Supported security standards
Genesys Cloud supports various industry standard security practices and operational controls. It is certified to meet the requirements of several industry-specific standards listed below.
| Industry Standards / Certifications | Genesys Cloud Support | Region | Description |
|---|---|---|---|
| PCI DSS | Yes | Global * | Payment Card Industry Data Security Standards. PCI DSS is the globally recognized standard for security policies, technologies, and ongoing processes that protect payment systems from breaches and theft of cardholder data. |
| SOC 1 Type 2 | Yes | Global | SOC 1 Type 2 is an independent report on management’s description of the Genesys Cloud CX platform and on the suitability of the design and operating effectiveness of controls in accordance with SSAE 18. SOC 1 reports are primarily concerned with controls that are relevant for the financial reporting of customers. |
| SOC 2 Type 2 | Yes | Global * | SOC 2 Type 2 is an independent report on the description of the Genesys Cloud CX platform and on the suitability of the design and operating effectiveness of its controls relevant to security, availability, and integrity, pursuant to SOC 2 Type 2 examination under ISAE 3000. |
| ISO 27001:2013 | Yes | Global * | ISO 27001:2013 is a globally recognized standard for an information security management system (ISMS). Achieving the certification demonstrates the application of the ISMS principles, as well as the application of ISO 27002:2013 controls to secure and protect organizational data within the scope of the certification. |
| ISO 27017:2015 | Yes | Global * | ISO 27017:2015 extends the security controls of ISO 27002 to cloud environments. For Genesys Cloud CX, it’s achieved in conjunction with ISO 27001, which involves external verification that the controls are applied appropriately and are managed and sustained. |
| ISO 27018:2019 | Yes | Global * | SO 27018:2019 is the globally recognized certification extension to ISO 27001:2013. Achieving the extension certification demonstrates the application of ISO 27002:2013 controls to secure Personally Identifiable Information (PII)/ privacy data in the cloud. |
| CSA CAIQ | Yes | Global | CAIQ is an industry-accepted way to document what security controls exist in our SaaS solutions, providing security control transparency through compliance with the Cloud Controls Matrix. |
| C5 | Yes | EMEA | The cloud computing compliance criteria catalogue (C5) defines a baseline security level for cloud computing. It’s used by professional cloud service providers, auditors, and cloud customers. |
| HIPAA | Yes | Americas | Compliance with the Health Insurance Portability & Accountability Act (HIPAA) demonstrates assurance through effectiveness of security controls that health information is secured and protected. |
| HITRUST | Yes | Americas ** | Health Information Trust Alliance (HITRUST) assures internal and external stakeholders of the current state of information security and compliance, with Genesys Cloud CX providing greater assurance through the attainment of the externally validated “gold standard” two-year assessment. |
| CCPA | Yes | Americas ** | The California Consumers Protection Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California in the United States. |
| LGPD | Yes | Americas ** | The Brazilian General Data Protection Law (“LGPD”) is Brazil’s primary regulation aimed at the protection of personal data. LGPD (Lei Geral de Proteção de Dados) was designed in accordance with the EU’s GDPR. |
| FedRAMP | Americas (US-East-2 only) | The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. | |
| Cyber Essentials | Yes | EMEA | Backed by the UK government and overseen by the National Cyber Security Centre (NCSC), Cyber Essentials is a certification scheme designed to show an organization has a minimum level of protection in cyber security through annual assessments to maintain certification. |
| Cyber Essentials Plus | Yes | EMEA | Cyber Essentials Plus is a technical audit of the Genesys Cloud CX™ platform against the controls of the Cyber Essentials standard. The Cyber Essentials Scheme is “an effective, (UK) Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.” |
| GDPR | Yes | EMEA | The General Data Protection Regulation (GDPR) is a data protection law that regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data. |
| AgID | Yes | EMEA | The Agency for Digital Italy (Agenzia per l’italia Digitale or AgID) is the “technical agency of the Presidency of the Council of Ministers.” AgID’s cloud strategy is intended to provide “a qualification path for public and private entities to provide Cloud infrastructures and services to the Public Administration (PA) with high standards of security, efficiency and reliability.” |
| HDS | Yes | EMEA | Introduced by the French governmental agency for health, “Agence du Numérique en Santé” (ANS), the “Hébergeur de Données de Santé” (HDS) certification imposes advanced security and privacy requirements on hosting services and cloud providers to ensure that the confidentiality and integrity of sensitive data is adequately protected. |
| IRAP (Australia) | Yes | APAC | The Infosec Registered Assessors Program (IRAP) provides a comprehensive process for the independent assessment of a system’s security against the Australian Government Information Security Manual (ISM) requirements. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology (ICT) infrastructure intended for data storage, processing, and communication. The ISM is developed with the principle of providing Australian Government agencies with a baseline of generic risks and controls associated with the storage and handling of security sensitive and classified information.
An IRAP assessment has been completed for Genesys Cloud CX up to and including the PROTECTED level. |
| TX-RAMP | Yes | Americas (US-East-2 only) |
TX-RAMP is the Texas Department of Information Resources (DIR) framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation. TX-RAMP requirements apply to Texas State agencies, institutions of higher education, and public community colleges. Genesys Cloud CX has achieved TX-RAMP Level 2 Certification. |
| DoD Impact Level 2 (IL2) | Yes | Americas (US-East-2 only) |
The Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) provides the baseline security requirements used to assess the security posture of a cloud service offering. IL2 data includes non-controlled unclassified information, which is all data cleared for public release and some low confidentiality unclassified information that is not designated as controlled unclassified information (CUI). |
Notes:
- * Roadmap for US-East-2 (FedRAMP region)
- ** Not available in US-East-2 (FedRAMP region)
