
Vendor Data Privacy

Updated over 2 weeks ago

Ensuring data privacy at Panorays is a core value, which guides our product infrastructure, data collection and usage methods, and company processes. As a company focused on the security aspect of third-party risk management, we understand the criticality of maintaining the highest user privacy standards.

Given that responding to security questionnaires reveals information about your internal company policies and procedures, it is only natural that you want to ensure your data is protected. This data sheet explains how we process data, who owns different data types, and how your data is secured.

What types of data are processed by Panorays?

Panorays' customers assess the cybersecurity risk of their third parties using external attack surface assessments, automated security questionnaires (known as Smart Questionnaires), and the business context of each vendor relationship. Your organization, as well as each company evaluated using the platform, has a security risk profile on Panorays, reflecting the results of the different evaluation components mentioned above. Here's a short explanation of each component in your evaluation:

External Attack Surface Assessments

Panorays evaluates each company’s attack surface in a non-intrusive manner, through the analysis of externally available data. To ensure a comprehensive view of an organization's digital perimeter, Panorays performs hundreds of tests to assess three different layers:

Network & IT: Web servers, e-mail and DNS servers, TLS protocols, asset reputation, cloud solutions, and other exposed services.

Application: Web applications, CMS, domain attacks, etc.

Human: Employees’ attack surface, social posture, presence of a dedicated security team, etc.

Results are aggregated and used by our engine as another component that will determine your company's risk score.

As the assessment is external and not intrusive, it is performed by Panorays without engaging with the assessed company itself. That being said, you and your third parties can easily dispute irrelevant assets or findings through the platform. This external mechanism enables quick results, typically within hours, while maintaining an extremely high accuracy rate.

We recently added a new Endpoint Security category testing the Network & IT layer. The Endpoint findings are based on browsing data that we get from an external partner. Our partner embeds snippets in hundreds of millions of URLs and collects OS and browser information on any IP that accesses these URLs. Panorays detects the assets (IPs, IP ranges) of assessed companies, so we can correlate them to the browsing information and identify companies that are using end-of-life or vulnerable OSs/browsers. The data is continuously updated, and we only show findings on detections from the last 30 days.

Who owns the different data types?

|                 | External Attack Surface Assessments | Smart Questionnaires                                                        | Business Context    |
|-----------------|-------------------------------------|-----------------------------------------------------------------------------|---------------------|
| Data Controller | Panorays (proprietary data)         | You (evaluated company) and the evaluating company are shared controllers   | Evaluating company  |
| Data Processor  | None (Panorays is sole controller)  | Panorays                                                                    | Panorays            |

As Panorays performs the external assessment in a non-intrusive way, with no involvement of the evaluated company, Panorays is the only data controller. The assessment is conducted by Panorays' engine, which is our company's intellectual property.

Once you register on Panorays, you and the company evaluating you become shared controllers of your questionnaire response data. Panorays is the data processor.

The information regarding the business relationship is completed by the evaluating company, meaning they are the data controllers. Panorays is the data processor.

How do we ensure your data is secure?

Compliance with various privacy regulations

Panorays follows the GDPR guidelines and other privacy regulations such as CCPA and NYDFS to ensure the data of both our customers and companies evaluated by Panorays is secured.

Security Practices

Panorays takes many security measures to ensure high standards of platform security and users' data protection, such as compliance with ISO-27001, SOC2 Type II, etc.

The external scanning that assessed companies may observe is a legitimate and standard component of the Panorays third-party security assessment process. All scanning and analysis performed by Panorays are conducted in accordance with our Terms of Service and Data Collection Policy, using only non-intrusive methods and publicly available information. Panorays does not perform any intrusive testing, vulnerability exploitation, or access to non-public systems or data.

Our assessments are strictly external and leverage passive reconnaissance techniques and open-source intelligence (OSINT). This approach fully complies with all applicable legal and regulatory requirements and aligns with recognized industry best practices.

Importantly, the goal of this process is not only to support your organization’s third-party risk management but also to help companies evaluate their own digital assets and potential exposure areas. In many cases, our assessments highlight previously unknown internet-facing assets or misconfigurations, enabling those companies to improve their overall security posture.

For more information, visit Panorays' Security Overview.

For more information about data privacy at Panorays, contact us at [email protected]
