Security
Read through the security policies and certifications Panaseer maintains to earn our customers' trust.
FAQs
These FAQs address the issues that matter to our customers and prospects. If you can't find what you're looking for, get in touch.
Has Panaseer achieved ISO27001 certification?
Yes. We were re-certified in November 2023. Copies of our Statement of Applicability and ISO27001 certificate are displayed in this section of the website, and a summary of our external audit report is available on request under NDA.
Does Panaseer have a risk management framework?
Yes. Our risk management framework is aligned to ISO31000.
Does Panaseer have formal information security policies that are reviewed at least annually?
Yes. We have policies covering all aspects of information security, and they form part of our ISMS (Information Security Management System). At a high level, these policies cover: starters and leavers; cryptography; BYOD; anti-virus; cloud security; supplier management; risk management; vulnerability management; incident management; asset management; and more.
Is Panaseer cloud-based and what cloud service provider do you use?
Yes. Our solution is SaaS (Software as a Service) and is hosted in AWS (Amazon Web Services). We operate in AWS regions in the EU (European Union), the US and Canada, which provides data residency (digital sovereignty) for clients operating in those regions.
Will my organization’s data be encrypted?
Yes. All data is encrypted at rest (AES-256) and in transit (TLS 1.2, Transport Layer Security).
Does Panaseer conduct disaster recovery tests at least annually?
Yes, annually. Summary reports of these tests are available on request under an MNDA (mutual non-disclosure agreement).
Does Panaseer have somebody managing its Information Security Management System full-time?
Yes, our ISMS is managed by our full-time Information Security Manager.
Does Panaseer perform regular backups and are they encrypted and tested?
Yes. We perform regular backups, which are fully encrypted and tested.
Does Panaseer have a Secure Development Lifecycle program?
Yes. We follow OWASP Top 10 best practices, our SSDLC (secure system development lifecycle) is fully embedded in our development workflow, and all developers are trained on both the SSDLC and the OWASP Top 10.
Does Panaseer conduct mandatory security training for all staff?
Yes. Security training is mandatory for all staff and is delivered twice a year. It covers the core aspects of information security and privacy.
Does Panaseer have a business continuity plan?
Yes. The full plan is tested over a three-year cycle. We also conduct yearly tabletop exercises and yearly disaster recovery testing.
Does Panaseer conduct vulnerability scans?
Yes. We conduct regular DAST (dynamic application security testing), SAST (static application security testing) and dependency scanning across our environments, and all findings are subject to our remediation policy. A dedicated team tracks open vulnerabilities through to closure.
Does Panaseer conduct regular internal and external audits?
Yes. We run our own technical internal audits, we hire specialized consultants to audit our ISMS, and external auditors assess us for our ISO27001 certification.
Is there an incident management process and will Panaseer disclose a serious breach in a timely manner?
Yes. We have a thorough incident management process that is both tested and audited. In the event of a breach affecting a customer, we would notify that customer within 24 hours.
Is Panaseer compliant with privacy laws/regulations?
Yes, we are, and we conducted a full GDPR (General Data Protection Regulation) gap analysis in 2022.
Is Panaseer covered by cyber insurance?
Yes, we are. We have adequate multi-layered cyber insurance in place with reputable insurers.
Does Panaseer conduct regular penetration testing?
Yes, annually, or when a major change occurs. These reports are available upon request under NDA, and any findings are subject to our remediation policy.
Does Panaseer monitor its suppliers for security-related risk?
Yes. Our supplier relationship process screens all suppliers and monitors them on an ongoing basis.
Do Panaseer employees undergo background checks?
Yes, all Panaseer employees who handle client data undergo full background checks.
Does Panaseer have a change control policy?
Yes, this is covered by our SSDLC. In short, every change requires approval.
Are Panaseer’s endpoints protected from malware and other security risks?
Yes. Every endpoint in our estate is protected against malware, patched regularly and encrypted, and access is protected by MFA (multi-factor authentication) and SSO (single sign-on).
Which sub-processors does Panaseer use and how is my data processed with them?
We use AWS as our cloud service provider, Snowflake as our data warehouse, and Pendo as our user analytics platform. These sub-processors are essential to delivering our platform as efficiently as possible. All sub-processors have undergone due diligence, and a data protection impact assessment has been conducted for each; these are available on request under a mutual non-disclosure agreement.
AWS hosts our infrastructure (IaaS), Snowflake mirrors this environment, and Pendo collects usernames and user behavior only; it does not collect any vulnerability data.