Legal
Security
- Effective
- May 20, 2026
- Last updated
- May 20, 2026
Security is a first-class engineering concern at Planoda. We document our controls openly so customers can validate them — no surprises, no asterisks.
1. Tenant isolation
Every workspace is logically isolated via Postgres Row-Level Security. Every query runs inside a transaction that pins app.workspace_id as a session setting; RLS policies reject any row that does not match. Application bugs cannot bypass isolation — the boundary lives in the database, not in code.
2. Encryption
- TLS 1.2+ for every connection in transit.
- AES-256 at rest for the database, S3, and Redis.
- OAuth tokens encrypted with libsodium
secretboxkeys, rotated quarterly. - Stripe handles all card data; we never see the full PAN, only a tokenized reference.
3. Authentication
Authentication is handled by Clerk. We support email + password, Google, GitHub, and Microsoft. Enterprise customers can enable SSO (SAML 2.0) and SCIM provisioning. We support optional 2FA via TOTP and Web Authn.
4. Defense in depth
- Strict CSP with Trusted Types enforcement and host allowlisting.
- Vercel BotID on sign-in, sign-up, and webhook endpoints.
- Per-user + per-procedure rate limits via Upstash.
- Signed outbound webhooks (HMAC-SHA-256) with replay protection.
- Stripe webhook signature verification with no exception path.
- Audit log for every privileged action, retained for 12 months.
- File uploads sniff magic bytes; SVG is explicitly excluded.
5. Backups & recovery
Neon Postgres point-in-time recovery is enabled with a 30-day window. Backups are encrypted and geo-redundant, and restore drills will be run quarterly. Production secrets are stored in Vercel and Doppler — never in Git.
6. Compliance
- SOC 2 Type II in progress (target Q4 2026).
- GDPR-compliant; DPA available on request.
- EU hosting available on Business and Enterprise plans.
- HIPAA-compliant deployment on Enterprise with a BAA.
7. Vulnerability disclosure
Email security@planoda.com with details. We respond within 24 hours on weekdays and plan to offer rewards for verified findings at launch. A PGP key for encrypted reports is available on request via security@planoda.com. We follow a 90-day coordinated-disclosure policy.