Brand Compliance B.V. declares that the management system for information security of Paligo A.B. has been assessed and found to be in compliance with the requirements of the standard ISO 27001:2017.

312/V6 – Certificate number: LN 1422.1.1

Cloud Security

Data Center Security (at AWS)

The physical infrastructure for Paligo is provided by Amazon Web Services (AWS), and all services are hosted in data centers in the United States, Japan, or the European Union.

All AWS data centers have been certified as ISO 27001, PCI DSS Service Provider, and/or SOC 2 compliant.

AWS has implemented a range of on-site security measures, including physical access restrictions, security guards, fencing, surveillance, and intrusion detection.

Data Hosting Locality

Paligo uses AWS data centers in the United States, Europe, and East Asia, so customers can choose where their data is hosted: the United States, Japan, or the European Union.

Network Security

Paligo's network security architecture consists of multiple security zones. Database servers are placed in the most trusted zone, and less sensitive systems are housed in zones proportionate to their sensitivity, information classification, and risk level. Additional security monitoring and access controls are applied depending on the zone. DMZs are used between the Internet and the internal network, and internally between the different trust zones.

Vulnerability Scanning and Management

Paligo runs scheduled vulnerability scanning so that vulnerabilities are detected and mitigated before they reach production. The scanning covers common vulnerability classes, such as the OWASP Top 10, as well as known CVEs.

Penetration Tests

Penetration tests are performed regularly by an independent third party.

Intrusion Detection and Prevention

Paligo uses intrusion detection and prevention measures to detect malicious behavior. This includes alerting administrators to malicious activity and policy violations, as well as identifying attacks and taking action against them.

Access Management/Restriction

Access to Paligo systems is restricted to authorized users or processes only, based on the principles of strict need to know and least privilege. All Paligo employees must use a separate, unique password for each of their work-related accounts. Passwords must not be shared with anyone, including managers and coworkers. All passwords are treated as sensitive, secret Paligo information.

The technical content uploaded and created by the customer's end users in Paligo may be accessed for support purposes, subject to approval by the customer. Such technical content includes, for example, graphical content, drawings, specifications, details, text, communications, and other material.

Incident Detection and Response

Security events and incidents are managed by a dedicated team. Escalation to customers follows the procedures in the relevant agreements, and incident response plans are tested regularly. Major incidents follow a reporting and escalation procedure led by Incident Managers. For major technical breakdowns there is a tested disaster recovery process. Paligo offers different support SLAs depending on the license plan. For the Enterprise plan, the target response time is 2 hours for urgent (highest priority) issues and 4 hours for high priority issues. The Enterprise plan also includes a 24/7 emergency response phone number for serious incidents.

Encryption (at rest and in transit)

All communication to and from the Paligo service is encrypted in transit over HTTPS (TLS 1.2) using AES-256 cipher suites. Data at rest is encrypted with AES-256 for all plans.
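A practitioner will want to verify the transit claim rather than take it on trust. The following is an added example (not Paligo's own tooling): it encodes the stated policy (TLS 1.2 or newer, AES-256 bulk cipher) as a check on the tuple returned by Python's `SSLSocket.cipher()`, builds a client context that refuses anything weaker, and includes a `check_endpoint()` helper for a live test. The hostname, port and sample cipher tuples are assumptions for illustration, not captured from Paligo.

```python
"""Check that a TLS endpoint meets the stated policy: TLS 1.2 or newer,
with an AES-256 bulk cipher. Added example, not Paligo's own tooling."""
import socket
import ssl

# Policy: protocol must be TLS 1.2 or 1.3, and the negotiated cipher must use
# AES-256 as the bulk cipher. OpenSSL spells it "AES256" in TLS 1.2 suite names
# and "AES_256" in TLS 1.3 suite names.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def meets_policy(cipher_name: str, protocol: str, secret_bits: int) -> bool:
    """Evaluate the (name, protocol, bits) tuple returned by SSLSocket.cipher()."""
    if protocol not in ALLOWED_PROTOCOLS:
        return False
    if "AES256" not in cipher_name and "AES_256" not in cipher_name:
        return False
    return secret_bits >= 256


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and, for TLS 1.2,
    offers only ECDHE + AES-256 suites. Caveat: TLS 1.3 suites are not
    governed by set_ciphers() in Python's ssl module, so the post-handshake
    meets_policy() check is still needed to reject e.g. ChaCha20 or AES-128."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AES256:!aNULL:!MD5")
    return ctx


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect and report (name, protocol, bits, compliant).
    Live network call; not exercised in the offline samples below."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, bits = tls.cipher()
            return name, protocol, bits, meets_policy(name, protocol, bits)


# Constructed cipher() tuples for the offline check (assumed, not observed).
SAMPLES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),  # compliant
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),       # compliant
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),  # AES-128: not compliant
    ("TLS_CHACHA20_POLY1305_SHA256", "TLSv1.3", 256), # 256-bit but not AES
    ("AES256-SHA", "TLSv1.0", 256),                   # obsolete protocol
]


def evaluate_samples() -> list:
    """Apply the policy to each constructed sample."""
    return [meets_policy(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, ok in zip(SAMPLES, evaluate_samples()):
        print(sample, "OK" if ok else "FAIL")
    # Example live check against an assumed hostname (requires network):
    # print(check_endpoint("app.example.com"))
```

Note that "AES-256" is the bulk cipher negotiated inside TLS, not a separate layer; the check therefore has to look at the negotiated suite, and a server that prefers a ChaCha20 suite on TLS 1.3 would be flagged even though the connection is otherwise sound.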

Availability

Paligo uses Pingdom for uptime monitoring. A public uptime report is available at http://status.paligoapp.com/.

Continuity

Paligo has an established Business Continuity Plan and a Disaster Recovery Plan. Paligo also has a trained Crisis Management Team for managing any serious incidents.

Application Security

Secure SDLC

Security is applied at every phase of our software development life cycle (SDLC).

The aim of a secure SDLC is to make security part of each developer's responsibilities and to enable them to build secure applications from the start.

We employ third-party security tooling to continuously scan our service against common web application security risks, including, but not limited to the OWASP Top 10.

We also scan the libraries and dependencies used in our products to identify vulnerabilities and ensure that they are managed.

Separation of Environments

Testing and staging environments are logically separated from the production environment. No production data is used in our development or test environments.

Data Isolation

The Paligo service is a multi-tenant web application. Customer databases are separated from each other and secured with customer-specific authentication credentials. Customer file storage and other systems that handle data are protected by application logic that ensures only the relevant customer is granted access.

Data Retention

After subscription termination, the account is deactivated after 30 days and its data is archived after 120 days; archived data is deleted after a further 180 days. The customer can request deletion of their data at any time before that.

Authentication

Multi-factor authentication is available to all users, and on the Enterprise plan it can be centrally enforced. The Enterprise plan also offers SSO based on SAML 2.0.

Back-up and Rollbacks

Paligo takes full backups of customer databases and files every hour. Backups are stored in Amazon S3 and are version-managed. Point-in-time recovery is available for the entire database server. Restore procedures are tested regularly.

Session Management

Sessions are terminated when the session cookie is cleared or at auto-logout, whose timeout is configurable by admins in the Paligo service.
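The security-relevant detail in auto-logout is that a session must expire on the server, not merely in the browser: clearing a cookie stops the client presenting the token, but a copied token stays valid until the server invalidates it. The following is an added example (not Paligo's code) of a server-side session store with an admin-configurable idle timeout and an absolute lifetime; the store layout, timeout values, token format and the fake clock are assumptions for illustration.

```python
"""Server-side session store with configurable auto-logout.
Added example, not Paligo's implementation; all values are assumptions."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float    # epoch seconds when the session was issued
    last_seen: float  # epoch seconds of the last authenticated request


class SessionStore:
    def __init__(self, idle_timeout_s=30 * 60, absolute_timeout_s=12 * 3600,
                 clock=time.time):
        # idle_timeout_s is the admin-configurable auto-logout;
        # absolute_timeout_s caps a session even if it is kept active.
        self.idle_timeout_s = idle_timeout_s
        self.absolute_timeout_s = absolute_timeout_s
        self._clock = clock
        self._sessions = {}

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: the token is unguessable.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str):
        """Return the user for a valid token, else None. Expired sessions are
        deleted here, so a replayed old cookie cannot revive them."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if (now - s.last_seen > self.idle_timeout_s
                or now - s.created > self.absolute_timeout_s):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        """Explicit logout invalidates server-side. Merely clearing the cookie
        in the browser would leave the token usable until it times out."""
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Controllable clock so the timeouts can be exercised without waiting."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo() -> dict:
    """Walk through idle timeout, absolute timeout and explicit logout."""
    clock = FakeClock()
    store = SessionStore(idle_timeout_s=600, absolute_timeout_s=3600,
                         clock=clock)
    results = {}

    tok = store.create("alice")
    clock.advance(599)
    results["within_idle"] = store.resolve(tok)          # "alice"
    clock.advance(601)                                   # > 600 s idle
    results["after_idle"] = store.resolve(tok)           # None

    tok2 = store.create("bob")
    for _ in range(6):                                   # keep touching it
        clock.advance(550)
        store.resolve(tok2)
    clock.advance(550)                                   # now > 3600 s old
    results["after_absolute"] = store.resolve(tok2)      # None

    tok3 = store.create("carol")
    store.logout(tok3)
    results["after_logout"] = store.resolve(tok3)        # None
    results["remaining"] = store.active_count()          # 0
    return results


if __name__ == "__main__":
    print(demo())
```

Treat the idle value an admin sets as the guarantee actually offered: a 30-minute auto-logout with no absolute cap still lets a stolen token live indefinitely as long as it is used at least every 30 minutes, which is why the example carries both limits.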

Key Management

Keys are managed in AWS KMS, following AWS best practice for key management.

Maintenance

Paligo gives advance notice of any major change that will cause service downtime. Upgrades, bug fixes, and patches are rolled out intermittently without notification unless a customer is specifically affected. Notifications are sent by email.

Human Resource Security

Background Checks

Paligo performs background checks on all employees and contractors (always in line with local laws, regulations, ethics, and contractual requirements) before granting access to the Paligo network, assets, and resources.

NDAs

Non-disclosure agreements are signed with all employees and relevant third parties before they gain access to sensitive information. The NDAs remain in force during the contract and after its termination.

Awareness Training

Participation in Paligo's security awareness training is mandatory for all employees and relevant third parties.

Disciplinary Process

Paligo has an established disciplinary procedure. Employees who do not comply with security requirements or who violate security policies are subject to disciplinary action.

Compliance

Risk Management

Paligo has an established risk management process, which consists of the following steps:

  1. Risk Identification
  2. Risk Assessment
  3. Risk Evaluation
  4. Risk Treatment

Paligo management has the authority to accept risks. Risks related to customer data and the Paligo service are included in the risk assessment.

Audit

Paligo is subject to several audits, both internal and external, each year to ensure security is upheld and continuously improved.

Governance

Paligo's Information Security Policy, and its subordinate information security documents, apply to all employees, consultants, contractors, and other third-party users involved in any way with the application, design, development, and support of Paligo's service. At Paligo, adherence to governance documentation is both an individual and a corporate responsibility.

Legal and Regulatory compliance

Paligo is committed to maintaining compliance with all regulatory, legislative, and contractual requirements, and continually assesses the rules and legislation affecting its business.