SECURITY AND QUALITY CERTIFICATIONS AND STANDARDS

JAGGAER-Everywhere

JAGGAER is committed to having comprehensive security standards across our applications and business units that meet or exceed industry best practices and customers’ expectations. Our technical and organizational security measures are designed to protect your personal data against (i) accidental or unlawful destruction, loss or alteration, (ii) unauthorized disclosure and (iii) unauthorized access.

JAGGAER classifies all data based on risk and treats all customer information as confidential. Some data is categorized as sensitive information and is managed using additional safeguards, including encryption requirements.

JAGGAER utilizes identity and access network management and role-based access to ensure that employees’ privileges are limited to only that data necessary for performing their job functions. All employees are subject to confidentiality agreements and receive annual training on JAGGAER’s information security policies and procedures, including appropriate data handling, storage and disposal practices. JAGGAER also thoroughly vets and manages all third-party service providers to ensure our service providers are protecting and managing any personal data they access in compliance with (i) JAGGAER’s privacy and security standards, (ii) requirements set forth in our customer agreements and (iii) all applicable data privacy laws. All JAGGAER offices and data storage locations are protected by physical security measures that meet or exceed industry best practices.

All of JAGGAER’s computer systems are configured in accordance with current technical standards and procedures, including anti-virus software; other standard security controls, including preventative controls and detective controls; and approved operating system version and software patches. JAGGAER’s systems are regularly updated and these updates are automatically installed on all company devices. Additional security measures employed by JAGGAER include: password requirements; perimeter controls; data and network segmentation; encryption; data and media disposal procedures; log management; retention procedures; and disaster preparedness procedures. Employees are prohibited from accessing company data from unencrypted personal devices and the use of personal electronic devices to connect to the JAGGAER network or to access company email accounts is restricted to devices with appropriate security features. All remote access to the network requires a secure connection.

These policies and procedures are regularly reassessed and updated to reflect the current state of technology and relevant risks.

ISO 27001:2013 Information technology — Security techniques — Information security management systems

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

JAGGAER has earned ISO 27001:2013 certifications for the systems, applications, services, people, technology, processes and data centers for our JAGGAER Direct platform.
JAGGAER has earned ISO 27001:2013 certifications for the design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER platform.

ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

JAGGAER has been certified compliant with ISO 27018:2014 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER platform.

ISO 22301:2012 Societal Security — Business Continuity Management Systems

ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from disruptive incidents when they arise.

JAGGAER has been certified compliant with ISO 22301:2012 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER platform.

ISO 20000-1:2011 Information technology — Service management

ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.

JAGGAER has been certified compliant with ISO 20000-1:2011 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER platform.

ISO 9001:2015 Quality management systems

ISO 9001:2015 specifies requirements for a quality management system when an organization:

a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and

b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

JAGGAER has been certified compliant with ISO 9001:2015 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER platform.

ISO 37001:2016 Anti-bribery management systems

ISO 37001:2016 specifies requirements and guidance for establishing, implementing, maintaining and improving an anti-bribery management system.

JAGGAER has been certified compliant with ISO 37001:2016 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER platform.

SOC 1 and SOC 2 Reports

The American Institute of Certified Public Accountants (AICPA) has established Service Organization Controls (SOC) reporting options for service organizations. JAGGAER’s Indirect platform has been subject to both SOC 1 and SOC 2 examinations. The SOC 1 report focuses on controls that impact JAGGAER Indirect platform users’ internal control over financial reporting, and the SOC 2 report evaluates JAGGAER’s controls against the AICPA’s Trust Services criteria, specifically Security, Availability and Confidentiality. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight.

Product: JAGGAER ONE, formerly known as JAGGAER Indirect (US & EU)
(includes Spend Analytics, Supplier Management, Sourcing, Contracts+, eProcurement, Invoicing, Inventory Management and Savings Management)
Reports: 2019 Type II SOC 1; 2019 Type II SOC 2

Product: Advanced Sourcing Optimizer (ASO) (US only)
Report: 2019 ASO Type I SOC 1

Product: JAGGAER ONE, formerly known as JAGGAER Direct (US & EU)
(includes Direct Supplier Management, Direct Category Management, Direct Sourcing, Direct eProcurement, Supply Chain Collaboration, and Quality Management modules)
Reports: 2019 Type I SOC 1; 2019 Type I SOC 2

Product: JAGGAER ONE, formerly known as JAGGAER Advantage (US & EU)
(includes Spend Analytics+, Category Management, Supplier Management+, Sourcing+, Contracts, Savings Management+ modules)
Reports: 2019 JA Type I SOC 1; 2019 JA Type I SOC 2

Product: JAGGAER Collaborative Sourcing (JCS) (US only)
Report: 2019 JCS Type I SOC 1

The use of these reports is restricted to the management of the service organization (JAGGAER), user entities of the JAGGAER Indirect Platform and user auditors. The reports are available on request to prospects that sign a nondisclosure agreement with JAGGAER and to existing customers under their agreements with JAGGAER, which contain confidentiality obligations.