Question

Premier Bankcard
US
Posted: 3 weeks 2 days ago
Last activity: 10 Jun 2025 15:50 EDT
Security Questions
I'm in the process of filling out a document for our security team. Pega has already provided answers to all the questions, but there are a few that had follow-up questions from our security team.
- Pega Cloud ensures all system components and software are protected from known vulnerabilities by installing the latest vendor-supplied security patches, including BIOS and firmware updates. Pega Cloud performs continuous vulnerability remediation activities and applies patches according to a risk-based approach, addressing critical vulnerabilities within 7 days and high vulnerabilities within 30 days.
  - Does the vulnerability remediation timeline provided apply to just Pega's application, or everything within Pega's infrastructure? In other words, if Pega relies on "app x" for the service they provide, and "app x" has a critical vulnerability discovered, will Pega patch that within 7 days?
- Pega requires TLS 1.2. How do we confirm that weak TLS 1.2 ciphers are all disabled?
- How do we confirm that the SIEM logs are retained for 12 months?
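
One way to approach the TLS 1.2 cipher question above, as an added example that is not part of the original post and not Pega guidance: scan your own endpoint for the suites it accepts over TLS 1.2 (for instance with nmap's `ssl-enum-ciphers` script, which reports IANA suite names) and check that list against a written policy. The policy table and the sample suite list below are assumptions constructed for illustration.

```python
# Assumed policy (not from the original post): tokens in an IANA TLS 1.2
# cipher-suite name that mark the suite as weak, and why.
WEAK_TOKENS = {
    "NULL": "no encryption",
    "EXPORT": "export-grade key size",
    "anon": "unauthenticated key exchange",
    "RC4": "RC4 stream cipher",
    "3DES": "64-bit block cipher (3DES)",
    "DES": "single DES",
    "MD5": "MD5 MAC",
    "CBC": "CBC mode (padding-oracle exposure)",
}


def weaknesses(suite):
    """Return the reasons an IANA-named TLS 1.2 suite is weak ([] if none)."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no _WITH_ part.
        raise ValueError(f"not an IANA TLS 1.2 suite name: {suite!r}")
    kx, _, rest = suite[4:].partition("_WITH_")
    tokens = kx.split("_") + rest.split("_")
    reasons = []
    # Only ephemeral key exchange (ECDHE/DHE) gives forward secrecy.
    if tokens[0] not in ("ECDHE", "DHE"):
        reasons.append("no forward secrecy")
    # Whole-token match, so "DES" does not fire on "3DES".
    reasons += [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
    return reasons


def audit(accepted):
    """Map each weak suite in a scan result to its reasons; strong suites are omitted."""
    findings = {s: weaknesses(s) for s in accepted}
    return {s: why for s, why in findings.items() if why}


# Constructed sample: suites a hypothetical endpoint accepted over TLS 1.2.
ACCEPTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for suite, why in audit(ACCEPTED).items():
        print(f"WEAK {suite}: {', '.join(why)}")
```

An empty result from `audit` means every accepted suite passed the assumed policy; adjust `WEAK_TOKENS` to match what your security team defines as weak.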