At UKG,
we are committed to protecting our products and services from security threats, whether internal or external, deliberate, or accidental.

Our Commitment to Our Customers

Enterprise security, risk, and technology are priorities embedded in our leadership teams. Our digital teams collaborate closely with our engineering and product teams to ensure the overall security and resiliency of UKG systems and solutions.

Enterprise Security

Our Enterprise Security team integrates all security activities within UKG to provide for the security of entrusted information and data, and the effective operation of our enterprise networks. The Enterprise Security team manages the UKG Security Policy, which describes the management of security of information assets, responsibilities of various teams in securing information assets, and the various administrative, physical, and technical safeguards that are put in place to protect information assets. This policy applies to all UKG information assets, personnel (including contractors), and technology systems and environments, including the UKG private and public cloud environments.

Role-Based Security Training

In line with continuously enhancing our security procedures, we continue to expand role-based security training, which equips a user with tools and skills to meet the security requirements of their specific job function. This training is designed to address the unique challenges that an employee (U Krewer) can face daily in their role. Additionally, the UKG Enterprise Security team offers specialized training sessions for teams across UKG for an even more tailored education, particularly for our developers.

Ensuring Compliance Through Standards Alignment

To evidence these safeguards, UKG provides our customers with independent third-party audit reports, such as AICPA SOC 2, as well as certifications of ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018, as applicable to the UKG solution.

SOC 2 and 3 — ISAE3402/SSAE 18 Audit Reports

For our core solutions, UKG complies with ISAE3402/SSAE 18 AICPA Trust Principles for Security, Confidentiality, and Availability (and, where in scope, Privacy and Processing Integrity), and undergoes an audit each year to examine the relevant controls. These audits are performed by an independent, certified third party and the resulting reports are provided to our customers upon request within our UKG customer due diligence package.

The SOC 2 report demonstrates controls in place to meet the AICPA’s SOC 2 Trust Services Criteria (TSC) for the following principles:

• Security: the system is protected against unauthorized access, both physical and logical.
• Availability: the system is available for operation and use in accordance with UKG’s commitments.
• Confidentiality: information that is designated “confidential” is protected according to policy or agreement.
• Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria outlined in the Generally Accepted Privacy Principles issued by the AICPA.
• Processing Integrity: system processing is complete, accurate, and authorized.

UKG also provides a consolidated SOC 3 report for our core solutions, which are distributed to the public and can be found in the table below.

ISO 27001, 27017, and 27018

ISO 27001 is an information security standard originally published in 2005, and revised in 2013, by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s information security management system (ISMS).

ISO 27017, published in 2015, is a complementary standard to ISO 27001. This standard provides controls and implementation guidance for information security applicable to the provision and use of cloud services.

ISO 27018 is a complementary standard, published by ISO/IEC in 2014, that contains guidelines applicable to cloud service providers that process personal data.

UKG ensures compliance with ISO 27001, 27017, and 27018 as outlined below. UKG also ensures our data centers maintain a recognized security program such as ISO 27001 or a comparable industry-standard security framework. The audits are carried out by an independent, certified third party, and, upon request, UKG provides the certificates to our customers.

BELOW IS A DETAILED SUMMARY OF UKG SOLUTIONS AND RELATED ISO/SOC CERTIFICATIONS: