Last Updated: 13th January 2025
This Security Policy (“Policy”) details Panaya’s security program, and is updated from time to time to ensure the accuracy of this Policy, provided that the levels of security will not be reduced in a material way. This Policy is an overview of the means taken by Panaya to ensure compliance with various security requirements and applicable regulations.
This Policy may be referred to from the agreement signed between Panaya Ltd. or its subsidiaries and affiliated companies (together, hereinafter “Panaya”) and the Customer using the Panaya Services (“Agreement”) and shall be a binding governing policy to ensure Panaya’s security obligations are met. This Security Policy is an integral part of the Agreement governing the use of the Panaya Services.
Capitalized terms used herein but not defined shall have the meaning assigned to them in the applicable Agreement, or can be viewed in the Panaya EULA or MSA, as the case may be.
This Policy provides an overview of the security, technical and organizational measures taken by Panaya. Computer information systems and networks are an integral part of business at Panaya. Panaya has made a substantial investment in human, financial and technological resources to develop and support these systems. The security policies and guidelines have been established in order to:
The security policies apply to all employees, contractors and temporary workers. Certain policies also apply to subcontractors.
1.1. Panaya’s operations, policies and procedures are audited regularly to ensure that it meets all standards expected of it as a SaaS system provider. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.
1.2. Panaya is audited and verified under the System and Organization Controls (SOC 2) framework. If you wish to be provided with the certification and report, please contact us at: [email protected].
2.1. Panaya data security practices are anchored in a robust control environment, defined by a strong awareness and attitude towards internal controls from its management under the supervision of the board. Authority and responsibility are clearly defined and communicated through organizational structures and policies.
2.2. Management, including the CISO, routinely assesses risks and compliance, emphasizing security and confidentiality. Human resources policies strengthen this framework, focusing on hiring competent personnel, providing necessary training, and ensuring compliance with security policies.
3.1. Physical access to the offices is restricted to authorized personnel. Recertification for physical access rights to the office will be on a quarterly basis. Physical access is controlled both at the perimeter and at building entrance points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means.
3.2. Visitors are required to always be accompanied by a Panaya employee during their stay. Employees encountering an unfamiliar or suspicious person wandering around the office are expected to ask them politely about the nature of their business and, if necessary, accompany them to their host. Visitors are not allowed to access or connect to the Panaya network or equipment.
3.3. Panaya data center security is reinforced through its reliance on well-known major cloud services providers’ global infrastructure, which encompasses facilities, networks, hardware, and operational software. Currently Panaya uses AWS. This infrastructure adheres to stringent security best practices and complies with various security standards and regulations.
3.4. The data center’s facilities provide redundant power, redundant backup generators, and redundant cooling systems. Physical access to the data center floor space housing Panaya cloud-based Services is secured according to industry-standard best practices.
4.1. Panaya implements stringent access control and user permissions management to ensure the security of its information assets. Access is strictly limited to a “need to know” basis. Proper on/off-boarding processes are initiated by the HR department. Once a user has been disabled, they are denied access to all systems. Access permissions are aligned with job descriptions and responsibilities. Access permissions are regularly reviewed and approved.
4.2. Panaya enforces robust password standards, including requirements for character complexity and password history. Specifically, for systems and applications that access Customer Data, Panaya will enforce high-standard password requirements.
4.3. Additional security measures include controlled system resource access, especially for higher privilege accounts, and enforced security settings on company laptops such as encryption, and remote wipe capabilities.
4.4. Panaya shall implement and enforce multi-factor authentication for applications and systems where technically feasible and legally required (i.e., due to the sensitivity of the data or the importance of the feature).
5.1. Panaya maintains rigorous access controls within its production environment to safeguard system integrity and data security. Access to the production environment is heavily restricted, with 2FA, ensuring that only authorized personnel gain entry.
5.2. For backup access, alterations and deletions are strictly controlled, accessible only to authorized users and again protected by 2FA. The same level of security applies to source control and sensitive database access, ensuring robust protection against unauthorized changes or data breaches.
6.1. Panaya will maintain baseline configurations for infrastructure deployed and used within the production environment. Panaya will maintain mechanisms in place to ensure that baseline configurations are applied and maintained. All data transmitted and processed within the networks will be encrypted in transit and at rest.
