Security Policy

Last Updated: August 16, 2024

1. Introduction

Palunterdo is committed to protecting the security of its platform, systems, and the data entrusted to us by users, clients, and partners. This Security Policy describes the administrative, technical, and physical safeguards we maintain to protect information and ensure the integrity, confidentiality, and availability of our services.

2. Scope

This policy applies to all systems, applications, infrastructure, and personnel associated with the operation of palunterdo.biz, including all data processed or stored on behalf of users of the platform.

3. Information Security Principles

Our security program is built around the following core principles:
  • Confidentiality: Access to data is restricted to authorised individuals only.
  • Integrity: Data is protected against unauthorised modification or corruption.
  • Availability: Systems and services are maintained to ensure reliable access for authorised users.

4. Data Protection

4.1 Data in Transit

All data transmitted between users and our platform is encrypted using industry-standard Transport Layer Security (TLS). We enforce secure connections and do not support deprecated or insecure protocol versions.

4.2 Data at Rest

Sensitive data stored on our systems is encrypted using strong encryption algorithms. Encryption keys are managed through secure key management practices and are rotated on a regular schedule.

4.3 Data Minimisation

We collect and retain only the data necessary to deliver our services. Data that is no longer required is securely deleted or anonymised in accordance with our data retention practices.

5. Access Control

5.1 Principle of Least Privilege

Access to systems, data, and infrastructure is granted based on the minimum permissions required to perform a specific function. Access rights are reviewed regularly and revoked promptly when no longer needed.

5.2 Authentication

We require strong authentication mechanisms for all internal systems. Multi-factor authentication (MFA) is enforced for access to sensitive systems and administrative interfaces. User passwords are stored using strong one-way hashing algorithms.

5.3 User Account Security

Users are responsible for maintaining the confidentiality of their account credentials. We provide tools for users to manage their account security, including password reset and session management features. Suspicious account activity should be reported promptly to [email protected].

6. Infrastructure Security

6.1 Network Security

Our infrastructure is protected by firewalls, network segmentation, and intrusion detection systems. Access to internal networks is strictly controlled and monitored. Public-facing services are isolated from internal systems.

6.2 Vulnerability Management

We conduct regular vulnerability assessments and security reviews of our systems and applications. Identified vulnerabilities are prioritised and remediated in a timely manner based on their assessed risk level.

6.3 Patch Management

Security patches and updates are applied to operating systems, application dependencies, and third-party components on a regular schedule. Critical security patches are applied on an expedited basis.

6.4 Physical Security

Our services are hosted in facilities that maintain physical security controls including restricted access, surveillance, and environmental protections. Physical access to server infrastructure is limited to authorised personnel only.

7. Application Security

7.1 Secure Development

Security considerations are integrated into our software development lifecycle. Development practices include code review, static analysis, and security-focused testing prior to release.

7.2 Dependency Management

Third-party libraries and dependencies used in our platform are regularly reviewed for known vulnerabilities. We monitor security advisories and update components promptly when vulnerabilities are disclosed.

7.3 Input Validation

Our applications implement input validation and output encoding to protect against common web application vulnerabilities, including injection attacks and cross-site scripting.

8. Monitoring and Logging

We maintain logging and monitoring systems to detect, investigate, and respond to security events. Logs are retained for an appropriate period to support security investigations and compliance requirements. Access to logs is restricted to authorised personnel.

9. Incident Response

We maintain an incident response plan to guide our response to security incidents. In the event of a confirmed security incident affecting user data, we will:
  • Investigate and contain the incident promptly.
  • Assess the scope and impact of the event.
  • Notify affected users and relevant parties in accordance with applicable requirements.
  • Take remedial action to prevent recurrence.
  • Document lessons learned and update security controls as appropriate.

To report a security incident or concern, contact us at [email protected].

10. Third-Party Service Providers

We work with third-party service providers to deliver certain components of our platform. Third parties that process or have access to user data are evaluated for their security practices. We require third-party providers to maintain appropriate security controls consistent with this policy.

11. Employee Security

Personnel with access to platform systems or user data receive security awareness training and are bound by confidentiality obligations. Access privileges are reviewed upon changes in role and revoked upon termination of employment or engagement.

12. Business Continuity and Disaster Recovery

We maintain backup and recovery procedures to support the availability of our services in the event of system failure or disruption. Backups are performed regularly, encrypted, and tested periodically to verify recoverability.

13. Responsible Disclosure

If you believe you have discovered a security vulnerability in our platform, we encourage responsible disclosure. Please report your findings to us at [email protected] before any public disclosure. We will acknowledge receipt of your report, investigate the issue promptly, and work to remediate confirmed vulnerabilities. We ask that you refrain from accessing, modifying, or disclosing data belonging to other users during your research.

14. Policy Review

This Security Policy is reviewed periodically and updated to reflect changes in our practices, technology, and risk environment. Significant changes will be communicated through our platform or website. Continued use of our services following any update constitutes acceptance of the revised policy.

15. Contact

For questions or concerns regarding this Security Policy, please contact us:
Palunterdo
2711 38 St, Vernon, BC V1T 6H5, Canada
+1 905 688 0376
[email protected]
palunterdo.biz