Updated, March 2025
This document outlines Paligo’s Technical and Organisational Measures designed to protect the confidentiality, integrity, and availability of information processed within our services. These Security Measures are fundamental to our operations and commitment to data protection, and they serve as a comprehensive reference for our customers and partners.
- DEFINITIONS
- “Customer Data” means information as defined in the main agreement between Customer and Paligo.
- “Personal Data” means any information relating to an identified or identifiable natural person that Paligo has received or collected pursuant to a Customer agreement. Such information includes, without limitation, names, contact information, e-mail addresses, and other categories of information as agreed upon for the Paligo Service.
- “Security Incident” means: (i) the loss, misuse or breach, by any means, of Customer Data, or (ii) the inadvertent, unauthorized, and/or unlawful Processing of any Customer Data that compromises its security, confidentiality, or integrity.
- “Service” means those part(s)/feature(s) of Paligo’s end-to-end component content management system (CCMS) solution for technical documentation, policies and procedures, and knowledge management that are included in a Subscription purchased by the Customer under this Agreement.
- SCOPE AND APPLICABILITY
The Security Measures detailed in this document apply to all aspects of Paligo’s service delivery and internal operations that impact the security of customer data. This includes all information technology infrastructure, software, and physical facilities owned or operated by Paligo, as well as all Paligo employees, contractors, and agents.
- SECURITY REQUIREMENTS
- Information Security Policies
- Policies for Information Security. Paligo’s policies for information security should be documented by Paligo, approved by Paligo’s management, published, and communicated to Paligo’s personnel, contractors, agents and relevant external third parties.
- Review of the Policies for Information Security. Paligo information security policies should be reviewed by Paligo at least annually, or promptly after material changes to the policies occur, to confirm applicability and effectiveness.
- Information Security Reviews. Paligo’s approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.
- Organization of Information Security
- Security Accountability. Paligo should assign one or more security officers who will be responsible for coordinating and monitoring Paligo’s information security function, policies, and procedures.
- Security Roles and Responsibility. Paligo personnel, contractors and agents who are involved in providing Paligo Services should be subject to confidentiality agreements with Paligo.
- Risk Management. Appropriate information security risk assessments should be performed by Paligo as part of an ongoing risk governance program established with the objective of recognizing risk, assessing its impact, and, where risk-reducing or mitigation strategies are identified and implemented, effectively managing the risk, recognizing that the threat landscape constantly changes.
- Human Resource Security
- Security Training. Appropriate security awareness, education and training should be provided to all Paligo personnel.
- Asset Management
- Asset Inventory. Paligo should maintain an asset inventory of all media and equipment where Customer Data is stored. Access to such media and equipment should be restricted to authorized Paligo personnel.
- Asset Handling
- Paligo should classify Customer Data so that it is properly identified and access to Customer Data should be appropriately restricted.
- Paligo should maintain an acceptable use policy with restrictions on printing Customer Data and procedures for appropriately disposing of printed materials that contain Customer Data when such data is no longer needed to provide the Paligo Services under the Agreement.
- Paligo should maintain an appropriate approval process whereby approval is granted to personnel, contractors, and agents prior to storing Customer Data on portable devices, remotely accessing Customer Data, or processing such data outside of Paligo facilities. If storing Customer Data on portable devices is approved, Paligo should enforce the use of current Industry Standard encryption on the portable device. If mobile devices are used to access or store Customer Data, Paligo personnel, contractors and agents should use a mobile device management (MDM)/mobile application management (MAM) solution that enforces encryption, passcode, and remote wipe settings to secure Customer Data. Paligo will prohibit the enrollment of mobile devices that have been “jailbroken.”
- Access Control
- Access Control Policy. Paligo should maintain an appropriate access control policy that is designed to restrict access to Customer Data and Paligo assets to authorized personnel and contractors.
- Authorization
- Paligo should maintain user account creation and deletion procedures for granting and revoking access to all assets, Customer Data, and all internal applications while providing Paligo Services under the Agreement. Paligo will assign an appropriate authority to approve the creation of user accounts or elevated levels of access for existing accounts.
- Paligo should maintain and update records of personnel who are authorized to access Paligo systems that are involved in providing Paligo Services and review such records at least quarterly.
- Paligo should ensure the uniqueness of user accounts and passwords for each individual. Individual user accounts must not be shared.
- Paligo should remove access rights to assets that store Customer Data for personnel, contractors and agents upon termination of their employment, contract or agreement within fourteen (14) business days, or access should be appropriately adjusted upon change (e.g., change of personnel role).
- Paligo will perform periodic access reviews for system users for all supporting systems requiring access control.
- Least Privilege Access
- Paligo should restrict access to Paligo systems involved in providing Paligo Services to only those individuals who require such access to perform their duties, applying the principle of least privilege.
- Administrative and technical support personnel or contractors should only be permitted to have access to such data when required.
- Paligo should support segregation of duties between its environments so that no individual person has access to perform tasks that create a security conflict of interest.
- Authentication
- Paligo will use current, and at a minimum, Industry Standard capabilities to identify and authenticate personnel and contractors who attempt to access information systems and assets.
