Supported security standards
Genesys Cloud follows a range of industry-standard security practices and operational controls, and is independently certified or attested against the standards listed below. The Region column shows where each certification applies; the footnotes flag exceptions for the US-East-2 (FedRAMP) region.
Industry Standards / Certifications | Genesys Cloud Support | Region | Description |
---|---|---|---|
PCI DSS | Yes | Global * | Payment Card Industry Data Security Standard. PCI DSS is the globally recognized standard for the security policies, technologies, and ongoing processes that protect payment systems from breaches and theft of cardholder data. |
SOC 1 Type 2 | Yes | Global | SOC 1 Type 2 is an independent report on management’s description of the Genesys Cloud CX platform and on the suitability of the design and operating effectiveness of controls in accordance with SSAE 18. SOC 1 reports are primarily concerned with controls that are relevant for the financial reporting of customers. |
SOC 2 Type 2 | Yes | Global * | SOC 2 Type 2 is an independent report on the description of the Genesys Cloud CX platform and on the suitability of the design and operating effectiveness of its controls relevant to the security, availability, and processing integrity trust services criteria, issued under a SOC 2 Type 2 examination performed in accordance with ISAE 3000. |
ISO 27001:2013 | Yes | Global * | ISO 27001:2013 is a globally recognized standard for an information security management system (ISMS). Achieving the certification demonstrates the application of the ISMS principles, as well as the application of ISO 27002:2013 controls to secure and protect organizational data within the scope of the certification. |
ISO 27017:2015 | Yes | Global * | ISO 27017:2015 extends the security controls of ISO 27002 to cloud environments. For Genesys Cloud CX, it is achieved in conjunction with ISO 27001, which involves external verification that the controls are applied appropriately and are managed and sustained. |
ISO 27018:2019 | Yes | Global * | ISO 27018:2019 is the globally recognized certification extension to ISO 27001:2013. Achieving the extension certification demonstrates the application of ISO 27002:2013 controls to secure Personally Identifiable Information (PII) and other privacy data in the cloud. |
CSA CAIQ | Yes | Global | The Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) is an industry-accepted way to document which security controls exist in our SaaS solutions, providing security control transparency by mapping them to the CSA Cloud Controls Matrix. |
BSI Cloud Computing Compliance Criteria Catalogue (C5) | Yes | Global | The Cloud Computing Compliance Criteria Catalogue (C5), published by the German Federal Office for Information Security (BSI), defines a baseline security level for cloud computing. It is used by professional cloud service providers, auditors, and cloud customers. |
HIPAA | Yes | Americas | Compliance with the Health Insurance Portability and Accountability Act (HIPAA) provides assurance, through the demonstrated effectiveness of security controls, that protected health information is secured and protected. |
HITRUST | Yes | Americas ** | The Health Information Trust Alliance (HITRUST) framework assures internal and external stakeholders of the current state of information security and compliance. Genesys Cloud CX provides this assurance through attainment of the externally validated two-year HITRUST assessment, widely regarded as the "gold standard" in the healthcare sector. |
CCPA | Yes | Americas ** | The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California in the United States. |
LGPD | Yes | Americas ** | The Brazilian General Data Protection Law (LGPD, Lei Geral de Proteção de Dados) is Brazil's primary regulation for the protection of personal data. It was modeled on the EU's GDPR. |
FedRAMP | No | Americas (US-East-2 only) * | The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud service offerings used by US federal agencies. |
UK Cyber Essentials | Yes | EMEA | Backed by the UK government and overseen by the National Cyber Security Centre (NCSC), Cyber Essentials is a certification scheme designed to show an organization has a minimum level of protection in cyber security through annual assessments to maintain certification. |
GDPR | Yes | EMEA | The General Data Protection Regulation (GDPR) is a data protection law that regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data. |
AgID | Yes | EMEA | The Agency for Digital Italy (Agenzia per l'Italia Digitale, or AgID) is the "technical agency of the Presidency of the Council of Ministers." AgID's cloud strategy is intended to provide "a qualification path for public and private entities to provide Cloud infrastructures and services to the Public Administration (PA) with high standards of security, efficiency and reliability." |
HDS | Yes | EMEA | Introduced by the French government agency for digital health, the Agence du Numérique en Santé (ANS), the Hébergeur de Données de Santé (HDS) certification imposes advanced security and privacy requirements on hosting services and cloud providers to ensure that the confidentiality and integrity of sensitive health data are adequately protected. |
IRAP (Australia) | Yes | APAC | Under the Information Security Registered Assessors Program (IRAP), Intact Security conducted an independent assessment against the controls defined in the Australian Signals Directorate (ASD) Information Security Manual (ISM), in accordance with the Genesys Cloud CX Statement of Applicability (SOA). The ISM is developed to provide Australian Government agencies with a baseline of generic risks and controls associated with the storage and handling of security-sensitive and classified information. |
Notes:
- * Not yet available in US-East-2 (FedRAMP region); on the roadmap for that region.
- ** Not available in US-East-2 (FedRAMP region).