Skip to content
Palisai

Security at Palisai

5 July 2026

Palisai is a security product — so we hold ourselves to the same standards we scan for. Here you can see how the platform is secured, and how to report a vulnerability responsibly.

How we secure Palisai

Palisai runs on Hetzner infrastructure in Germany (EU). All data is processed and stored within the EU/EEA.

  • Strict Content Security Policy with nonces and strict-dynamic — inline scripts and foreign sources are blocked.
  • HSTS with preload — all traffic is forced over HTTPS.
  • Fail-closed access control — if access cannot be verified, it is denied.
  • Self-hosted authentication and database on our own servers, reachable only over a private network.
  • Cookieless analytics (Plausible) — no tracking cookies, no third-party adtech.

Report a vulnerability

If you have found a vulnerability in Palisai, our tools or our infrastructure, we would very much like to hear from you. Write to security@palisai.com.

Please describe: what you found, how it can be reproduced (steps or proof-of-concept), and the impact you assess it to have.

We aim to acknowledge your report within 3 business days and keep you informed while we investigate. Fixes are prioritized by severity.

We do not run a bug bounty program, but we are happy to credit your work publicly if you wish.

Safe harbor

We will not pursue legal action against security research conducted in good faith and within the scope on this page. Responsible reporting should feel safe.

Good faith means: you access only what is needed to demonstrate the issue, you avoid harming the service and other people's data, and you give us reasonable time to fix before sharing details publicly. Out of scope:

  • Exfiltrating data beyond a minimal proof-of-concept
  • Disrupting the service (DoS, spam, volume testing)
  • Social engineering or phishing of people
  • Physical attacks and attacks on third-party services

security.txt

We publish a machine-readable security.txt per RFC 9116 at /.well-known/security.txt with contact details and a pointer to this policy.