Because CA 2E and CA Plex are application development tools (IDEs and code generators) rather than hosted services, we do not hold SOC-2 or SOC-3 reports for them.

 

As we understand it, SOC-2 and SOC-3 audits evaluate service organizations that host, process, or store customer data. Since CA 2E and CA Plex operate within your environment and do not directly interact with or host your client's financial data, these audits do not apply to the tools themselves. Consequently, the SOC reports required for DORA compliance would be based on your organization's own infrastructure and security controls.

 

To demonstrate a secure software supply chain, we follow a comprehensive software development lifecycle methodology. You can find more details here: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/ProductAdvisories/0/24577