Brand Compliance B.V. declares that the management system for information security of Paligo A.B. has been assessed and found to be in compliance with the requirements of the standard ISO 27001:2017.
312/V6 – Certificate number: LN 1422.1.1
Cloud Security
Data Center Security (at AWS)
The physical infrastructure for Paligo is provided by Amazon Web Services (AWS) and all services are hosted in data centers in the United States, Japan, or European Union.
All AWS data centers have been certified as ISO 27001, PCI DSS Service Provider, and/or SOC 2 compliant.
AWS has implemented several on-site security measures; these include physical access restrictions, security guards, fencing, surveillance, intrusion detection, and more.
Data Hosting Locality
Paligo leverages AWS data centers in the United States, Europe, and East Asia. Therefore, Paligo offers data locality choices including the United States, Japan, or European Union.
Network Security
Paligo has configured its networks with a security architecture that consists of multiple security zones. Database servers are protected in the most trusted zones, and other, less sensitive systems are housed in zones proportionate to their sensitivity, information classification, and risk level. Depending on the zone, additional security monitoring and access controls are applied. DMZs are used between the Internet and the internal network, and internally between the different trust zones.
Vulnerability Scanning and Management
Paligo has deployed scheduled vulnerability scanning to detect and remediate vulnerabilities before they reach production. The vulnerability scanning also detects common vulnerabilities, such as the OWASP Top 10 and known CVEs.
Penetration Tests
Penetration tests are performed regularly by an independent third party.
Intrusion Detection and Prevention
Paligo uses intrusion detection and prevention measures to detect malicious behavior; this includes alerting administrators of malicious activity and policy violations, as well as identifying and taking action against attacks.
Access Management/Restriction
Access to Paligo systems is restricted to authorized users or processes only, based on the principles of strict need to know and least privilege. All Paligo employees must use a separate, unique password for each of their work-related accounts. Passwords must not be shared with anyone, including managers and coworkers. All passwords are treated as sensitive, secret Paligo information.
The technical content uploaded and created by the customer’s end users in Paligo may be accessed for support purposes, subject to approval by the customer. The technical content can be, for example, graphical content, drawings, specifications, details, text, communications, and other material.
Incident Detection and Response
Security events and incidents are managed by a dedicated team. Escalation to customers follows the procedures in the agreements, and incident response plans are tested regularly. Major incidents follow a reporting and escalation procedure led by Incident Managers. In case of major technical breakdowns there is a tested disaster recovery process. Paligo offers different support SLAs depending on the license plan. For the Enterprise plan, the target response time is 2 hours for urgent (highest priority) issues and 4 hours for high priority issues. The Enterprise plan also includes a 24/7 emergency response phone number for serious incidents.
Encryption (at rest and in transit)
All communication to and from the Paligo service is encrypted with AES-256 encryption (HTTPS, TLS 1.2). Paligo’s service has encryption at rest enabled with AES-256 for all plans.
Availability
Paligo uses Pingdom for uptime monitoring. A public uptime report is available at http://status.paligoapp.com/.
Continuity
Paligo has an established Business Continuity Plan and a Disaster Recovery Plan. Paligo also has a trained Crisis Management Team for managing any serious incidents.
Application Security
Secure SDLC
Security is applied at every phase of our software development life cycle (SDLC).
The aim of a secure SDLC is to make security a part of the developer’s responsibilities and enable them to create secure applications from the beginning.
We employ third-party security tooling to continuously scan our service against common web application security risks, including, but not limited to, the OWASP Top 10.
We also scan the libraries and dependencies used in our products to identify vulnerabilities and ensure that they are managed.
Separation of Environments
Testing and staging environments are logically separated from the production environment. No production data is used in our development or test environments.
Data Isolation
The Paligo service is a multi-tenant web application. Customer databases are separated from each other and secured by customer-specific authentication credentials. Customer file storage and other systems that handle data are secured by application logic that ensures that only the relevant customer is granted access.
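The tenant-scoping property described above, as an added illustration that is not Paligo's code: every lookup against a shared store carries the caller's tenant, taken from the server-side session rather than the request, so an object id from another tenant is indistinguishable from a missing one. The store, the tenant names and the documents are constructed sample data, and `fetch_unscoped` is included only to show the lookup shape that a multi-tenant application must avoid.

```python
"""Tenant-scoped access check for a multi-tenant document store.

Added illustration (not Paligo's code). Models the Data Isolation property:
application logic grants access to a stored object only to the tenant that
owns it. All data below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class AccessDenied(Exception):
    """Raised when a principal requests an object outside its own tenant."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant_id: str
    body: str


@dataclass(frozen=True)
class Principal:
    """An authenticated user. tenant_id is bound server-side at login and is
    never read from request parameters or the URL."""
    user_id: str
    tenant_id: str


# Constructed sample data: two tenants sharing one physical store.
STORE = {
    1: Document(1, "tenant-a", "Tenant A install guide"),
    2: Document(2, "tenant-b", "Tenant B release notes"),
    3: Document(3, "tenant-a", "Tenant A API reference"),
}


def fetch_unscoped(doc_id: int) -> Optional[Document]:
    """Lookup by object id alone. In a shared store this is the weak form:
    any authenticated user who learns or guesses an id can read the object."""
    return STORE.get(doc_id)


def fetch_scoped(principal: Principal, doc_id: int) -> Document:
    """Hardened form: the tenant filter is part of the lookup itself, and a
    cross-tenant id yields the same error as a nonexistent one, so the
    response does not reveal whether the id exists elsewhere."""
    doc = STORE.get(doc_id)
    if doc is None or doc.tenant_id != principal.tenant_id:
        raise AccessDenied(f"document {doc_id} not found for {principal.tenant_id}")
    return doc


def list_for_tenant(principal: Principal) -> List[int]:
    """Enumeration is scoped too: a tenant only ever sees its own ids."""
    return sorted(d.doc_id for d in STORE.values()
                  if d.tenant_id == principal.tenant_id)


def isolation_audit() -> List[Tuple[str, int, bool, bool]]:
    """Exercise every (tenant, document) pair through the scoped lookup.
    Returns rows (tenant_id, doc_id, denied, expected_denied); a correct
    isolation layer has denied == expected_denied on every row."""
    tenants = sorted({d.tenant_id for d in STORE.values()})
    rows = []
    for tenant in tenants:
        auditor = Principal(f"auditor@{tenant}", tenant)
        for doc in STORE.values():
            try:
                fetch_scoped(auditor, doc.doc_id)
                denied = False
            except AccessDenied:
                denied = True
            rows.append((tenant, doc.doc_id, denied, doc.tenant_id != tenant))
    return rows


if __name__ == "__main__":
    for tenant, doc_id, denied, expected in isolation_audit():
        status = "ok" if denied == expected else "ISOLATION FAILURE"
        print(f"{tenant:9} doc {doc_id}: denied={denied!s:5} {status}")
```

The audit function is the part worth keeping in a real code base: run as a test against the real store, it turns the isolation claim into a check that fails the build if a lookup path ever stops carrying the tenant filter.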
Data Retention
After subscription termination, the account is deactivated after 30 days, the data is archived after 120 days, and the data is deleted after it has been archived for 180 days. The customer can request deletion of the data at any time before that.
Authentication
Multi-factor authentication is available to all users, and on the Enterprise plan it can be centrally enforced. The Enterprise plan also offers SSO based on SAML 2.0.
Back-up and Rollbacks
Paligo takes full backups of customer databases and files every hour. Backups are stored in Amazon S3 and are version-managed. Point-in-time recovery is available for the entire database server. Restore procedures are tested regularly.
Session Management
Sessions are terminated on cookie clearance, or at auto-logout, which is configurable by admins in the Paligo service.
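The two termination paths named above, as an added illustration that is not Paligo's code: an explicit logout and an auto-logout after an admin-configurable idle period, both decided on the server, so that a session is dead even if a client still holds the cookie. The store, the default timeout and the timestamps are constructed; timestamps are passed in explicitly so the behaviour is deterministic.

```python
"""Server-side session store with an admin-configurable idle timeout.

Added illustration (not Paligo's code). Shows why session termination is
enforced server-side: clearing a cookie removes the client's copy of the
token, but only the server can make the token itself stop working.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


@dataclass
class SessionStore:
    # Admin-configurable auto-logout period; 15 minutes is a constructed default.
    idle_timeout_s: int = 15 * 60
    _sessions: Dict[str, Session] = field(default_factory=dict)

    def set_idle_timeout(self, seconds: int) -> None:
        """Admin setting: how long a session may stay idle before auto-logout."""
        if seconds <= 0:
            raise ValueError("idle timeout must be positive")
        self.idle_timeout_s = seconds

    def create(self, user_id: str, now: float) -> str:
        """Issue an opaque, unguessable token; the server keeps all state."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, now, now)
        return token

    def resolve(self, token: str, now: float) -> Optional[str]:
        """Return the user behind a live session, or None.
        An idle session is deleted on first touch, not merely rejected, so a
        stale cookie presented later cannot revive it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout_s:
            del self._sessions[token]          # auto-logout
            return None
        s.last_seen = now                      # activity extends the session
        return s.user_id

    def logout(self, token: str) -> bool:
        """Explicit termination: invalidate on the server, then the client
        clears its cookie. Returns False if the session was already gone."""
        return self._sessions.pop(token, None) is not None

    def live_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    store.set_idle_timeout(600)
    tok = store.create("alice", now=1000.0)
    print(store.resolve(tok, now=1500.0))   # alice: 500 s idle, under limit
    print(store.resolve(tok, now=2200.0))   # None: 700 s idle, auto-logout
    print(store.logout(tok))                # False: already terminated
```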
Key Management
We use AWS KMS and apply industry best practice as recommended by AWS.
Maintenance
Paligo will notify customers in advance of any major changes that will cause service downtime. Paligo will, however, intermittently update the system with upgrades, bug fixes, and patches; these are done without notification unless the customer is specifically affected. Communication is by email.
Human Resource Security
Background Checks
Paligo performs background checks on all employees and contractors (always aligned with local laws, regulations, ethics, and contractual requirements) before granting access to the Paligo network, assets, and resources.
NDAs
Non-disclosure agreements are signed with all employees and relevant third parties before they gain access to sensitive information. The NDAs remain valid during the contract and after its termination.
Awareness Training
Participation in Paligo’s security awareness training is mandatory for all employees and relevant third parties.
Disciplinary Process
Paligo has implemented a disciplinary procedure. Employees who do not comply with security requirements or who violate security policies are subject to disciplinary action.
Compliance
Risk Management
Paligo has an established risk management process. The Paligo risk management process includes the following steps:
- Risk Identification
- Risk Assessment
- Risk Evaluation
- Risk Treatment
Paligo management has the authority to accept risks. Risks related to customer data and the Paligo service are included in the risk assessment.
Audit
Paligo is subject to several audits, both internal and external, each year to ensure security is upheld and continuously improved.
Governance
Paligo’s Information Security Policy, and its subordinate information security documents, apply to all employees, consultants, contractors, and other third-party users involved in any way with the application, design, development, and support of Paligo’s service. At Paligo, adherence to governance documentation is both an individual and corporate responsibility.
Legal and Regulatory compliance
Paligo is committed to maintaining compliance with all regulatory, legislative, and contractual requirements and continually assesses relevant rules and legislation affecting our business.
AI in Paligo
AI Features Availability
All customers, regardless of their chosen pricing tier, may be granted the opportunity to take advantage of our AI feature via our Closed Beta program.
Content Usage for Training Purposes
Our AI setup values your privacy and security, so your data, inputs, and outputs are not used to train the AI.
Encryption
The same level of data encryption is used for our CCMS and AI capabilities, both at rest (using AES-256) and in transit (using TLS 1.2+).
AI Biases
We acknowledge the possibility of bias in algorithms and make efforts to minimize its effects. All features that use AI models must adhere to fair and impartial algorithms, taking into account any imbalances in data that may lead to discriminatory results.
AI / LLM Privacy Policy
We are using OpenAI’s LLM; their privacy policy can be found here.