
Security at PlanPal

Enterprise-grade security designed to protect your most sensitive compliance data.

Last Updated: March 17, 2026

Our Security Commitment

At PlanPal, security is not an afterthought -- it is foundational to everything we build. As a cloud-based equity compensation compliance platform, we understand that our customers trust us with highly sensitive financial, tax, and employee data. We take that responsibility seriously.

Our security program is built on the principles of defense in depth, least privilege, and continuous improvement. We invest in people, processes, and technology to ensure your data remains protected at every layer of our platform.

Working Toward SOC 2 Type II

PlanPal is designed to meet SOC 2 Type II standards, which evaluate an organization's controls related to security, availability, processing integrity, confidentiality, and privacy over a sustained period. We have built our platform with end-to-end encryption, role-based access controls, and a complete audit trail to support this goal.

  • Our platform architecture and internal processes are built to align with SOC 2 Trust Services Criteria.
  • We are working toward independent audits to validate the design and operating effectiveness of our controls.
  • Audit reports will be made available to customers and prospective customers under NDA upon request once completed.

Data Encryption

All data processed by PlanPal is protected with industry-standard encryption, both at rest and in transit.

  • In Transit: All communications between your browser and our servers are encrypted using TLS 1.2 or higher. We enforce HTTPS across the entire platform with HSTS headers to prevent downgrade attacks.
  • At Rest: Data stored in our databases and file systems is encrypted using AES-256, one of the strongest block cipher algorithms available.
  • Encryption keys are managed through a dedicated key management service with automatic rotation and strict access controls.
  • Sensitive fields such as social security numbers and tax identifiers receive additional application-level encryption.

Access Controls

PlanPal enforces strict access controls to ensure that only authorized individuals can access the data and functionality they need.

  • Role-Based Access Control (RBAC): Administrators can define granular roles and permissions, ensuring team members only see the data relevant to their responsibilities.
  • Multi-Factor Authentication (MFA): MFA is available for all accounts and can be enforced organization-wide by administrators.
  • Single Sign-On (SSO): Enterprise customers can integrate PlanPal with their existing identity provider via SAML 2.0 or OpenID Connect for seamless and centralized authentication.
  • Session Management: Sessions are automatically expired after periods of inactivity, and users can view and revoke active sessions at any time.
  • Internal Access: PlanPal employees access production systems only through secured, audited channels with multi-factor authentication and just-in-time provisioning.

Infrastructure Security

Our infrastructure is built on leading cloud providers that maintain the highest levels of physical and network security.

  • Cloud Hosting: PlanPal runs on enterprise-grade cloud infrastructure with SOC 2, ISO 27001, and FedRAMP certifications.
  • Network Isolation: Our production environment is segmented using virtual private clouds (VPCs), security groups, and network access control lists to prevent unauthorized lateral movement.
  • DDoS Protection: We employ multi-layered DDoS mitigation services to ensure platform availability even during volumetric or application-layer attacks.
  • Firewalls and Intrusion Detection: Web application firewalls (WAF) and intrusion detection systems (IDS) continuously monitor traffic for suspicious activity.
  • Patch Management: Infrastructure components are kept up to date with the latest security patches through automated deployment pipelines.

Application Security

Security is embedded into every stage of our software development lifecycle.

  • Secure Development Lifecycle (SDLC): All code is developed following secure coding guidelines based on OWASP best practices. Security requirements are defined at the design phase and validated before release.
  • Code Reviews: Every code change undergoes mandatory peer review with a focus on security implications before it can be merged into the codebase.
  • Penetration Testing: We engage independent, third-party security firms to conduct regular penetration tests against our application and infrastructure. Findings are triaged and remediated on an expedited timeline.
  • Static and Dynamic Analysis: Automated security scanning tools are integrated into our CI/CD pipeline to catch vulnerabilities before they reach production.
  • Dependency Management: Third-party libraries and dependencies are continuously monitored for known vulnerabilities and updated promptly.

Audit Trails

Comprehensive audit logging is critical for equity compensation compliance, and PlanPal provides complete visibility into platform activity.

  • Every user action on the platform -- including logins, data access, configuration changes, report generation, and exports -- is logged with a timestamp, user identity, and contextual details.
  • Audit logs are immutable and tamper-resistant, stored separately from application data.
  • Administrators can search, filter, and export audit logs directly from the platform to support internal reviews, external audits, and regulatory inquiries.
  • Logs are retained in accordance with applicable regulatory requirements and customer-configured retention policies.

Data Residency

We understand that regulated industries and multinational organizations may have specific requirements around where their data is stored and processed.

  • PlanPal offers data residency options that allow customers to specify the geographic region where their data is hosted.
  • Available regions are intended to support customer obligations under frameworks such as GDPR, CCPA, and other local data protection regulations, and we have implemented controls intended to support GDPR compliance.
  • Cross-border data transfers, where necessary, are governed by appropriate legal mechanisms such as Standard Contractual Clauses (SCCs).
  • Contact us to discuss data residency requirements specific to your organization.

Incident Response

PlanPal maintains a formal incident response program to rapidly detect, contain, and resolve security events.

  • Dedicated Security Team: Our security team monitors systems around the clock and is trained to respond to incidents swiftly and effectively.
  • Incident Response Plan: We maintain a documented and regularly tested incident response plan that covers identification, containment, eradication, recovery, and post-incident review.
  • Notification Procedures: In the event of a confirmed security incident affecting customer data, we will notify impacted customers promptly and in accordance with applicable laws and contractual obligations. Notifications include a description of the incident, the data involved, remediation steps taken, and recommended actions for affected parties.
  • Post-Incident Reviews: Every significant incident is followed by a thorough post-mortem to identify root causes and implement preventive measures.

Business Continuity

PlanPal is engineered for resilience so that your team can rely on uninterrupted access to critical compliance data.

  • Backup Procedures: All customer data is backed up automatically on a regular schedule. Backups are encrypted and stored in geographically separate locations to protect against regional failures.
  • Disaster Recovery: Our disaster recovery plan includes defined recovery time objectives (RTO) and recovery point objectives (RPO). We conduct regular disaster recovery drills to validate our ability to restore services.
  • Uptime SLA: PlanPal commits to a 99.9% uptime service level agreement for enterprise customers. Real-time platform status is available on our status page.
  • Redundancy: Critical systems are deployed across multiple availability zones to eliminate single points of failure.

Vendor Security

We hold our vendors and partners to the same high security standards we set for ourselves.

  • All third-party vendors that process or store customer data undergo a security assessment before onboarding.
  • Vendors are evaluated on their security certifications, data handling practices, incident response capabilities, and compliance posture.
  • We maintain a vendor risk register and conduct periodic reassessments to ensure ongoing compliance.
  • Contractual agreements with vendors include data protection obligations, breach notification requirements, and the right to audit.

Responsible Disclosure

We value the work of the security research community and welcome responsible disclosure of potential vulnerabilities.

  • If you believe you have discovered a security vulnerability in PlanPal, please report it to security@planpal.io.
  • Include a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence such as screenshots or proof-of-concept code.
  • We will acknowledge receipt of your report within two business days and work with you to understand and address the issue.
  • We ask that you give us reasonable time to investigate and remediate before making any public disclosure.
  • We will not pursue legal action against researchers who act in good faith and comply with this policy.

Contact

If you have questions about our security practices, want to learn more about our progress toward SOC 2 Type II, or want to discuss your organization's specific security requirements, please reach out to us at hello@planpal.io. Our team is happy to help.

© 2026 PlanPal. All rights reserved.