Security Overview

Keeping customer data safe and secure is a top priority for us. We use our own services just like our customers do. And, just like our customers, we don't want our data compromised. So, our goals are the same as our customers: to ensure that all of our important data is as secure as it possibly can be.

We protect your data.

All data are written to multiple disks instantly, backed up daily, and stored in multiple locations. Data that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.

Your data is sent using HTTPS.

Whenever your data is in transit between you and us, everything is encrypted, and sent using HTTPS. All account passwords are hashed so that our own staff can't even see them. If you lose a password, it must be reset.

Protection from data loss.

All our servers all operate at full redundancy. Our systems are engineered to stay up, even if multiple servers fail. All databases are replicated in real-time and backed up regularly off site.

Data center security.

Our data centers manage physical security 24/7 with biometric scanners and the usual high tech stuff that data centers always brag about. We use Amazon AWS for our data centers and they submit themselves to regular SOC 2 audits.

Regularly-updated infrastructure.

Our software infrastructure is updated regularly with the latest security patches. Our products run on a dedicated network which is locked down with firewalls and carefully monitored. While perfect security is a moving target, we work with security researchers to keep up with the state-of-the-art in web security.

We protect your billing information.

All credit card transactions are processed using secure encryption—the same level of encryption used by leading banks. Our credit card processing vendor is a validated Level 1 PCI DSS compliant service provider and uses advanced security measures to protect your information both during the transaction and after it is complete. Our vendor is certified as compliant with card association security initiatives, including the Visa Cardholder Information Security and Compliance (CISP), MasterCard® Site Data Protection Program (SDP), and Discovery Information Security and Compliance (DISC).

Audits, security policies, and standards.

We submit a self assessment (SAQ A 3.2) for PCI compliance, which is good for a year each time. A copy of our PCI compliance certificate is available upon request, after completing an NDA. We can also provide a copy of the SOC reports for the data centers we use after completing an NDA.

We run regular, automated security scans to ensure that our networks and applications are secure. A copy of a recent scan is available upon request, after completing an NDA.

We also contract with third-party penetration testers to run regular reviews of our security measures and help us discover and fix vulnerabilities.

Our people.

We train our team on best security practices, including how to identify social engineering, phishing scams, and hackers. All employees sign a confidentiality agreement that outlines their responsibility in protecting customer data. Our teams also monitor all of our systems continuously for signs of intrusion.

Report a Vulnerability.

If you believe you have found a security issue with our applications or on our websites, please let us know right away. You can submit your report through our HackerOne responsible disclosure program, or just email us directly at security@paloalto.com. Our security team will investigate all reports and we'll fix legitimate issues as quickly as we can.

Want to know more?

If you have additional questions about our security, please submit a support request and we will respond as quickly as possible.