JAGGAER is committed to having comprehensive security standards across our applications and business units that meet or exceed industry best practices and customers’ expectations. Our technical and organizational security measures are designed to protect your personal data against (i) accidental or unlawful destruction, loss or alteration, (ii) unauthorized disclosure and (iii) unauthorized access.
JAGGAER classifies all data based on risk and treats all customer information as confidential. Some data is categorized as sensitive information and is managed using additional safeguards, including encryption requirements.
JAGGAER utilizes identity and access management and role-based access controls to ensure that employees’ privileges are limited to only that data necessary for performing their job functions. All employees are subject to confidentiality agreements and receive annual training on JAGGAER’s information security policies and procedures, including appropriate data handling, storage and disposal practices. JAGGAER also thoroughly vets and manages all third-party service providers to ensure our service providers are protecting and managing any personal data they access in compliance with (i) JAGGAER’s privacy and security standards, (ii) requirements set forth in our customer agreements and (iii) all applicable data privacy laws. All JAGGAER offices and data storage locations are protected by physical security measures that meet or exceed industry best practices.
All of JAGGAER’s computer systems are configured in accordance with current technical standards and procedures, including anti-virus software; other standard security controls, including preventative controls and detective controls; and approved operating system versions and software patches. JAGGAER’s systems are regularly updated, and these updates are automatically installed on all company devices. Additional security measures employed by JAGGAER include: password requirements; perimeter controls; data and network segmentation; encryption; data and media disposal procedures; log management; retention procedures; and disaster preparedness procedures. Employees are prohibited from accessing company data from unencrypted personal devices, and the use of personal electronic devices to connect to the JAGGAER network or to access company email accounts is restricted to devices with appropriate security features. All remote access to the network requires a secure connection.
These policies and procedures are regularly reassessed and updated to reflect the current state of technology and relevant risks.
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements — Certified by A-LIGN
Overview
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
The Information Security Management System is applicable to the JAGGAER Services:
JAGGAER ONE (formerly known as JAGGAER Direct, JAGGAER Indirect and JAGGAER Advantage)
ISO/IEC 27018:2019 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors — Certified by A-LIGN
Overview
ISO/IEC 27018:2019 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2019 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
The Information Security Management System is applicable to the JAGGAER Services:
JAGGAER ONE (formerly known as JAGGAER Direct, JAGGAER Indirect and JAGGAER Advantage)
ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements — Certified by A-LIGN
Overview
ISO 22301:2019 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from disruptive incidents when they arise.
The Business Continuity Management System is applicable to the following JAGGAER Services:
JAGGAER ONE (formerly known as JAGGAER Direct, JAGGAER Indirect and JAGGAER Advantage)
ISO 9001:2015 Quality management systems — Requirements — Certified by NQA
Overview
ISO 9001:2015 specifies requirements for a Quality Management System when an organization:
- needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements.
- aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
The Quality Management System is applicable to the following JAGGAER Services:
JAGGAER ONE (formerly known as JAGGAER Direct, JAGGAER Indirect and JAGGAER Advantage)
SOC 1 and SOC 2 Reports
The American Institute of Certified Public Accountants (AICPA) has established Service Organization Controls (SOC) reporting options for service organizations. The SOC 1 report focuses on controls that impact JAGGAER platform users’ internal control over financial reporting, and JAGGAER’s services in scope for this report are Research Materials Management (RMM), and Advanced Sourcing Optimizer (ASO).
The SOC 2 Report evaluates JAGGAER’s controls against the AICPA’s Trust Services criteria. A Type 2 Report covers a period of time, and the JAGGAER services in scope for this report are JAGGAER ONE (JAGGAER Direct, JAGGAER Indirect, JAGGAER Advantage); a Type 1 Report covers a single point in time, and the JAGGAER services in scope for this report are JAGGAER ONE (JAGGAER Direct, JAGGAER Indirect, JAGGAER Advantage) and JAGGAER Collaborative Sourcing (JCS).
These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight.
| Product | Report |
| --- | --- |
| JAGGAER ONE (formerly known as JAGGAER Indirect, JAGGAER Direct (US & EU), and JAGGAER Advantage (US & EU)) | Type I and Type II SOC 2 |
| JAGGAER Collaborative Sourcing (JCS) (US only) | Type I SOC 2 |
| Advanced Sourcing Optimizer (ASO) (US only), and Research Materials Management (RMM) | Type I SOC 1 |
The use of these reports is restricted to the management of the service organization (JAGGAER), user entities of the JAGGAER Platforms and user auditors. The reports are available on request to prospects that sign a nondisclosure agreement with JAGGAER and to existing customers under their agreements with JAGGAER, which contain confidentiality obligations.
JAGGAER 2023 Payment Card Industry (PCI) Data Security Standard (DSS) Attestation of Compliance (AOC)
PCI DSS compliance is adherence to the set of policies and procedures to protect credit, debit and cash card transactions and prevent the misuse of cardholders’ personal information. JAGGAER has received a PCI DSS AOC for the JAGGAER Indirect eProcurement product.