- Paligo should maintain current Industry Standard practices to deactivate passwords that have been corrupted or disclosed.
- Paligo should monitor for repeated access attempts to information systems and assets.
- Paligo should maintain current Industry Standard password protection practices that are designed and in effect to maintain the confidentiality and integrity of passwords generated, assigned, distributed, and stored in any form.
- Paligo should maintain and enforce a password policy that is aligned to current Industry Standards (e.g., ISO/IEC 27001, NIST Cyber Security Framework, PCI DSS (Payment Card Industry Data Security Standard), Center for Internet Security) and default passwords must be changed before deploying any new asset.
- Paligo personnel, agents and contractors should use multi-factor authentication and encrypted sessions for access to Paligo systems.
- Cryptography
- Cryptographic Controls. Paligo should maintain policies and standards regarding the use of cryptographic controls that are implemented to protect Customer Data. Paligo should implement Industry Standard key management policies and practices designed to protect and generate encryption keys for their entire lifetime.
- Physical and Environmental Security
- Physical Access to Facilities. Paligo should limit access to facilities (where systems that are involved in providing the Paligo Services are located) to identified personnel, agents and contractors.
- Physical Access to Components. Paligo should maintain records of incoming and outgoing media containing Customer Data, including the type of media, the authorized sender/recipient, the date and time, the number of media, and the type of data the media contains. Paligo should ensure that backups (including remote and cloud service backups) are properly protected via physical security or encryption when stored, as well as when they are moved across the network.
- Protection from Disruptions. Paligo should protect equipment from power failures and other disruptions caused by failures in supporting utilities. Telecommunications and network cabling must be protected from interception, interference, and/or damage.
- Secure Disposal or Reuse of Equipment. Paligo should verify equipment containing storage media, to confirm that all Customer Data has been deleted or securely overwritten using Industry Standard processes, prior to disposal or re-use.
- Clear Desk and Clear Screen Policy. Paligo should adopt a clear desk policy for papers and removable storage media and a clear screen policy.
- Operations Security
- Operations Policy. Paligo should maintain appropriate operational and security operating procedures and such procedures should be made available to all personnel who require them.
- Logging and Monitoring of Events
- Paligo must enable logging and monitoring on all operating systems, databases, applications, and security and network devices that are involved in providing Paligo Services. Logs must capture the access ID, the authorization granted or denied, the date and time, the relevant activity, and be regularly reviewed. All relevant information processing systems should synchronize time to a single reference time source.
- Logging capabilities should be protected from alteration and unauthorized access.
- Protections from Malware. Paligo should maintain anti-malware controls that are designed to protect systems from malicious software, including malicious software that originates from public networks. Paligo should maintain software at the then current major release for Paligo owned anti-malware software and should maintain appropriate maintenance and support for new releases and versions of such software.
- Encrypted Backup. Paligo should maintain an encrypted backup and restoration policy that also protects Customer Data from exposure to ransomware attacks, and should back up Customer Data, software, and system images in accordance with Paligo policy unless other such requirements are agreed upon. Paligo should regularly test restoration procedures.
- Control of Software and Utilities. Paligo should enforce policies and procedures that govern the installation of software and utilities by personnel.
- Change Management. Paligo should maintain and implement procedures to ensure that only approved and secure versions of code, configurations, systems, utilities, and applications will be deployed for use.
- SECURITY AUDITS AND COMPLIANCE
- Customer should have the right to request security audit reports or conduct security assessments.
- Paligo’s Technical and Organisational Measures are regularly audited by independent third-party assessors to ensure ongoing compliance with industry standards and best practices. Findings from these audits are reviewed and addressed promptly to maintain the effectiveness of our security posture.
- INCIDENT MANAGEMENT
- Response Plans. Paligo will maintain security incident response plans.
- Paligo’s security incident response team will be staffed and responsible for investigating and responding to information security-related events escalated to its attention and for determining whether a Security Incident has taken place. Upon confirmation of a Security Incident, Paligo will promptly, but in no event later than 48 hours thereafter, notify Customer of such Security Incident and provide Customer with information about the Security Incident including, where possible, (i) the categories and approximate number of affected Customer Data records and, if applicable, the categories and approximate number of affected Data Subjects, (ii) the impact and likely consequences of the Security Incident for Customer and, if applicable, the affected Data Subjects, and (iii) the corrective action or remediation efforts taken or to be taken by Paligo.
- Following any Security Incident, Paligo will consult in good faith with Customer regarding remediation efforts that may be necessary and reasonable.
- Incident Notification. Any notifications to Customers or employees of Customer regarding Security Incidents will be handled exclusively by Customer, unless otherwise directed by Customer. Paligo will reasonably cooperate in connection with notices to Customers and employees of Customer regarding a Security Incident.
- TERMINATION AND DATA DESTRUCTION
- Upon termination of the contract, Paligo should securely delete all Customer Data and, upon request, provide confirmation of deletion, unless otherwise instructed or agreed to in the main agreement between Customer and Paligo.