6.2. Panaya will not use Customer Data in non-production environments or for testing.
6.3. Panaya employs a managed configuration system for server and patch management, maintaining hardened security settings across devices. This is complemented by endpoint protection on employee devices through an EDR system, and restricted software installation, ensuring a secure and controlled application environment (i.e., generally, no admin authorizations at host level).
6.4. Panaya protects both data in transit and data at rest using an encryption strategy. All traffic between the Customer and the Panaya Platform is encrypted through TLS using a 128-bit AES cipher. Stored data is encrypted using a 256-bit AES cipher. Any data transfer between the different Panaya servers is sent over encrypted connections, such as IPsec and SSH.
6.5. Moreover, Customer Data stored at rest is automatically encrypted using multiple encryption mechanisms to protect Customer’s secrets, in a layered encryption approach that ensures a high level of security for stored data, mitigating risks and enhancing Customer trust.
7.1. Panaya maintains a Change Management Policy which outlines the procedures that address the types of changes, required documentation for the changes, peer review, approvals for changes, and emergency changes.
7.2. Production and non-production environments will be kept separate. Panaya will use a test environment separate from the production environment for testing changes.
7.3. Panaya will publish release notices for each new major and minor release of the products.
8.1. Panaya conducts risk assessments, focusing on identifying, analyzing, and mitigating risks that could impact its Services.
8.2. Patches are applied on an ongoing basis.
8.3. External and internal vulnerability scans are performed on a monthly basis. Their reports are sent to relevant personnel for risk analysis and remediation and serve as input for the monthly risk meetings. In addition, Panaya is subscribed to several relevant bulletin and notification services, which are monitored by the CISO. When a relevant vulnerability has been discovered, the CISO will alert the incident response forum to determine the appropriate response.
8.4. Panaya’s security team acknowledges that keeping the Customer Data secure is the top priority. Therefore, we encourage responsible reporting of any vulnerabilities that may be found in our site or application. Panaya is committed to working with the security community to verify and respond to any potential vulnerabilities.
9.1. An external web application penetration test is conducted on a semi-annual basis, in line with market practice, by an internationally acclaimed information security consultancy group on Panaya’s application and infrastructure.
9.2. Panaya conducts penetration testing to prevent unauthorized access to confidential information, or harm to its systems, with regular external tests and prompt resolution of critical issues. Panaya also implements robust vulnerability management, conducting regular internal scans and production network scans, ensuring timely remediation depending on the risk detected.
10.1. Panaya will conduct log review through manual and automated processes. Panaya will log critical information system activity. At a minimum, Panaya systems shall record and retain the following audit logging information: what activity was performed and by whom (credentials), status or outcome (failure vs. success), and time stamp and date.
10.2. Panaya has implemented and will maintain a logging system aligned with industry standards to continuously monitor for unauthorized access and to validate the accuracy and integrity of received log events. Panaya does not allow Customers to access log events. However, in case of a court order or official investigation, Panaya will provide the required information.
10.3. Log data and logging systems will be maintained and configured to prevent changes to or tampering with logs, and will be retained for as long as required under applicable law.
10.4. Panaya will implement and maintain specific technical controls to ensure non-repudiation of all log files, including limiting the number of administrators with access to logs and disabling administrator ability to delete or modify audit logs.
11.1. Panaya will implement and maintain a Security Incident Policy, which will be managed and run by Panaya’s CISO.
11.2. Panaya requires personnel to report any known or suspected security incidents immediately without delay.
11.3. In the event of an incident that affects Customer Data, Panaya will utilize industry standard efforts to respond to the incident and mitigate the risk to Customer and Customer Data.
11.4. In the event of a confirmed security breach affecting Customer Data within Panaya Services, and taking into account the scope of the Services provided by Panaya, Panaya will report to affected Customers an Incident Notification immediately after becoming aware and confirming the incident occurred, and in any event no later than 72 hours or as set forth in the Agreement between Panaya and the Customer. In the event Panaya does not have all the necessary information at time of notification, it will provide follow ups and updates upon becoming aware.
11.5. Panaya will reasonably cooperate with Customer in mitigation of the incident and in technical implementation, and if required will ensure the Sub-processors cooperate with Customer as well, to the extent needed.
12.1. Panaya maintains a Business Continuity Plan (“BCP”), which defines the processes and procedures which need to be taken after an event, such as a natural disaster, that impacts the resources required to support the performance of its critical business processes. The BCP sets out necessary measures that need to be taken (and are taken by Panaya) to ensure a continuous, undisturbed use of the Panaya Services by Customers. The BCP is compliant with applicable standards and requirements.
