Trust and Security Portal

Overview

Palantir is a software company that builds the world's leading software for data-driven operations and decision-making. For more than a decade, we’ve worked with customers in the most secure and highly regulated industries and built software for their most sensitive data. Today, security remains the cornerstone of our product development, company culture, and internal operations.

Palantir cares deeply about the security outcomes of our customers, and we’re committed to transparency about our security practices and program. We stand resolute in continuously improving our security, data protection, and privacy controls to give you the most effective means of protecting your data possible.

Compliance

CCPA
CSA STAR
Cyber Essentials Plus
DISP
DoD IL5
DoD IL6
FedRAMP Moderate
FISMA High
GDPR
HIPAA
ISO 27001
ISO 27017
ISO 27018
ISO 9001
SOC 2
SOC 3

16 Documents
Network Diagram
Pentest Report
Security Whitepaper
Cyber Essentials Plus
DISP
ISO 27001
ISO 27017
ISO 27018
ISO 9001
SOC 2
SOC 3
CAIQ Lite

Product Security

Role-Based Access Control
Audit Logging
Data Security

Reports

Network Diagram
Pentest Report
Security Whitepaper

Self-Assessments

CAIQ
CAIQ Lite

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Bot Detection
Responsible Disclosure
Code Analysis

Access Control

Data Access
Logging
Password Security

Infrastructure

Anti-DDoS
Amazon Web Services
Azure

Endpoint Security

Disk Encryption
DNS Filtering
Endpoint Detection & Response

Network Security

Data Loss Prevention
Firewall
IDS/IPS

Corporate Security

Email Protection
Employee Training
HR Security

Policies

Acceptable Use Policy
Access Control Policy
Anti-Malicious Software Policy

Security Grades

HSTS Preload List: palantir.com
Qualys SSL Labs: palantir.com (A+)
Security Headers: palantir.com (A)

Trust Center Updates

Palantir Security Bulletin - PALSEC-2022-07

Security Bulletin

A security bulletin has been publicly disclosed for our software.

PALSEC-2022-07

An information disclosure issue was discovered in Rubixbeat, a logging component of Palantir Apollo, when receiving logs originating from the Foundry Code-Workbooks service.

More Information

Full details of this security bulletin can be found in our GitHub repository.

Published at 11/10/2022, 4:30 PM

Palantir Security Bulletin - PALSEC-2022-05

Security Bulletin

A security bulletin has been publicly disclosed for our software.

PALSEC-2022-05

The delivery-metadata service in Palantir Apollo was found to expose API endpoints that did not adequately require authentication, potentially granting read access to metadata such as deployed software version numbers to unintended recipients. The subsequent investigation uncovered insufficient authentication controls in the team-ownership service as well, which is responsible for metadata pertaining to package installations. These vulnerabilities are resolved in apollo-deployment-state version 4.714.0, delivery-metadata version 2.565.0, and team-ownership version 0.171.0, respectively. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest version of all relevant Apollo services.

More Information

Full details of this security bulletin can be found in our GitHub repository.

Published at 11/04/2022, 7:56 PM

Palantir Security Bulletin - PALSEC-2022-04

Security Bulletin

A security bulletin has been publicly disclosed for our software.

PALSEC-2022-04

The Blobster service was found to have a cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Foundry to launch attacks against other users. This vulnerability is resolved in Blobster 3.228.0, which has been automatically deployed to all Apollo-managed Foundry instances. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest version of Blobster.

More Information

Full details of this security bulletin can be found in our GitHub repository.

Published at 11/04/2022, 6:15 PM

Palantir Security Bulletin - PALSEC-2022-03

Security Bulletin

A security bulletin has been publicly disclosed for our software.

PALSEC-2022-03

The Foundry Magritte plugin osisoft-pi-web-connector was found to be logging in a manner that captured authentication requests. This vulnerability is resolved in osisoft-pi-web-connector version 0.44.0. Magritte sources which leverage this plugin using HTTP Basic Authentication should change their OSISoft PI System account credentials.

More Information

Full details of this security bulletin can be found in our GitHub repository.

Published at 11/04/2022, 3:32 PM

Palantir response to OpenSSL CVE-2022-3786 and CVE-2022-3602

Security Response

CVE-2022-3786 and CVE-2022-3602:

Background

On October 25th, the OpenSSL maintainers announced to the community a forthcoming release, version 3.0.7, containing a patch for a CRITICAL vulnerability and set to be released on November 1. Upon receiving the notification, the Palantir CIRT (Computer Incident Response Team) opened an investigation to determine the overall exposure to Palantir platforms and infrastructure. Subsequent notices from the OpenSSL maintainers indicated that only the 3.0.x branch contained the CRITICAL fix, so, in conjunction with our product development teams, we began to investigate and understand the usage of OpenSSL 3.0.x across our organization. By Friday, October 28th, we had concluded our assessment and stood by for the November 1 release.

Yesterday, OpenSSL 3.0.7 was released, resolving two HIGH CVEs: CVE-2022-3786 and CVE-2022-3602. After the initial announcement on October 25th, the OpenSSL maintainers conducted further analysis of the issues and determined they were not as exploitable as initially thought. Even so, the Palantir InfoSec Team treats all software issues of this nature with the utmost importance, regardless of the surrounding circumstances.

Palantir is not affected

Palantir is not affected by the OpenSSL vulnerabilities in CVE-2022-3786 and CVE-2022-3602:

After a comprehensive search for usage of the offending libraries, we have found no evidence of, and have no reliance on, OpenSSL 3.0.x in our hosted infrastructure and products. There is no action required for any of our customers.

Published at 11/02/2022, 7:12 PM

If you think you may have discovered a vulnerability, please send us a note.