RAMP is the Texas Department of Information Resources (DIR) framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation. TX-RAMP requirements apply to Texas State agencies, institutions of higher education, and public community colleges.

Genesys Cloud CX has achieved TX-RAMP Level 2 Certification.

DoD Impact Level 2 (IL2) Yes Americas (US-East-2 only)

The U.S. Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) provides the baseline security requirements used to assess the security posture of a cloud service offering. Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.

Genesys Cloud CX has been granted a Provisional Authorization (PA) for DoD Impact Level 2 (IL2) from the Defense Information Systems Agency (DISA) leveraging Genesys’ FedRAMP Moderate Authorization. IL2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.

EU-U.S. Data Privacy Framework (DPF) Yes US and EMEA

The EU-United States Data Privacy Framework, developed by the United States Department of Commerce and the European Commission, enables United States organizations to establish reliable mechanisms for transferring personal data from the European Union to the United States. This certification ensures data protection that is consistent with EU, UK, and Swiss law.

ENS Yes EMEA

The National Security Scheme (Esquema Nacional de Seguridad or ENS) was first developed in 2010 with its last update in 2022 (Royal Decree 311/2022). The ENS accreditation scheme has been developed by La Entidad Nacional de Acreditación (ENAC) in close collaboration with the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre).

This certification is applicable to the entire Spanish Public Sector and collaborating suppliers. It ensures the adequate protection of information and services, aligning with the ENS framework’s basic principles, requirements, and security measures.

StateRAMP Yes Americas (US-East-2 only)

StateRAMP is a program for States that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Being StateRAMP authorized means a cloud system has an established and highly secure environment that has withstood comprehensive audit review before States are authorized to engage the system. Genesys Cloud is StateRAMP authorized at the Moderate Impact Level.

Notes:
  • * Roadmap for US-East-2 (FedRAMP region)
  • ** Not available in US-East-2 (FedRAMP region)