Security at PagerDuty
Check out the PagerDuty Security Whitepaper to get detailed information on our security program and processes and technologies around cloud & network infrastructure, monitoring & incident response, risk management, physical security, disaster recovery, data protection, and third-party security. Request access to the whitepaper
PagerDuty annually self-certifies to the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Program, found here.
SOC 2 Certification
PagerDuty has successfully completed a SOC 2 Type II examination for our On-Call Management Platform and Event Intelligence Services. The SOC 2 report provides assurance that we have designed effective security controls as defined by the SOC 2 standards set forth by the American Institute of Certified Public Accountants (AICPA).
Third-Party Hosting Providers
PagerDuty uses state-of-the-art certified data centers. All data centers comply within leading security practices and frameworks, including SOC 2, ISO 27001, and PCI DSS. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, biometric locks, and other electronic means. Only authorized personnel have access to the data centers.
Our payment processor, Braintree, is a validated Level 1 PCI DSS Compliant Service Provider. Additionally, they are on Visa’s Global Compliant Provider List and MasterCard’s SDP List. They conduct regular automated vulnerability scans and have extended external penetration testing conducted by outside sources.
All PagerDuty employees and contractors attend mandatory Information Security Training during the on-boarding process, as well as annual training thereafter. Training is tracked and monitored and compliance is represented within PagerDuty’s SOC 2 report. The PagerDuty Security Team offers an open-sourced version of the Security Training deck, which can be found here: https://sudo.pagerduty.com/
PagerDuty maintains multiple monitoring systems to detect and alert on incidents. Incident severity is classified based on customer impact and duration of incident. Documentation on PagerDuty's Incident Response and Security Incident Response processes can be found at https://response.pagerduty.com/. PagerDuty will notify affected customers of any security incident which involves customer data without undue delay, and per legal and contractual requirements.
If you have any additional concerns, please feel free to reach out to firstname.lastname@example.org with any questions.