Security and Quality Certifications and Standards


    JAGGAER is committed to having comprehensive security standards across our applications and business units that meet or exceed industry best practices and customers’ expectations. Our technical and organizational security measures are designed to protect your personal data against (i) accidental or unlawful destruction, loss or alteration, (ii) unauthorized disclosure and (iii) unauthorized access.

    JAGGAER classifies all data based on risk and treats all customer information as confidential. Some data is categorized as sensitive information and is managed using additional safeguards, including encryption requirements.

    JAGGAER utilizes identity and access network management and role-based access to ensure that employees’ privileges are limited to only that data necessary for performing their job functions. All employees are subject to confidentiality agreements and receive annual training on JAGGAER’s information security policies and procedures, including appropriate data handling, storage and disposal practices. JAGGAER also thoroughly vets and manages all third-party service providers to ensure our service providers are protecting and managing any personal data they access in compliance with (i) JAGGAER’s privacy and security standards, (ii) requirements set forth in our customer agreements and (iii) all applicable data privacy laws. All JAGGAER offices and data storage locations are protected by physical security measures that meet or exceed industry best practices.

    All of JAGGAER’s computer systems are configured in accordance with current technical standards and procedures, including anti-virus software; other standard security controls, including preventative controls and detective controls; and approved operating system version and software patches. JAGGAER’s systems are regularly updated and these updates are automatically installed on all company devices. Additional security measures employed by JAGGAER include: password requirements; perimeter controls; data and network segmentation; encryption; data and media disposal procedures; log management; retention procedures; and disaster preparedness procedures. Employees are prohibited from accessing company data from unencrypted personal devices and the use of personal electronic devices to connect to the JAGGAER network or to access company email accounts is restricted to devices with appropriate security features. All remote access to the network requires a secure connection.

    These policies and procedures are regularly reassessed and updated to reflect the current state of technology and relevant risks.


    ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems

    ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

    ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

    ISO/IEC 27017:2015 offers comprehensive guidelines for information security controls tailored to cloud services. It includes:

    • Enhanced implementation guidance for relevant controls outlined in ISO/IEC 27002.
    • Specific additional controls and implementation guidance directly related to cloud services.

    This standard provides valuable controls and guidance for both cloud service providers and customers, ensuring a robust framework for information security in the cloud.

    ISO/IEC 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

    ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2019 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

    ISO 22301:2019 Security and resilience — Business continuity management systems

    ISO 22301:2019 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from disruptive incidents when they arise.


    ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system

    ISO/IEC 42001 specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations. It is designed for entities providing or utilizing AI-based products or services, ensuring responsible development and use of AI systems.

    ISO 9001:2015 Quality management systems

    ISO 9001:2015 helps organizations of all sizes and sectors to improve their performance, meet customer expectations and demonstrate their commitment to quality. Its requirements define how to establish, implement, maintain, and continually improve a quality management system (QMS).

    Implementing ISO 9001 means your organization has put in place effective processes and trained staff to deliver flawless products or services time after time.

    SOC 1 and SOC 2 Reports

    The American Institute of Certified Public Accountants (AICPA) has established Service Organization Control (SOC) reporting frameworks for service organizations.

    The SOC 1 Report focuses on controls that impact JAGGAER platform users’ internal control over financial reporting.

    The SOC 2 Report evaluates JAGGAER’s controls based on the AICPA’s Trust Services Criteria which include Security, Availability, and Confidentiality.

    A Type I report describes the design of controls at a specific point in time, while a Type II report evaluates the operating effectiveness of those controls over a defined period.

    These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance, risk management processes, and regulatory oversight.

    The use of these reports is restricted to the management of the service organization (JAGGAER), user entities of the JAGGAER Platforms and user auditors. The reports are available on request to prospects that sign a nondisclosure agreement with JAGGAER and to existing customers under their agreements with JAGGAER, which contain confidentiality obligations.

    Payment Card Industry Data Security Standard (PCI DSS) v4.0

    PCI DSS compliance refers to adherence to the Payment Card Industry Data Security Standard—a set of security policies and procedures designed to protect credit, debit, and prepaid card transactions and prevent the misuse of cardholders’ personal data.

    JAGGAER has received a PCI DSS AOC for the JAGGAER eProcurement product.