Compliance

SOC 2 Type II

At ProductPlan, we continuously invest in security best practices to ensure that our customers’ data is safe. We hold a SOC 2 Type II attestation and undergo annual audits.

Keeping our customers’ data safe and secure is our highest priority. This report shows our ongoing commitment to protect our customers’ data so they can focus on the most important work for their businesses by having trust in our policies, procedures and security program.

Data Security

Infrastructure

ProductPlan’s physical infrastructure is hosted and managed within the Heroku cloud platform (PaaS). Heroku manages its infrastructure within Amazon’s secure data centers and uses Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Amazon’s data center operations have been accredited under:

AWS also continually works to comply with any new or changing regulations, such as:

View the full list of Amazon AWS certifications here.

Application

The ProductPlan application runs within an isolated environment in Heroku (PaaS), a cloud application platform that manages infrastructure configuration, scaling and security. Heroku manages its infrastructure in an AWS environment (us-east-1 region, N. Virginia).

All applications run in self-contained environments that isolate processes, memory, and file systems using LXC containers, while host-based firewalls prevent applications from establishing local network connections. This is container-level isolation rather than separate virtual machines, so the host firewall rules are part of the isolation boundary.

For additional technical information: https://www.heroku.com/policy/security

Database

ProductPlan stores customer data in an access-controlled Heroku Postgres database unique to our application. Customer data is encrypted at rest using AES-256 block-level storage encryption.

Encryption/Secure Transmission

ProductPlan encrypts all data in transit using TLS 1.2 with AES-128 cipher suites. ProductPlan also encrypts data at rest using AES-256 block-level storage encryption. Note that block-level encryption is transparent to the application: it protects data if the underlying storage media is lost or accessed directly, and does not by itself restrict what an authenticated application user or database credential can read, which is why the access controls described above still matter.

Roadmap Security

ProductPlan is designed to help you control access to the sensitive information contained in your roadmaps. Here are some crucial points about roadmap security in ProductPlan:

ProductPlan also offers Single Sign-On and additional security features as part of our Enterprise Plans.

Penetration and Vulnerability Testing

ProductPlan processes are designed to proactively remediate security risks. ProductPlan is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third-party mailing lists and services. Each vulnerability is reviewed to determine whether it applies to ProductPlan’s environment, ranked by risk, and assigned to the appropriate team for resolution.

New systems are deployed with the latest updates, security fixes, and Heroku configurations, and existing systems are decommissioned after the application has been migrated to the new instances. This process allows Heroku to keep the underlying environment up to date. Because the ProductPlan application runs in isolated environments, it is unaffected by these core system updates.

Privacy

At ProductPlan, we take your privacy seriously. We’re committed to protecting the privacy of the personal information you provide us. To learn more, read our Privacy Policy.

GDPR

ProductPlan is committed to adhering to the European Union’s General Data Protection Regulation (GDPR). We’ve implemented technical and organizational security measures that better protect our customers’ personal data, and we’re committed to assisting our customers in satisfying their own GDPR data security and privacy requirements.

PCI

ProductPlan’s infrastructure provider is a PCI DSS Level 1 compliant service provider. We use a PCI DSS-compliant payment processor for encrypting and processing credit card payments.

Best-In-Class Service

ProductPlan is committed to providing reliable service and quick support responses to issues. Our application has 99.9% uptime; the current status of our application and any past incidents can be seen on our status page.

Our Professional and Enterprise Plans also include features and services designed to ensure that ProductPlan is managed as securely as possible at your organization. These include:

To report security or privacy issues that affect ProductPlan or our web servers, please contact security@productplan.com.