
Brand Compliance B.V. declares that the management system for information security of Paligo A.B. has been assessed and found to be in compliance with the requirements of the standard ISO 27001:2022.
312/V6 – Certificate number: LN 1422.1.1
Cloud Security
Data Center Security (at AWS)
The physical infrastructure for Paligo is provided by Amazon Web Services (AWS) and all services are hosted in data centers in the United States, Japan, or European Union.
All AWS data centers have been certified as ISO 27001, PCI DSS Service Provider, and/or SOC 2 compliant.
AWS has implemented several on-site security measures, including physical access restrictions, security guards, fencing, surveillance, and intrusion detection, among others.
Data Hosting Locality
Paligo leverages AWS data centers in the United States, Europe, and East Asia. Therefore, Paligo offers data locality choices including the United States, Japan, or European Union.
Network Security
Paligo has configured its networks with a security architecture that consists of multiple security zones. Database servers are protected in our most trusted zones, and other, less sensitive systems are housed in zones proportionate to their sensitivity, information classification, and risk level. Depending on the zone, additional security monitoring and access controls are applied. DMZs are used between the Internet and the internal network, and internally between the different trust zones.
Vulnerability Scanning and Management
Paligo has deployed scheduled vulnerability scanning to detect and mitigate vulnerabilities before they reach production. The vulnerability scanning also detects common vulnerabilities, such as the OWASP Top 10 and known CVEs.
Penetration Tests
Penetration tests are performed regularly by an independent third party.
Intrusion Detection and Prevention
Paligo uses intrusion detection and prevention measures to detect malicious behavior. This includes alerting administrators of malicious activity and policy violations, as well as identifying and taking action against attacks.
Access Management/Restriction
Access to Paligo systems is restricted to authorized users or processes only, based on the principles of strict need to know and least privilege. All Paligo employees must use a separate, unique password for each of their work-related accounts. Passwords must not be shared with anyone, including managers and coworkers. All passwords are treated as sensitive, secret Paligo information.
The technical content uploaded and created by the customer’s end users in Paligo may be accessed for support purposes, subject to approval by the customer. The technical content can include, for example, graphical content, drawings, specifications, details, text, communications, and other material.
Incident Detection and Response
Security events and incidents are managed by a dedicated team. Escalation to customers follows the procedures in agreements, and incident response plans are tested regularly. Major incidents follow a reporting and escalation procedure led by Incident Managers. In case of major technical breakdowns, there is a tested disaster recovery process. Paligo offers different support SLAs depending on the license plan. For the Enterprise plan, the target response time is 2 hours for urgent (highest priority) issues and 4 hours for high priority issues. The Enterprise plan also has a 24/7 emergency response phone number for serious incidents.
Encryption (at rest and in transit)
All communication to and from the Paligo service is encrypted in transit with AES-256 (HTTPS, TLS 1.2). Paligo’s service has encryption at rest with AES-256 enabled for all plans.
Availability
Paligo uses Pingdom for uptime monitoring. A public uptime report is available at http://status.paligoapp.com/.
Continuity
Paligo has an established Business Continuity Plan and a Disaster Recovery Plan. Paligo also has a trained Crisis Management Team for managing any serious incidents.
Application Security
Secure SDLC
Security is applied at every phase of our software development life cycle (SDLC).
The aim of a secure SDLC is to make security part of the developer’s responsibilities and enable them to create secure applications from the beginning.
We employ third-party security tooling to continuously scan our service against common web application security risks, including, but not limited to, the OWASP Top 10.
We also scan the libraries and dependencies used in our products to identify vulnerabilities and ensure that they are managed.
Separation of Environments
Testing and staging environments are logically separated from the production environment. No production data is used in our development or test environments.
Data Isolation
The Paligo service is a multi-tenant web application. Customer databases are separated from each other and secured by customer-specific authentication credentials. Customer file storage and other systems that handle data are secured by application logic that ensures that only the relevant customer is granted access.
Data Retention
After subscription termination, the account is deactivated after 30 days, data is archived after 120 days and then data is deleted after being archived for 180 days. The customer can request deletion of data at any time before that.
Authentication
Multi-factor authentication is available to all users, and on the Enterprise plan it can be centrally enforced. SSO based on SAML 2.0 is also available on the Enterprise plan.
Back-up and Rollbacks
Paligo takes full backups of customer databases and files every hour. Backups are stored in Amazon S3 and are version-managed. Point-in-time recovery is available for the entire database server. Restore procedures are tested regularly.
Session Management
Sessions are terminated when cookies are cleared or at auto-logout, which is configurable by admins in the Paligo service.
Key Management
We use AWS KMS and follow AWS’s recommended industry best practices.
Maintenance
Paligo will notify customers in advance of any major changes that will cause service downtime. Paligo will, however, intermittently update the system with upgrades, bug fixes, and patches, which are done without notification if the customer is not specifically affected. Communication is done by email.
Human Resource Security
Background Checks
Paligo performs background checks of all employees and contractors (always aligned with local laws, regulations, ethics, and contractual requirements) before giving access to the Paligo network, assets, and resources.
NDAs
Non-disclosure agreements are signed with all employees and relevant third parties before they gain access to sensitive information. The NDAs remain in force during the contract and after its termination.
Awareness Training
Participation in Paligo’s security awareness training is mandatory for all employees and relevant third parties.
Disciplinary Process
Paligo has implemented a disciplinary procedure. Employees who do not comply with security requirements or who violate security policies are subject to disciplinary action.
Compliance
Risk Management
Paligo has an established risk management process. The Paligo risk management process includes the following steps:
- Risk Identification
- Risk Assessment
- Risk Evaluation
- Risk Treatment
Paligo management has the authority to accept risks. Risks related to customer data and the Paligo service are included in the risk assessment.
Audit
Paligo is subject to several audits, both internal and external, each year to ensure security is upheld and continuously improved.
Governance
Paligo’s Information Security Policy, and its subordinate information security documents, apply to all employees, consultants, contractors, and other third-party users involved in any way with the application, design, development, and support of Paligo’s service. At Paligo, adherence to governance documentation is both an individual and corporate responsibility.
Legal and Regulatory compliance
Paligo is committed to maintaining compliance with all regulatory, legislative, and contractual requirements and continually assesses relevant rules and legislation affecting our business.
AI in Paligo
We understand the importance of security and privacy when it comes to utilizing AI. That’s why our AI features are equipped with strict security and privacy measures to safeguard your data at all times.
Encryption
The same level of data encryption is used for our CCMS and AI capabilities, both at rest (using AES-256) and in transit (using TLS 1.2+).
Data Retention and Deletion
We do not retain your inputs, prompts, or the generated outputs after the transaction is complete.
This means that Paligo ensures user inputs and AI outputs are not kept by the AI provider beyond the immediate processing time needed to deliver the feature’s output. Our providers have no separate retention period for the AI-specific interaction data outside of the Paligo CCMS itself.
For our AI translation feature, a history of the last 20 queries is stored in the user’s browser session storage, not by Paligo. The session storage is separate for each browser tab, and the browser clears it when you close the tab. During a chat instance, previous queries are included in the request to the AI service in order to provide context to the LLM.
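As an added illustration (not Paligo’s code), here is how a per-tab, bounded query history of this kind can be implemented in the browser: entries live in sessionStorage, the list is trimmed to the last 20 queries, and earlier queries are sent along as context. The storage key and function names are assumptions; the in-memory fallback is a constructed stand-in so the same code also runs outside a browser.

```javascript
// Added example, not Paligo's code. Bounded per-tab query history in
// sessionStorage (cleared by the browser when the tab closes) and the
// request body that carries earlier queries as LLM context.
const HISTORY_KEY = "ai-translation-history"; // assumed key name
const MAX_HISTORY = 20;                        // last 20 queries, per the page

// Minimal Storage-like shim for environments without sessionStorage (constructed).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => map.set(k, String(v)),
    removeItem: (k) => map.delete(k),
  };
}
const fallback = memoryStorage();

function resolveStorage(storage) {
  if (storage) return storage;
  // In a browser this is per tab and discarded on close; never sent to a server.
  if (typeof sessionStorage !== "undefined") return sessionStorage;
  return fallback;
}

function loadHistory(storage) {
  const raw = resolveStorage(storage).getItem(HISTORY_KEY);
  if (raw === null) return [];
  try {
    const parsed = JSON.parse(raw);
    return Array.isArray(parsed) ? parsed.filter((q) => typeof q === "string") : [];
  } catch {
    return []; // corrupted entry: start over rather than throw
  }
}

// Append a query and keep only the newest MAX_HISTORY entries.
function recordQuery(query, storage) {
  const s = resolveStorage(storage);
  const history = loadHistory(s).concat([query]).slice(-MAX_HISTORY);
  s.setItem(HISTORY_KEY, JSON.stringify(history));
  return history;
}

// Request body for the AI service: the new query plus prior queries as context.
// Call recordQuery(query) after the request succeeds.
function buildRequest(query, storage) {
  return { context: loadHistory(storage), query };
}

function clearHistory(storage) {
  resolveStorage(storage).removeItem(HISTORY_KEY);
}
```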
Content Usage for Training Purposes
We recognize that the data you manage is critical, sensitive, and proprietary. Therefore, the architectural design of our AI integration ensures that your trust is maintained and reinforced. We adhere to a stringent policy that dictates: your data, inputs, and outputs will not be used to train third-party AI models.
The source content, documentation, and topics you manage remain confidential. The AI operates on your content to assist you, but this interaction does not permit the content to be ingested into the AI’s long-term learning or knowledge base.
Any prompts, queries, or specific instructions you provide to the AI are processed for the immediate task but are not logged or utilized for future model training or refinement.
The generated or refined text that the AI produces based on your inputs remains isolated and is never fed back into the training data loop.
Human Oversight and Accountability
Paligo ensures content quality and compliance through mandatory human review at several stages, and explicitly treats AI-generated text as only a starting point.
Authors submit topics, which initiates review assignments for human experts to provide comments and approval. Paligo treats auto-translation as a draft, not a final product. Users are advised never to rely on the quality of machine-translated text, as it will almost always need to be edited to get good end results.
Following any translation (AI, internal, or service), content undergoes human checking in a dedicated workflow status.
All assignment types (Review, Contribution, Translation, and Translation Review) are tracked. This provides visibility into the responsible person, deadlines, and completion status.
Content is only moved to Released after successfully passing all required human checks, which signifies completion and locks it against further unauthorized edits.
AI Biases
We acknowledge the possibility of bias in algorithms and make efforts to minimize its effects. All features that utilize AI models must adhere to fair and impartial algorithms, taking into account any imbalances in data that may result in discriminatory results. Mechanisms to detect and respond to biases or ethical issues in AI models have been implemented by the AI provider and include:
- Bias Detection: Utilizing tools and techniques to identify biases, such as analyzing model outputs across different demographic groups to detect disparities.
- Diverse Datasets: Collecting diverse datasets for training to mitigate biases and ensure models are representative and inclusive.
- Ethical Review: Conducting ethical reviews of models and projects to assess potential implications and risks, consulting with ethicists and stakeholders.
- Fairness Metrics: Defining and using fairness metrics to evaluate model performance and identify biases that may disproportionately affect certain populations.
- Stakeholder Engagement: Engaging with researchers and advocacy groups to solicit feedback on ethical considerations and promote responsible AI development.
- Transparency and Accountability: Documenting potential biases, ethical considerations, and mitigation strategies to foster trust with users and stakeholders.
Compliance and Certifications
Our AI vendors, like all third-party vendors involved in our service delivery, are subject to regular audits to ensure compliance with standards such as SOC 2 and ISO 27001.
Penetration Testing
Paligo conducts regular penetration testing of our own application. Regarding AI features, Paligo is not authorized to perform penetration tests against the AI providers’ services without explicit permission. However, the AI providers themselves have performed penetration testing on the systems and services used by Paligo’s AI features. Permission from the provider is required to perform penetration testing on the AI features.
