Security at Palm

Our customers trust Palm with sensitive business and identity data. Securing that data — and the systems that process it — is foundational to our product and our business. This page describes how we approach that responsibility.

For deeper documentation, certification artifacts, and the latest compliance reports, request access by emailing security@getpalm.com.

Governance

How our teams handle security

Palm's Security and Privacy teams establish policies and controls, monitor compliance, and prove our security posture to third-party auditors. The program is reviewed annually and built on a small set of principles that show up in every system we build:

  • Least privilege: People and services receive the minimum access required to do their jobs, and access is reviewed on a recurring cadence.
  • Defense in depth: Controls are layered so that a single failure does not result in a breach. Our defenses are validated through recurring independent penetration testing and a coordinated vulnerability disclosure program.
  • Continuous monitoring: Compliance and security posture are tracked continuously — not just at audit time — through Vanta and AWS-native tooling.
  • Document-then-enforce: Every control is grounded in a written policy, reviewed at least annually, and acknowledged by every employee at hire and on policy change.

Data protection

How we protect data

  • Encryption in transit: All data flowing in and out of Palm — between customer systems, our APIs, and our internal services — is encrypted in transit using TLS 1.2 or higher. We require modern cipher suites graded A or above on SSL Labs.
  • Encryption at rest: Customer data and other confidential information is encrypted at rest using AES-256. Database storage, object storage, and backups are all encrypted.
  • Endpoint encryption: All employee workstations are required to use full-disk encryption, enforced through MDM and verified during onboarding.
  • Password storage: User credentials are never stored in plaintext. Passwords are hashed using one-way algorithms (bcrypt, PBKDF2, scrypt, or Argon2) with per-credential salt and a global pepper stored separately.
  • Secrets management: Application secrets and cryptographic keys are stored in AWS Secrets Manager and AWS Parameter Store. Access is granted on a least-privilege basis and is audited.
  • Cryptography Policy: Approved encryption algorithms, key lengths, and rotation policies are documented in our internal Cryptography Policy and follow NIST SP 800-series guidance.

Product security

How we protect our products

Vulnerability scanning

We continuously scan our code, dependencies, containers, and infrastructure for vulnerabilities:

  • Dependency scanning: Runs continuously via GitHub Dependabot. Identified vulnerabilities are remediated against documented severity-based SLAs.
  • Container and infrastructure scanning: Container images and runtime infrastructure are continuously scanned using AWS-native services; findings are remediated against the same severity-based SLAs.
  • Static analysis (SAST): Runs in CI on every pull request.

Penetration testing

We engage an independent third party to perform a penetration test at least annually. Findings are remediated against documented SLAs.

Vulnerability disclosure

Security researchers and customers can report suspected vulnerabilities to security@getpalm.com. We acknowledge reports promptly and coordinate disclosure responsibly.

Infrastructure security

How we protect our infrastructure

Cloud

Palm runs on Amazon Web Services (AWS). We rely on AWS's compliance posture (SOC 2, ISO 27001, and others) for the underlying physical and environmental controls of our data center facilities.

Network

  • Production networks are logically segregated from development and corporate networks.
  • Inbound and outbound traffic is restricted by network access controls and firewalls.
  • Production access requires authentication through Okta single sign-on with multi-factor authentication; long-lived credentials for human users are not issued.
  • An intrusion detection system continuously monitors network activity, with automated alerts for anomalous behavior.
  • Service-to-service authentication uses IAM roles and short-lived AWS STS credentials; no static AWS keys are issued for production workloads.

Logging and monitoring

Production infrastructure produces detailed logs for user activity, security-relevant events, and system faults. Logs are centralized, retained, and reviewed both manually and by automated alerting.

Backups and disaster recovery

  • Daily backups of production data are taken automatically and stored in a separate AWS region from the primary data location.
  • Backup integrity and restoration are tested at least annually.
  • A documented Disaster Recovery Plan governs response to incidents that affect availability. Recovery objectives are defined per system.

Status page

Real-time service availability is published at status.getpalm.com.

Enterprise security

How we protect the enterprise

Identity and access management

  • All employees authenticate to corporate and production systems through Okta single sign-on with mandatory multi-factor authentication.
  • Access is provisioned based on role and on documented business need, and is reviewed quarterly.
  • Access is revoked within 24 hours of termination through a documented offboarding checklist.

Endpoint security

  • All employee workstations are managed and require full-disk encryption.
  • Endpoint detection and response (EDR) is deployed on every workstation, with automatic updates and centralized alerting.
  • Devices that are lost, stolen, or no longer issued to an active employee are wiped or reclaimed.

Personnel security

  • Background checks are conducted on new hires, including criminal history and employment verification, where permitted by local law.
  • Every employee acknowledges a Code of Conduct, Acceptable Use Policy, and Information Security Policy at hire and annually thereafter.
  • Every employee completes security awareness training annually.
  • Confidentiality obligations are codified in employment agreements.

Vendor management

We maintain an inventory of vendors and assess them based on the type of data they access and the criticality of the services they provide. Critical vendors' compliance reports (such as SOC 2) are reviewed at least annually.

  • All vendors are reviewed before onboarding for security posture and data handling practices, with the depth of review scaled to risk.
  • Vendors that handle customer data are required to execute a Data Processing Agreement (DPA) with privacy and security commitments.

Data privacy

How we handle data privacy

We process personal data in accordance with our Privacy Policy and applicable privacy and data protection laws.

  • Data subject rights (e.g. access, correction, deletion, portability) are exercised through our Privacy Policy; submit requests to privacy@getpalm.com.
  • To opt out of the sale or sharing of personal data, see our Do Not Sell or Share My Data page.
  • Production data is not permitted in development or test environments; engineering uses synthetic and anonymized data sets.

A list of subprocessors is available below and updated as the list changes.

Subprocessors

Our subprocessors

Palm relies on the following subprocessors for production services that handle customer data. Each is contractually obligated to apply security and privacy protections consistent with our own.

Subprocessor                 Purpose                                                                 Region
Amazon Web Services (AWS)    Cloud infrastructure, compute, storage, networking; customer data store  United States
Front                        Customer support ticketing                                              United States
JustCall                     Customer support phone conversations                                    United States
Elastic                      Security event and log storage                                          United States

For a full list of categories of third parties Palm engages — including website analytics, advertising, and visitor identification providers — see our Privacy Policy.

Customers will be notified of material changes to this list.

Incident response

How we manage incidents

We maintain a documented Incident Response Plan that defines roles, severity levels, and procedures for detecting, containing, eradicating, and recovering from security incidents. The plan is tested at least annually.

In the event of a security incident affecting customer data, we will notify affected customers without undue delay, in accordance with applicable law and our contractual commitments.

To report a suspected incident: security@getpalm.com.

Contact

How to contact us

For security, privacy, and compliance inquiries, use the appropriate channel below.

  • Security incidents, vulnerability reports, compliance reports, and vendor-assessment requests: security@getpalm.com (compliance reports may be provided under NDA).
  • Privacy and data subject requests: privacy@getpalm.com
  • Mailing address: 2 Embarcadero Center, 8th Floor, San Francisco, CA 94111

Last updated: 2026-05-05.