> Panto Wall of Defence

What is the Wall of Defence?

In traditional SDLC (Software Development Life Cycle) processes, code generation typically begins in IDEs such as VS Code or similar tools. Developers rely on linters within these environments to ensure adherence to coding standards. These linters are usually developer-specific, but organizations can establish custom rules and guidelines to enforce consistency across teams.

The next step involves human oversight during the pull request (PR) review process. This is a critical checkpoint where peers or leads review the code for logic errors, adherence to design principles, and potential bugs. After the PR review, tools like SonarQube, Semgrep, or other static analysis solutions are employed for deeper static analysis. These tools scan for vulnerabilities, maintainability issues, and compliance with organizational or industry standards. The code is then either approved for deployment or subjected to additional checks, depending on the organization's culture and requirements. The presence, absence, or sequence of these steps may vary across organizations to accommodate their specific workflows and priorities.

[Figure: security diagram]

> Security Policies

1. Introduction

At Panto Technologies Pvt Ltd, our utmost priority is the security of our customers' data. Our AI-powered Automated Pull Request (PR) Review System is designed with robust security measures to protect sensitive information throughout the Software Development Lifecycle (SDLC). This document outlines the key security controls and practices we employ to safeguard data and maintain client trust.

2. Purpose and Scope

This Information Security Policy establishes the framework for securing data processed by our PR review system. It applies to all employees, contractors, and third-party service providers involved in the development, operation, or maintenance of the system. The policy covers data handling, system architecture, access controls, incident response, and compliance with legal and regulatory requirements.

3. Roles and Responsibilities

  • IT Team: Manages technical infrastructure and ensures compliance with security standards.
  • Employees and Contractors: Adhere to all security policies and report any incidents or vulnerabilities.
  • Third-Party Providers: Must comply with our security requirements and are subject to regular audits.

4. System Architecture Overview

Our system automates PR reviews by integrating with version control systems (VCS) like GitHub, GitLab, and Bitbucket. The multi-layered architecture includes:

  • Pre-processing Layer: Utilizes Abstract Syntax Trees (AST), Tree-sitter, and Language Server Protocol (LSP) to securely pre-process code.
  • Panto Proprietary Filters: Applies organization-specific filters for contextually relevant checks.
  • LLM Layers: We use OpenAI for general-purpose LLMs; OpenAI's terms and conditions govern how data is handled here.
  • Maker Layer: Uses Large Language Models to generate automated PR comments.
  • Checker Layer: Verifies outputs for adherence to security standards and reduces false positives.
  • Wall of Defence: This is the dashboard layer that represents all of the reviews in one place for stakeholders to visualize the severity and impact of detected flaws.

5. Data Security Measures

Data Collection and Minimization

We collect only the code snippets required for PR reviews and do not store them. No additional data is accessed or stored without explicit authorization, adhering to the principle of data minimization.

Encryption

  • Data in Transit: All data exchanged with VCS platforms is encrypted using TLS 1.2 or higher to protect against interception.
  • Data at Rest: Any temporary data storage employs AES-256 encryption to prevent unauthorized access.

Data Retention and Deletion

Processed data is retained only for the duration necessary to complete the PR review. All temporary data is securely deleted post-review in compliance with data protection regulations. For customers using the Wall of Defence dashboard, we store the data for 24 hours and then purge it from our system. We also provide direct access on the dashboard to purge all customer-specific data from Panto servers on demand.
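The three controls in this section (TLS 1.2 or higher in transit, AES-256 for temporary data at rest, and a 24-hour retention window with on-demand purge) are simple to express in code. The following is an added illustration written for this page, not Panto's own implementation: it assumes a Go service, an in-memory store, and a 32-byte key generated at startup where a real deployment would fetch one from a KMS or secrets manager. The record id is bound into the AES-GCM associated data so a ciphertext cannot be replayed under a different id, and expiry is checked on read as well as by the purge job, so a record past its window is unreadable even before the job runs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"sync"
	"time"
)

// RetentionWindow is the 24-hour retention the policy states for dashboard data.
const RetentionWindow = 24 * time.Hour

// NewTLSClientConfig refuses anything below TLS 1.2 for traffic to VCS platforms.
func NewTLSClientConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// record is one entry: nonce||ciphertext from AES-256-GCM plus its expiry time.
type record struct {
	sealed  []byte
	expires time.Time
}

// TempStore keeps encrypted, time-limited records in memory (assumed design).
type TempStore struct {
	mu   sync.Mutex
	aead cipher.AEAD
	data map[string]record
}

// NewTempStore requires a 32-byte key so the cipher is AES-256, wrapped in GCM.
func NewTempStore(key []byte) (*TempStore, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TempStore{aead: aead, data: make(map[string]record)}, nil
}

// Put seals plaintext under a fresh random nonce, with the id as associated data,
// and stamps the record with now+RetentionWindow.
func (s *TempStore) Put(id string, plaintext []byte, now time.Time) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := s.aead.Seal(nonce, nonce, plaintext, []byte(id))
	s.mu.Lock()
	defer s.mu.Unlock()
	s.data[id] = record{sealed: sealed, expires: now.Add(RetentionWindow)}
	return nil
}

// Get opens a record only if it exists and its expiry has not been reached.
func (s *TempStore) Get(id string, now time.Time) ([]byte, error) {
	s.mu.Lock()
	r, ok := s.data[id]
	s.mu.Unlock()
	if !ok || !now.Before(r.expires) {
		return nil, errors.New("not found or expired")
	}
	ns := s.aead.NonceSize()
	if len(r.sealed) < ns {
		return nil, errors.New("corrupt record")
	}
	return s.aead.Open(nil, r.sealed[:ns], r.sealed[ns:], []byte(id))
}

// PurgeExpired is the scheduled job: drop every record past its window, return the count.
func (s *TempStore) PurgeExpired(now time.Time) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for id, r := range s.data {
		if !now.Before(r.expires) {
			delete(s.data, id)
			n++
		}
	}
	return n
}

// PurgeAll is the on-demand "delete everything for this customer" path, returning the count.
func (s *TempStore) PurgeAll() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := len(s.data)
	s.data = make(map[string]record)
	return n
}

func main() {
	key := make([]byte, 32) // assumption: a real service would load this from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store, _ := NewTempStore(key)
	t0 := time.Now()
	_ = store.Put("pr-42", []byte("def f(x): return x"), t0) // constructed sample snippet
	pt, _ := store.Get("pr-42", t0.Add(time.Hour))
	fmt.Printf("readable after 1h: %q\n", pt)
	fmt.Println("purged after 24h:", store.PurgeExpired(t0.Add(RetentionWindow)))
	fmt.Println("TLS 1.2 floor set:", NewTLSClientConfig().MinVersion == tls.VersionTLS12)
}
```

The expiry is passed in as a parameter rather than read from the clock inside the store so that the retention boundary can be tested deterministically; in production the caller would pass `time.Now()`.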

6. Access Control

Role-Based Access Control (RBAC)

  • Internal Access: Access rights are granted based on job responsibilities, following the principle of least privilege.
  • Customer Data Access: Only authorised personnel can access customer repositories, with all access attempts logged and monitored.

Authentication and Authorization

  • Multi-Factor Authentication (MFA): Required for all system access to enhance security.
  • Regular Access Reviews: Periodic audits ensure access rights remain appropriate and updated.

Physical Security

  • Secure Facilities: Data centres and offices are equipped with access controls, surveillance systems, and environmental protection.

7. AI and Model Security

Secure Data Processing

We utilize OpenAI’s models under strict data processing agreements. Customer data is transmitted securely and is not used for model training or retention.

LLM Layer Security

  • Maker Layer: Generates initial automated comments using AI models.
  • Checker Layer: Validates and sanitises outputs to ensure compliance with security policies and accuracy.

8. Organizational Security Filters

Our proprietary filters enforce client-specific security and compliance guidelines, ensuring that organizational policies are consistently applied across all PR reviews.

9. Incident Response and Monitoring

Proactive Monitoring

Advanced monitoring tools detect security breaches, anomalies, and system performance issues. Automated alerts enable immediate response to potential threats.

Incident Response Plan

In the event of a security incident:

  1. Isolation: Promptly isolate affected systems.
  2. Notification: Inform impacted customers and regulatory bodies within 24 hours.
  3. Investigation: Conduct a thorough analysis to identify the cause and extent.
  4. Remediation: Implement measures to mitigate the issue and prevent recurrence.
  5. Documentation: Record the incident details and response actions for future reference.

10. Employee Training and Awareness

All personnel receive regular training on security policies, data protection laws, and best practices. Training includes:

  • Onboarding Sessions: Introduction to security protocols for new hires.
  • Annual Refreshers: Updates on the latest security trends and policy changes.
  • Phishing Simulations: Practical exercises to enhance threat recognition skills.

11. Third-Party Security

We ensure that all third-party services, including OpenAI and cloud providers, adhere to industry-standard security measures. This includes:

  • Compliance Verification: Regular audits of third-party compliance with data protection standards.
  • Data Processing Agreements: Legal contracts that enforce data security obligations.
  • Access Restrictions: Limiting third-party access to only what is necessary for their services.

12. Compliance and Legal Considerations

We are committed to complying with all applicable laws and regulations, including but not limited to:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Industry Standards: OWASP, ISO/IEC 27001, NIST frameworks

Regular reviews ensure our policies are aligned with legal requirements and industry best practices.

13. Future Security Enhancements

We are pursuing ISO 27001 and SOC 2 certifications to demonstrate our commitment to security excellence. Planned initiatives include:

  • Security Assessments: Regular penetration testing and vulnerability scanning.
  • Policy Updates: Continuous improvement of security policies and procedures.
  • Technology Upgrades: Adoption of advanced security tools and technologies.

14. Policy Review and Maintenance

This policy is reviewed annually or when significant changes occur in our operations or regulatory environment. All updates are communicated to relevant stakeholders to ensure ongoing compliance and awareness.

© 2025 Pantomax Technologies Private Limited. All Rights Reserved.