InfoSec at Palantir
At Palantir, we’re passionate about solving real-world problems. Our software has been used to stop terrorist attacks, develop new medicines, gain an edge in global financial markets, combat child trafficking, and more.
Given the critical work performed on our platforms, information security is our lifeblood.
Our industry-leading InfoSec team works tirelessly to stay ahead of adversaries by hunting for sophisticated threats, thwarting changes in their tactics, and immediately eradicating risks.
The Information Security Program at Palantir has three core objectives.
01/ 02/ Make our customers safer.
03/ Make the world safer.
Compliance and Accreditation
Our customers rely on Palantir to power their most critical work, and we’re dedicated to building platforms they can trust. Our cloud offerings are managed, standardized, tested, and externally audited, with robust access controls that scale to meet customer demand.
Palantir is an active member of the Vendor Security Alliance, an organization improving information security across vendors and PaaS and SaaS solution providers, and a partner with SpecterOps, a leader in red team operations.
For more information on compliance, accreditation, and trust, please visit our Trust Portal.
Compliance Overview
Our cloud platform’s infrastructure, applications, and operations have been developed to comply and align with some of the most rigorous legal and regulatory requirements in industries today, including:
SSAE 18/ISAE 3000 Service Organization Control (SOC):
SOC 1, Type 2 (Computer Operations, Information Security, Change Control, Data Communications)
SOC 2, Type 2 (Security, Confidentiality, and Availability)
SOC 3
International Organization for Standardization (ISO), including but not limited to:
ISO 27001
ISO 27017
ISO 27018
ISO 9001
NIST 800-53 and NIST 800-171, including control sets for the following baselines:
FedRAMP High
FISMA High
Impact Level 2 DoD SRG
Impact Level 5 DoD SRG
Impact Level 6 DoD SRG
CMMC
And others, including:
Cyber Essentials Plus
NCSC Cloud Security Principles
NHS Digital Data Security and Protection Toolkit
GDPR
Web Content Accessibility Guidelines (WCAG) 2.1 and Section 508
ENS (Spain)
TISAX (Germany)
Additionally, Palantir has extensive experience helping our customers meet specific regulatory and industry requirements. Our software provides functionality that customers can configure and operate to meet requirements such as those arising from:
SOC 1 / ISAE 3402
GxP
CCPA
CJIS
HIPAA
ITAR
Accreditation Reports
Palantir can provide reports to prospective customers attesting to compliance with the following standards and frameworks:
SOC 1, Type 2 (Computer Operations, Information Security, Change Control, Data Communications)
SOC 2, Type 2 (Security, Confidentiality, and Availability)
SOC 3
ISO 27001, ISO 27017 and 27018
ISO 9001
Cyber Essentials Plus
NCSC Cloud Security Principles
FedRAMP Moderate / IL2 DoD SRG
IL5 DoD SRG
ENS (Spain)
Please visit palantir.safebase.us for compliance certifications and audit reports.
Open Source Contribution
As part of our commitment to make the world safer, our InfoSec team embraces an open-source first policy to help the larger InfoSec community better guard against attacks on their own software.
Our software and internal tools are built around open-source tools, and we contribute prolifically to the open-source community through bug fixes, improvements, and developer tooling.
We're also proud to partner with SpecterOps, a cybersecurity company that shares our commitment to OSS. We frequently tell the stories behind our open-source contributions on our company blog. The posts below offer a good starting point:
Blog Posts
Tampering with Windows Event Tracing: Background, Offense, and Defense
Auditing with osquery Part Two: Configuration and Implementation
Auditing with osquery Part One: Introduction to the Linux Audit Framework
Github Repositories
Penetration Testing
We perform biannual penetration tests to ensure our backing infrastructure and operations meet the highest security standards.
Current or prospective customers can reach out to Palantir to learn more about our security assessments. Customers who would like to perform their own penetration tests can do so under certain conditions, provided the tests are scheduled at least seven days before the start of an engagement.
The following types of customer-initiated security-assessment activities are permitted:
Port scanning and banner grabbing.
Fuzzing, automated vulnerability scanners, or manually run tools against your own Palantir deployment infrastructure.
Fuzzing, automated vulnerability scanners, or manually run tools against your own Palantir deployment web applications.
Testing alerting and detection strategies in your tenant, assuming dedicated tenancy.
Attempting to break out from process sandboxing or containerization.
The following types of security assessment activities are strictly prohibited:
Attempting to perform any denial of service attacks.
Targeting resources or data unrelated to your tenant.
Social engineering, phishing, or other employee-targeted attacks.
Performing attacks against non-tenant infrastructure, resources, personnel, or data.
Moving beyond proof of concepts for code execution, container escape, or lateral movement scenarios.
Reporting Security Issues
If you've identified a potential security flaw in our infrastructure or software, please let us know within 24 hours using GPG encryption. We'll triage the issue and get back to you within three business days.
Careers
The Information Security team is Palantir's first line of defense. We're engineers, analysts, and operators committed to making the world a safer place — and we're hiring.