ENTERPRISE PLATFORM SECURITY

Your roadmap data is safe with us.

ProductPlan is trusted by thousands of companies worldwide, including many of the Fortune 100. We're built for enterprise-grade security, with SOC 2 Type II attestation, annual audits, and the infrastructure to keep teams safe.

CERTIFICATIONS & COMPLIANCE

Compliance. Certified. Audited. Accountable.

ProductPlan holds a SOC 2 Type II attestation and is audited annually by an independent third party. The attestation covers the Security, Availability, and Confidentiality trust services criteria. Because it is a Type II report, it documents that the controls protecting customer data and intellectual property operated effectively over the audit period, not merely that they existed at a single point in time.

ProductPlan runs on Amazon Web Services (AWS) in the US-East-1 region (N. Virginia). Amazon's infrastructure is accredited under ISO 27001, SOC 1 / SOC 2 / SOC 3 (SSAE 18 / ISAE 3402), and PCI DSS Level 1. AWS's compliance programs also cover FISMA Moderate, Sarbanes-Oxley (SOX), HIPAA, FedRAMP, and GDPR. These AWS attestations apply to the infrastructure layer under the shared responsibility model; controls in the ProductPlan application itself are covered by ProductPlan's own SOC 2 report.

The ProductPlan application runs on AWS Fargate within Amazon ECS. Fargate provides serverless container orchestration with workload isolation: each task runs in its own dedicated compute environment rather than on hosts shared with other tenants. Application containers run in private subnets with no public IP addresses and are fronted by an Application Load Balancer spanning multiple Availability Zones (us-east-1a and us-east-1b). Network access is restricted by VPC security groups. New container images are rolled out with rolling updates and the ECS deployment circuit breaker, which detects a failing deployment automatically.

Customer data is stored in a dedicated Amazon RDS PostgreSQL instance in a Multi-AZ deployment. The instance is not publicly accessible; it lives in a private subnet and is reachable only through VPC security groups. All data at rest is encrypted with AES-256 through AWS Key Management Service (KMS) using an AWS-managed symmetric key. Automated backups are retained for 35 days, and automatic minor version upgrades apply PostgreSQL minor releases, which carry security fixes, without manual intervention.
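The two paragraphs above describe a concrete posture: Fargate tasks without public IPs spread over two subnets behind a load balancer with the deployment circuit breaker enabled, and an RDS instance that is private, Multi-AZ, KMS-encrypted, retains backups for 35 days and applies minor upgrades automatically. As an added example (not ProductPlan's own tooling), the following Python script turns those statements into checks over dicts shaped like the items in boto3's `ecs.describe_services()` and `rds.describe_db_instances()` responses. The service and instance names, subnet IDs, security group IDs and KMS key ARN are constructed for illustration; feed the functions real API responses to audit a live account.

```python
"""Offline posture check for an ECS/Fargate service and its RDS PostgreSQL
instance, mirroring the controls described on this page.

The sample inputs below mimic the shape of boto3's
ecs.describe_services()["services"][i] and
rds.describe_db_instances()["DBInstances"][i] items, but are constructed
here (with made-up identifiers) so the script runs without AWS credentials.
"""
from typing import Any, Dict, List


def audit_ecs_service(svc: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the service matches the
    documented posture (Fargate, no public IPs, multi-subnet, SG, breaker)."""
    findings: List[str] = []
    if svc.get("launchType") != "FARGATE":
        findings.append("launchType is not FARGATE: tasks may share EC2 hosts")
    net = svc.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
    if net.get("assignPublicIp") != "DISABLED":
        findings.append("assignPublicIp is not DISABLED: tasks get public IPs")
    # Two subnets is the minimum for spreading tasks over two AZs. Whether a
    # subnet is actually private (no route to an internet gateway) needs the
    # route table, which a service description does not carry.
    if len(set(net.get("subnets", []))) < 2:
        findings.append("fewer than two subnets: no Availability Zone redundancy")
    if not net.get("securityGroups"):
        findings.append("no security group attached to the tasks")
    breaker = svc.get("deploymentConfiguration", {}).get("deploymentCircuitBreaker", {})
    if not breaker.get("enable"):
        findings.append("deployment circuit breaker disabled: failed rollouts go undetected")
    return findings


def audit_rds_instance(db: Dict[str, Any], min_backup_days: int = 35) -> List[str]:
    """Return findings for the RDS controls on this page: not public,
    Multi-AZ, KMS-encrypted at rest, 35-day backups, auto minor upgrades."""
    findings: List[str] = []
    if db.get("PubliclyAccessible", True):  # treat a missing field as unsafe
        findings.append("PubliclyAccessible is true: database reachable from the internet")
    if not db.get("MultiAZ"):
        findings.append("MultiAZ is false: no standby in a second Availability Zone")
    if not db.get("StorageEncrypted"):
        findings.append("StorageEncrypted is false: data at rest is unencrypted")
    elif not db.get("KmsKeyId"):
        findings.append("encrypted but no KmsKeyId reported")
    retention = db.get("BackupRetentionPeriod", 0)
    if retention < min_backup_days:
        findings.append(f"BackupRetentionPeriod is {retention} days, below {min_backup_days}")
    if not db.get("AutoMinorVersionUpgrade"):
        findings.append("AutoMinorVersionUpgrade is false: minor-version fixes not applied")
    return findings


# Constructed sample matching the page: Fargate, no public IPs, two subnets, breaker on.
ECS_SERVICE_OK: Dict[str, Any] = {
    "serviceName": "app",  # hypothetical
    "launchType": "FARGATE",
    "networkConfiguration": {"awsvpcConfiguration": {
        "subnets": ["subnet-0a1", "subnet-0b2"],  # one per AZ, made up
        "securityGroups": ["sg-0app"],
        "assignPublicIp": "DISABLED",
    }},
    "deploymentConfiguration": {"deploymentCircuitBreaker": {"enable": True, "rollback": True}},
}

# Constructed counter-example: EC2 launch type, public IPs, one subnet, no SG, no breaker.
ECS_SERVICE_BAD: Dict[str, Any] = {
    "serviceName": "legacy",
    "launchType": "EC2",
    "networkConfiguration": {"awsvpcConfiguration": {
        "subnets": ["subnet-0pub"], "securityGroups": [], "assignPublicIp": "ENABLED",
    }},
    "deploymentConfiguration": {"deploymentCircuitBreaker": {"enable": False, "rollback": False}},
}

# Constructed sample matching the page's RDS description.
RDS_INSTANCE_OK: Dict[str, Any] = {
    "DBInstanceIdentifier": "app-db",  # hypothetical
    "Engine": "postgres",
    "MultiAZ": True,
    "PubliclyAccessible": False,
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
    "BackupRetentionPeriod": 35,
    "AutoMinorVersionUpgrade": True,
}

# Constructed counter-example: every control on the page missing.
RDS_INSTANCE_BAD: Dict[str, Any] = {
    "DBInstanceIdentifier": "scratch-db",
    "Engine": "postgres",
    "MultiAZ": False,
    "PubliclyAccessible": True,
    "StorageEncrypted": False,
    "BackupRetentionPeriod": 7,
    "AutoMinorVersionUpgrade": False,
}


if __name__ == "__main__":
    for name, result in [
        ("ECS ok", audit_ecs_service(ECS_SERVICE_OK)),
        ("ECS bad", audit_ecs_service(ECS_SERVICE_BAD)),
        ("RDS ok", audit_rds_instance(RDS_INSTANCE_OK)),
        ("RDS bad", audit_rds_instance(RDS_INSTANCE_BAD)),
    ]:
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The script audits configuration, not behaviour: it cannot tell whether a subnet is really private (that needs the route tables) or whether the security groups are tight, so treat a clean result as a precondition for the posture described above rather than proof of it.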

DATA PROTECTION

Encrypted in transit. Encrypted at rest.

Your roadmap data is yours. We protect it at every layer, and we've built in controls so you decide exactly who sees what. Our layered approach combines employee security training, technical controls, and documented processes to defend against evolving threats.

All data in transit is encrypted with TLS 1.2 using AES-128 cipher suites. Data at rest is protected with AES-256 block-level storage encryption. Both layers are active at all times.

ProductPlan personnel do not access your roadmaps unless you explicitly share them. You control who sees your data. Roadmaps are restricted by default and can only be shared via secure login or a private link you can revoke at any time. Because a private link grants view access to anyone who holds the URL, treat it as a bearer credential and revoke it when it is no longer needed. We do not share your roadmap data with third parties.

We proactively test for vulnerabilities through internal and external assessments, system patch monitoring, and vendor and third-party security mailing lists. Each vulnerability is ranked by risk and assigned an owner for resolution. Our isolated environments mean core system updates never affect your running application.

We're committed to protecting your personal information. Read our Privacy Policy for full details.

Regulatory Compliance

Built for the regulations your team answers to.

ProductPlan is designed to support the compliance requirements of global, security-sensitive organizations, from GDPR obligations to the infrastructure-level standards inherited from AWS.

ProductPlan is committed to the EU General Data Protection Regulation (GDPR). We've implemented technical and organizational security measures to protect your personal data and support your GDPR data security and privacy obligations.

ProductPlan maintains 99.9% uptime with fast support response times. Current application status and historical incidents are available on our status page. Enterprise Plans include Single Sign-On (SSO), Enhanced Password Security, Advanced Admin Management, and Restriction on Sharing via Private Links.

ProductPlan Security Certifications & Compliance

ProductPlan holds the following attestation and supports the following regulation:

  • SOC 2 Type II: Annual attestation by an independent CPA firm under the AICPA's SOC 2 framework, covering security, availability, and confidentiality
  • GDPR: General Data Protection Regulation (EU) compliant

To report security issues, contact security@productplan.com.

Frequently Asked Questions

Is ProductPlan SOC 2 compliant?

Yes. ProductPlan holds a SOC 2 Type II attestation, audited annually by an independent third party. The audit covers security, availability, and confidentiality. A copy of the report is available to enterprise customers upon request.

Is ProductPlan GDPR compliant?

Yes. ProductPlan is committed to full compliance with the EU General Data Protection Regulation (GDPR). We've implemented technical and organizational security measures to protect personal data and can support your organization's GDPR obligations.

Where is ProductPlan hosted?

ProductPlan's infrastructure is hosted directly on Amazon Web Services (AWS) in the US-East-1 region (N. Virginia). AWS data centers are accredited under ISO 27001, SOC 2, and PCI DSS Level 1.

Is my data encrypted?

All data in transit is encrypted with TLS 1.2 using AES-128 cipher suites. All data at rest is encrypted using AES-256 block-level storage encryption. Both layers are always active; no configuration is required.

Can ProductPlan staff see my roadmaps?

No. ProductPlan personnel do not have access to your roadmaps unless you explicitly share them with us. Roadmaps are restricted by default. You control sharing, including the ability to revoke private links at any time.

Does ProductPlan support Single Sign-On?

Yes. Single Sign-On (SSO) is available on Professional and Enterprise Plans, along with Enhanced Password Security, Advanced Admin Management, and Restriction on Sharing via Private Links.

What is ProductPlan's uptime?

ProductPlan maintains 99.9% uptime. Current application status and historical incident logs are publicly available on our status page.

Is ProductPlan HIPAA compliant?

ProductPlan's infrastructure is hosted on AWS, whose services can be operated in a HIPAA-compliant manner. That is a property of the infrastructure layer, not a HIPAA compliance claim for the ProductPlan application. If your organization has specific HIPAA requirements, please contact us to discuss your needs.

How do I report a security issue?

To report a security or privacy issue affecting ProductPlan or our web servers, please contact us directly at security@productplan.com. We review every report and respond promptly.

Which compliance frameworks does ProductPlan support?

The frameworks referenced on this page are SOC 2 Type II, ISO 27001, PCI DSS Level 1, GDPR, HIPAA, FISMA Moderate, Sarbanes-Oxley (SOX), FedRAMP, and CSA STAR Level One. ProductPlan's own attestation is SOC 2 Type II, and it supports customers' GDPR obligations. ISO 27001, PCI DSS Level 1, HIPAA, FISMA Moderate, SOX, and FedRAMP are attestations held by AWS for the hosting infrastructure; they apply to the infrastructure layer and should not be read as certifications of the ProductPlan application.

Ready to see it for yourself?

Schedule a few minutes with our team. We'll show you how ProductPlan keeps your strategy secure, and your team aligned.