Our relationships with website visitors, customers, team members, and others.
AWS Hosting. Pano uses AWS in the United States as our external hosting provider. AWS meets System and Organization Controls (SOC 2) standards, verified by independent third-party examination reports demonstrating how the provider achieves key compliance controls and objectives. Please see the following website for further details on AWS compliance: https://aws.amazon.com/compliance/programs/.
Data ownership. Your organization owns the submission data and file upload data. In EU Data Protection Law terms, your organization is the Controller. Pano will only access your data at your request. To protect your data from unauthorized access, we keep logs with alerts configured to notify us of suspicious activity.
Your organization may download or delete your information from our application at any time.
Passwordless Login. Instead of using a password (which can be insecure), Pano sends you a unique login code each time you log in.
Data at Rest. All data at rest is encrypted on disk with AES-256.
Data in Transit. Data in transit is protected by TLS 1.2 or higher to provide end-to-end communication security.
Data Backup. Pano is not to be used as a data backup service. For our own purposes, we back up and replicate data as follows:
Data backups are also encrypted using AES-256. If data is replicated between regions, it is encrypted by AWS in addition to the file encryption and/or the client form encryption.
Logging. Our application is configured for appropriate logging of activities to enable detection of security incidents. These events are reviewed, and identified anomalies are investigated as a possible compromise.
All log activity is sent to a centralized logging infrastructure for audit purposes.
Internal Vulnerability Scans. Pano runs internal vulnerability scans quarterly.
External Vulnerability Scans. Pano has a PCI Approved Scanning Vendor (ASV) run external vulnerability scans quarterly.
Penetration Testing. Penetration tests of our application, network, and segmentation are run on a bi-annual basis by a third-party security vendor.
No External Testing. Since we have continuous scans and tests run by third-party vendors, Pano does not allow external testing of our environment, including performance testing.
Business Continuity and Disaster Recovery. Pano has a business continuity and disaster recovery plan that allows customers to continue to run our application in the unlikely event of an outage in AWS US East.
Annual Training. Our employees and contractors are provided with privacy and awareness training yearly and must pass a quiz each year.
Developer Training. Developers train annually on secure coding guidelines, avoiding common coding vulnerabilities, and understanding how sensitive data is handled.
Response Plan. Pano has documented Incident Response and Data Breach Response Plans, which outline the processes to respond to security events and incidents, and breaches of personal or protected data.
Pano's goal is to notify customers of an actual security incident within 24 hours after becoming aware of it.
Internal Risk. Our organization addresses cybersecurity risks in our risk management processes to identify critical assets, threats, and vulnerabilities.
Third-Party Risk. Pano performs risk-based due diligence on new and existing vendors to determine whether the vendor uses appropriate technical controls and organizational measures to protect data.