Security and Data Privacy


As a company that delivers its products as a cloud service, we take a comprehensive approach to the governance of security and data privacy, embracing a security- and privacy-first mindset as we grow and invest in the products, infrastructure, personnel, best practices, and policies required to secure and protect the data entrusted to us.

Ensuring Security

We are committed to continuously updating our security program to meet ongoing and evolving threats and security challenges. Our management approach is to analyze technology developments, evolving regulatory standards, market trends, and customer needs and then embed those findings into our business. Our security risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Additionally, our security team is principally responsible for managing our security risk assessment processes, implementing and maintaining our security controls, and responding to security incidents.

Internally, our security risk management program includes risk assessments designed to help identify material security risks to our critical systems, information, products, and our broader enterprise IT environment. We also maintain an incident response plan, which includes procedures for responding to security incidents and is regularly tested through simulated emergency exercises and periodic employee phishing tests. Where appropriate, we use external service providers to assess, test, or otherwise assist with aspects of our security controls.

We have also established security standards for our technology resources, such as requiring multi-factor authentication to access our applications and mandatory, annual privacy and security training of employees, including incident response personnel, product development personnel, and senior management. We recently updated our mandatory, annual employee privacy and security training to reflect the latest threats and security best practices. Additionally, we provide our employees, including employees responsible for incident response and product development, with continuous education opportunities and engagement through learning tools and periodic communications.

We outsource our data center needs to a third-party provider, Amazon Web Services (“AWS”), utilizing its cloud-based platforms, data center security, and cloud security capabilities. Since the accuracy and availability of our services must be maintained during both normal business hours and extraordinary events, resiliency is critically important to us and our customers. Accordingly, AWS is required to comply with our third-party vendor security and infrastructure reliability requirements. Additionally, using AWS enables redundancy and disaster recovery through geographic separation of data centers.

Global Cloud Security Certifications and Frameworks

Guidewire maintains various internationally recognized security certifications and aims to adopt best practices from industry-leading frameworks and standards for cybersecurity and cloud computing, such as:

Certifications

  • ISO 27001 - Information Security Management
  • ISO 27701 - Privacy Information Management
  • System and Organization Controls (SOC 1, Type II)
  • System and Organization Controls (SOC 2, Type II)
  • Payment Card Industry Data Security Standard (PCI-DSS)

Frameworks

  • U.S. NIST Cybersecurity Framework (CSF)
  • U.S. NIST Secure Software Development Framework (SSDF)
  • Statement on Standards for Attestation Engagements/Assurance on Controls at a Service Organization (SSAE) 18/International Standard on Assurance Engagements (ISAE) 3402

Contributing to Public Discourse on Security

In fiscal year 2022, Guidewire was a founding member of the critical software-as-a-service special interest group (“CSaaS-SIG”). The group operates under the framework of the Information Technology-Information Sharing and Analysis Center (IT-ISAC) and serves as a forum for CSaaS companies to collaborate on collective defense strategies to improve the security and operational resiliency of our products and share intelligence information with the industry at large.

We joined the World Economic Forum’s Centre for Cybersecurity in fiscal year 2024 and contributed to initiatives driving global public-private action to address systemic cybersecurity challenges. In fiscal year 2025, in recognition of our role in the financial services industry and interest in advancing cybersecurity and resilience in the global financial system, we joined the Financial Services Information Sharing and Analysis Center (FS-ISAC). We will continue to contribute to public discourse and SaaS industry developments through white papers on topical security issues and as a participant in industry forums and exercises.

Data Management and Privacy

We comply with all applicable laws and regulations around data protection and privacy, and continuously review our data management and privacy approaches to stay current with evolving global trends. Similarly, we proactively engage with industry peers and associations regarding upcoming legislation and, where possible, implement policies and processes ahead of legislation. Our data management policies govern usage, storage, and deletion of data, and we continually evaluate and strengthen, if needed, various data governance policies and processes. Additionally, we have committed to transparent privacy principles in our Customer Data Privacy Policy, including not sharing or selling customer data for marketing, advertising, or other commercial purposes.

Looking Forward

We plan to continue to review the governance structure, programs, processes, and policies that inform how we manage security, as well as data management and privacy.