PALO Framework Security Policy
GDPR Compliant | NIS2 Aligned | WCAG 2.1 AA
Last updated: December 17, 2024
At PALO Framework, we are committed to ensuring the security and privacy of our users and their data. This Security Policy outlines our approach to security, how we handle vulnerabilities, and how you can report security issues to us.
1. Scope
This policy applies to:
- The PALO Framework website (paloframework.org)
- All PALO Framework tools and applications
- Any data processed through our services
2. Our Security Commitment
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with:
- GDPR (Regulation EU 2016/679) - Article 32: Security of processing
- NIS2 Directive (EU 2022/2555) - Cybersecurity risk management measures
- ISO/IEC 27001 - Information security management principles
Key security measures include:
- HTTPS/TLS encryption for all communications
- No collection of personal data without explicit consent
- Local-only data processing (data stays in your browser)
- Regular security reviews and updates
- Secure hosting infrastructure
3. Responsible Disclosure Policy
We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, we ask that you follow the process below.
3.1 How to Report
📧 Email: info@paloframework.org
🔐 PGP Key: Available upon request
📋 security.txt: /.well-known/security.txt
3.2 What to Include
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Your contact information (optional, for follow-up)
3.3 Our Commitment to You
- We will acknowledge receipt within 48 hours
- We will provide an initial assessment within 5 business days
- We will keep you informed of our progress
- We will credit you (if desired) when the issue is resolved
Please do not:
- Access data that does not belong to you
- Perform actions that could harm our systems or users
- Disclose the vulnerability publicly before we've had a chance to address it
- Use automated scanning tools without permission
4. Data Processing Security
In accordance with GDPR Article 32, we implement:
| Measure | Description |
|---|---|
| Pseudonymization | Data cannot be attributed to a specific user without additional information |
| Encryption | TLS 1.3 for data in transit; local storage encryption where applicable |
| Confidentiality | Access controls and need-to-know principles |
| Integrity | Checksums and validation to prevent unauthorized modifications |
| Availability | Regular backups and disaster recovery procedures |
| Resilience | Ability to restore access to data in a timely manner |
5. Incident Response
In the event of a security incident, we follow a structured response process aligned with NIS2 requirements:
- Detection & Identification - Continuous monitoring and alerting
- Containment - Immediate action to limit impact
- Eradication - Root cause analysis and remediation
- Recovery - Restoration of normal operations
- Lessons Learned - Post-incident review and improvement
In accordance with GDPR Article 33, we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, where feasible. Affected individuals will be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
6. Third-Party Security
We carefully select and monitor any third-party services we use:
- All third parties are assessed for security compliance
- Data Processing Agreements (DPAs) are in place where required
- We minimize data sharing with third parties
7. Your Rights
Under GDPR, you have the right to:
- Access - Request a copy of your data
- Rectification - Request correction of inaccurate data
- Erasure - Request deletion of your data ("right to be forgotten")
- Portability - Receive your data in a machine-readable format
- Object - Object to processing of your data
- Restrict - Request limitation of processing
To exercise these rights, contact us at info@paloframework.org.
8. Contact Information
Security Issues: info@paloframework.org
Privacy Inquiries: info@paloframework.org
General Contact: info@paloframework.org
Website: https://paloframework.org
9. Policy Updates
This Security Policy may be updated from time to time. We will notify users of significant changes through our website. We encourage you to review this policy periodically.
This policy was developed in alignment with European Union regulations including GDPR (Regulation EU 2016/679) and the NIS2 Directive (EU 2022/2555).