PRIVACY BY DESIGN

Visit our Trust Center

Trust Center
Protecting client information through governance, secure design and independent assurance

Palmer is entrusted with sensitive financial and personal information. Protecting that information is fundamental to how we operate as a regulated fund services provider.

Security and privacy are embedded into our governance, systems, data workflows and operational processes. They are supported by formal controls, ongoing oversight and independent assurance to meet the expectations of clients, regulators and counterparties.

          

Our Approach

Privacy and security by design

Palmer applies Privacy by Design and Privacy by Default principles across all services, systems and processes.

Data protection and information security are considered from the outset of service design and technology implementation rather than applied retrospectively. This approach supports regulatory compliance, operational resilience and consistent service delivery.

Our framework aligns with:

Protecting Client Information

Controls across the data lifecycle

Palmer applies layered technical and organisational controls to protect client information throughout its lifecycle.

Collection

Personal data is collected only where necessary for defined and legitimate purposes. Data minimisation and purpose limitation are applied by default.

Storage

Client data is encrypted at rest and logically segregated within secure environments. Primary data processing and storage occur within the EU.

Access

Access to systems and data is restricted based on role and responsibility. Multi-factor authentication and single sign-on are mandatory, and access rights are reviewed regularly.

Deletion

Data retention periods are defined and enforced. When data is no longer required, it is securely deleted in line with regulatory and contractual requirements.

Secure Architecture

Cloud-based and resilient by design

Palmer operates a secure SaaS-based cloud architecture designed to support confidentiality, integrity, availability and resilience.

Key characteristics include:

  • Encryption of data in transit and at rest

  • Centralised identity and access management

  • Resilient infrastructure with backup and disaster recovery arrangements

  • Continuous monitoring of system activity and security events

Security controls are applied consistently across environments and are reviewed as part of ongoing risk management and assurance activities.

Governance and Oversight

Clear accountability and independent challenge

Information security and data protection are governed through Palmer's formal ICT governance framework.

This includes:

  • Management Body oversight of ICT and security risk

  • A CTO-led ICT function responsible for design and operation of controls

  • Defined responsibility for cloud and outsourcing arrangements

  • Independent internal control reviews and testing

These arrangements ensure that security and privacy risks are identified, managed and escalated appropriately.

Vendor and Sub-Processor Management

Extending security across the supply chain

Where Palmer relies on third-party service providers or sub-processors, a structured vendor governance framework is applied.

This includes:

  • Security and data protection due diligence prior to engagement

  • Contractual obligations aligned with GDPR requirements

  • Independent assurance for critical vendors

  • Defined exit and data return arrangements

A register of sub-processors is maintained and made available to clients.

Incident Management and Resilience

Prepared, tested and accountable

Palmer maintains documented procedures for identifying, managing and escalating information security incidents.

In the event of a material incident:

  • The incident is promptly investigated and contained

  • Clients are notified in line with contractual and regulatory obligations

  • Remediation actions are tracked and implemented

Business continuity and disaster recovery arrangements are maintained and tested to support the ongoing delivery of critical services.

Independent Assurance

Objective validation of controls

Palmer's control environment is subject to independent assessment and ongoing review.

This includes:

  • Annual ISAE 3402 audits

  • Periodic internal and external control reviews

  • Independent testing of security controls

  • Ongoing vendor assurance reviews

Assurance reports are available to clients and prospective clients on request, subject to confidentiality requirements.

Client Partnership and Transparency

Working securely with clients

Effective security and privacy rely on clear roles and shared responsibility.

Palmer works with clients to:

  • Support secure information exchange

  • Enable the exercise of data subject rights

  • Provide transparency over data processing and sub-processors

Our security and privacy framework is reviewed and enhanced as regulatory expectations, technology and risks evolve.