12.2. Panaya will test the effectiveness of its BCP on a regular basis, at least once per year as well as after implementation of a change with substantial impact on the BCP. The BCP was audited by an independent external auditor (during the SOC annual audits, among others). Panaya will provide a copy of such auditor report to its Customers (or its representative, or if required a regulator investigating the Customer), upon receiving reasonable written request and subject to signing an NDA with Panaya.
13.1. Panaya maintains backup policies and associated measures. Such backup policies include the constant monitoring of operational parameters, as relevant to the backup operations. Notwithstanding the above, Panaya does not provide any backup services and it is the Customer’s sole responsibility to back up Customer Data.
13.2. Panaya will create and maintain disaster recovery plans to restore customer-facing cloud products to customers. Disaster recovery plans will define Recovery Time Objectives (“RTO”) and Recovery Point Objectives (“RPO”) for the Services. RTO of the Customer Data: 2 hours, RPO of the Customer Data: 15 minutes.
14.1. Prior to engaging third party contractors and sub-contractors (including sub-processors) as listed here https://www.panaya.com/subcontractor-list/ (hereinafter, “Subcontractors”), Panaya performs a reasonable due diligence check, including on such Subcontractors’ security standards, to ensure they comply with Panaya’s standard for data security protection. This may include a review of risk assessments, audits, and physical, technical, organizational, and administrative controls. Panaya reviews its Subcontractors on an annual basis.
14.2. Subcontractors are required to sign a data processing agreement and confidentiality provisions. The Subcontractor agreements will include audit rights (conducted either by Panaya, its Customer, or a Supervisory Authority), and applicable service level commitments which comply with applicable laws.
14.3. Panaya agrees to notify Customer of any change in the Subcontracting Chain (as defined below) that may have a material impact on the Services. Notification of any such change will be provided electronically (either by providing notice on such page, through the Account, or by email, if and to the extent applicable).
15.1. Panaya undertakes to cooperate and respond to reasonable security audits, conducted through questionnaires provided by Customer or a regulatory authority, or to provide (subject to confidentiality obligations) the SOC 2 report or other reasonable information.
15.2. If required under applicable laws, or required by a regulator or authority, and to the extent the section above does not satisfy Customer’s or the regulator’s inspection needs, and to the extent the parties contractually agreed, Panaya will allow on-prem audits subject to: (a) prior written notice being provided; (b) the third party auditor being approved by Panaya, and the Customer ensuring that whoever is performing the audit has appropriate and relevant skills and knowledge to perform the audit; (c) the audit being limited solely to the audit purposes and conducted solely during business hours; (d) the Customer undertaking to take extra care and not disrupt any operations during the audit; and (e) the audit not being conducted more than once per year.
16.1. All employees and contractors sign industry standard confidentiality clauses and data protection clauses (or a data processing agreement, as applicable) prior to accessing any data or information. These clauses and agreements include, among other things, the employee’s/contractor’s commitment not to disclose proprietary or confidential information, including Customer information, to unauthorized parties, or to use any such information for any purpose other than performing Panaya’s obligations under the Agreement.
16.2. Each employee is subject to Panaya’s security policies and specifically the acceptable use policy, which restricts and governs the use of the Panaya systems.
16.3. Panaya ensures security awareness and training are conducted at least once a year. A mandatory annual security awareness training program is in place for all employees. The training covers critical areas such as common security risks and threats, compliance with regulations, understanding of the internal policies, information security practices, data protection and customer privacy and awareness including fraud and phishing.
16.4. Workstations are secured using industry standard technology and practices, including, at a minimum, firewalls, anti-virus software, password-protected lock screens, a clear desk and clear screen policy, and revocation of access after failed attempts. Any remote access to Panaya resources and data assets is regulated behind MFA mechanisms, in order to enforce and ensure stringent security measures.
17.1. The parties confirm that if the locations from where the Service is being provided or the location(s) where Customer Data is processed, either by Panaya or by any of its Subcontractors, are changed, Panaya will electronically (i.e., by email, notice in the account, website pop-up notification or other means) notify Customer.
18.1. Panaya confirms that it does not process any personal data on behalf of Customer, except as otherwise specified in the Agreement, which is subject to the data processing agreement available at https://www.panaya.com/data-processing-agreement/
18.2. Panaya shall comply with applicable laws and regulations, applicable to its Services, and shall adapt to any changes required under such laws.