JAGGAER Trust Center


Here at JAGGAER, the privacy and security of our customers’ data is our absolute priority. That is why we have developed a security program that meets or exceeds national and international best practices and our customers’ expectations. Our commitment to the privacy and security of our customers’ data is demonstrated by our numerous certifications and standards.



Security and Quality Certifications and Standards


ISO 27001:2013 Information technology — Security techniques — Information security management systems

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

JAGGAER has earned ISO 27001:2013 certifications for the systems, applications, services, people, technology, processes and data centers for our JAGGAER Direct platform.

JAGGAER has earned ISO 27001:2013 certifications for the design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER Advantage platform.


ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

JAGGAER has been certified compliant with ISO 27018:2014 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER Advantage platform.


ISO 22301:2012 Societal Security — Business Continuity Management Systems

ISO 22301:2012 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from disruptive incidents when they arise.

JAGGAER has been certified compliant with ISO 22301:2012 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER Advantage platform.


ISO 20000-1:2011 Information technology — Service management

ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.

JAGGAER has been certified compliant with ISO 20000-1:2011 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER Advantage platform.


ISO 9001:2015 Quality management systems

ISO 9001:2015 specifies requirements for a quality management system when an organization:

a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and

b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

JAGGAER has been certified compliant with ISO 9001:2015 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER Advantage platform.


ISO 37001:2016 Anti-bribery management systems

ISO 37001:2016 specifies requirements and guidance for establishing, implementing, maintaining and improving an anti-bribery management system.

JAGGAER has been certified compliant with ISO 37001:2016 for its design and provision of JAGGAER Software as a Service and JAGGAER Application Appliance solutions for enterprise supply management and spend management processes with related consulting activities and professional services for our JAGGAER Advantage platform.


SOC 1 and SOC 2 Reports

The American Institute of Certified Public Accountants (AICPA) has established Service Organization Controls (SOC) reporting options for service organizations. JAGGAER’s Indirect platform has been subject to both SOC 1 and SOC 2 examinations. The SOC 1 report focuses on controls that impact JAGGAER Indirect platform users’ internal control over financial reporting, and the SOC 2 report evaluates JAGGAER’s controls against the AICPA’s Trust Services criteria, specifically Security, Availability and Confidentiality. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight.

Both the SOC 1 and SOC 2 examinations completed by JAGGAER were performed as Type 2 engagements. Type 2 reports include the service auditor’s opinion on management’s description of the system, the suitability of design and operating effectiveness of the controls throughout the review period specified.

The use of these reports is restricted to the management of the service organization (JAGGAER), user entities of the JAGGAER Indirect Platform and user auditors. The reports are available on request to prospects that sign a nondisclosure agreement with JAGGAER and to existing customers under their agreements with JAGGAER, which contain confidentiality obligations.


JAGGAER & the General Data Protection Regulation


Effective May 25, 2018, the EU General Data Protection Regulation (“GDPR”) replaced the 1995 EU Data Protection Directive. GDPR (i) strengthens the rights that individuals have with respect to their Personal Data and (ii) imposes new obligations on processing the personal data of individuals residing in the EU. JAGGAER is committed to helping ensure our customers’ compliance with GDPR. For more information on JAGGAER’s GDPR compliance program and how we help ensure our customers’ compliance with GDPR, please see our GDPR page.


JAGGAER EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework


JAGGAER has certified its compliance with the provisions of the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information transferred to the United States from the European Union and Switzerland, respectively. To view JAGGAER’s certification or learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/Program-Overview.


Privacy


Our approach to privacy centers on giving you control of and access to your personal data while being transparent about the specific policies, operational practices and technologies that govern our collection, use and security of your personal data.


Security


JAGGAER is committed to having comprehensive security standards across our applications and business units that meet or exceed industry best practices and customers’ expectations. Our technical and organizational security measures are designed to protect your personal data against (i) accidental or unlawful destruction, loss or alteration, (ii) unauthorized disclosure and (iii) unauthorized access.

JAGGAER classifies all data based on risk and treats all customer information as confidential. Some data is categorized as sensitive information and is managed using additional safeguards, including encryption requirements.

JAGGAER utilizes identity and access network management and role-based access to ensure that employees’ privileges are limited to only that data necessary for performing their job functions. All employees are subject to confidentiality agreements and receive annual training on JAGGAER’s information security policies and procedures, including appropriate data handling, storage and disposal practices. JAGGAER also thoroughly vets and manages all third-party service providers to ensure our service providers are protecting and managing any personal data they access in compliance with (i) JAGGAER’s privacy and security standards, (ii) requirements set forth in our customer agreements and (iii) all applicable data privacy laws. All JAGGAER offices and data storage locations are protected by physical security measures that meet or exceed industry best practices.

All of JAGGAER’s computer systems are configured in accordance with current technical standards and procedures, including anti-virus software; other standard security controls, including preventative controls and detective controls; and approved operating system version and software patches. JAGGAER’s systems are regularly updated and these updates are automatically installed on all company devices. Additional security measures employed by JAGGAER include: password requirements; perimeter controls; data and network segmentation; encryption; data and media disposal procedures; log management; retention procedures; and disaster preparedness procedures. Employees are prohibited from accessing company data from unencrypted personal devices and the use of personal electronic devices to connect to the JAGGAER network or to access company email accounts is restricted to devices with appropriate security features. All remote access to the network requires a secure connection.

These policies and procedures are regularly reassessed and updated to reflect the current state of technology and relevant risks.


JAGGAER Sub-processors


While JAGGAER performs a majority of the activities required to provide the JAGGAER applications, we may at times engage a third-party service provider to perform services for our customers using the JAGGAER software applications and services. JAGGAER accepts responsibility for ensuring that our service providers comply with (i) our security and privacy policies and standards, (ii) contractual obligations to our customers and (iii) applicable laws related to personal data.

Service providers are contractually obligated to maintain the confidentiality of our customers’ data and are prohibited from using customer data for any purpose other than to provide our software applications and services to our customers. Additionally, service providers go through a rigorous selection process to ensure they have the appropriate level of security and privacy controls when providing services to our customers.

Click here to view a list of service providers currently utilized by JAGGAER that are authorized to access personal data provided by our customers in our software applications.

To read more about JAGGAER’s commitments to our customers relating to service providers accessing customer data, including any personal data, please see our Data Processing Addendum.