PagerDuty In Scope Services

PagerDuty incorporates generally available services into our compliance efforts based on anticipated use cases, feedback, and demand. Some services are available that are not currently listed in the scope of our most recent assessment, customers must evaluate before choosing to use those services, considering the associated risks with their data.

Determining the data you transmit to the PagerDuty Operations Cloud is a shared responsibility. Depending on the services you utilize and the data transmitted, you should assess if the service offers adequate controls to safeguard your data processing and storage, and how this may affect your compliance with customer data environment requirements.

PagerDuty and FedRAMP Authority to Operate: In Process Status

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP leverages a standardized set of requirements based on NIST controls, including NIST 800–53. Established in accordance with the Federal Information Security Management Act (FISMA), compliance with these published controls provides transparency and confidence in the security of cloud solutions.

The PagerDuty Operations Cloud is In Process for a FedRAMP Low Impact Authorization. PagerDuty has been assessed as providing appropriate controls to protect Low Impact data, where the Confidentiality, Integrity and Availability of the data would result in limited adverse effects on the agency’s (or customers') operations, assets, or individuals. Services not yet authorized by FedRAMP but offered by PagerDuty require customers to assess the risk to their data and environment before use.

PageDuty Shared Responsibility Model

Security and compliance are shared responsibilities between PagerDuty and the customer. PagerDuty operates and manages the Operations Cloud services, while the customer selects, configures, and uses these services. In addition, customers are responsible for access management, user management, and managing data elements processed by the Operations Cloud. This shared responsibility allows customization of the Operations Cloud to meet a customer’s unique risk tolerance and regulatory compliance needs.

The security of data transmitted to the PagerDuty Operations Cloud is a shared responsibility. It's important to assess whether the services you use provide sufficient controls to protect your data during transmission, processing, and storage. Consider how this may impact your compliance with internal policy, local regulations, and customer commitments.

PagerDuty responsibility “Security of the Operations Cloud” — PagerDuty is accountable for safeguarding the Operations Cloud and the data it handles, ensuring confidentiality, integrity, and availability. This includes protecting customer–provided information through encryption, access control, secure backup, ongoing monitoring, and robust logging. PagerDuty ensures that third–party service providers meet its security requirements.

PagerDuty’s Cloud Hosting Provider — PagerDuty's Cloud Hosting Provider (AWS) is responsible for safeguarding the infrastructure that runs Operations Cloud services, including hardware, software, networking, and facilities.

Customer responsibility “Security in the Cloud” — Customer responsibility involves configuring and managing their Operations Cloud account, including user identification, authentication, authorization, and using PagerDuty Operations Cloud services. Customers are also responsible for determining and managing data elements entered or transmitted to PagerDuty.

Product / Features SOC2 Type II Compliance FedRAMP “In Process”
Incident Management
Email and push notifications
Domestic SMS/Phone notifications
International SMS/Phone notifications
On-call Schedules
Escalation policies
Max users per escalation level
Alert Severity
Custom Incident Actions
Service Directory
Business and Technical Services and Dependencies
Dynamic Service Graph
Alert Triage & Deduplication
Incident Urgencies
Incident Timeline
Incident Priority
Global Search
Advanced and Scalable Incident Handling
ChatOps (Slack, Teams) * *
Monitoring and Developer Integrations (ex: Datadog, CloudWatch, Splunk, SumoLogic, etc) * *
Audio and Video Conference Integrations * *
Ticketing (Jira Software, Jira Service Management) * *
Advanced Ticketing Integrations (ServiceNow, Cherwell) * *
Dynamically Add Additional Responders
Postmortems
Jeli Service X
Round Robin Scheduling
Incident Workflows * *
Custom Fields
One Touch to Join to Conference Bridge * *
Status Update Notification Templates
Incident Tasks
Incident Roles
Business Service Subscription
Analytics API and Data Export
Operational Reviews, On-call Readiness Analytics and Administration
Analytics Dashboard
Incident Activity and Service Performance Reports
Responder and Team Reports
Escalation Policy Report
User Onboarding Report
Team On-Call Handoff Reviews
Service Performance Reviews
Business Performance Reviews
Operational Maturity
Out-of-the-box Integrations, Plus Workflow Extensions * *
Unlimited Open and Flexible APIs
Full-Featured Mobile App for iOS and Android
Role-based permissions
Single Sign-on
Audit Trail Reporting
Team-based Organizing and Advanced Permissions
Stakeholder Users
Live Call Routing * *
Internal Status Pages
External Status Pages
Private Status Pages X X
AIOps
Global Integration Key
Alert Deduplication
Service Rules
Routing Rules
Basic Conditions
If/else statements
Basic Enrichment (priority, severity, event_action)
Event Rule Notes
Dynamic Field Enrichment and Extraction
Threshold Conditions
Recurring Conditions
Schedule Conditions
Rule Nesting
Paused Incident Notifications
Event Triggered Webhooks * *
Service Orchestration Rules * *
Global Event Orchestration * *
Auto-Pause Transient Events
Alert Suppression
Auto-Pause Incident Notifications
Time-Based Alert Grouping
Intelligent Alert Grouping (w/ Flexible Time Window)
Content-Based Alert Grouping
Change Events
Custom Change Event Transformer
Past Incidents
Related Incidents
Outlier Incidents
Change Correlation
Probable Origin
Visibility Console
PagerDuty Runbook Automation X
PagerDuty Process Automation X
PagerDuty Workflow Automation X
PagerDuty Advance X X
In scope
*

Involves the use/integration with third-party technologies that are not in PagerDuty's control; PagerDuty ensures data is protected utilizing SOC 2 and FedRAMP compliant security / controls until provided to the third-party service provider

X Not in scope