ENTERPRISE PLATFORM SECURITY

Your roadmap data is safe with us.

ProductPlan is trusted by thousands of companies worldwide, including many of the Fortune 100. We're built for enterprise-grade security, with SOC 2 Type II attestation, annual audits, and the infrastructure to keep teams safe.

CERTIFICATIONS & COMPLIANCE

Certified. Audited. Accountable.

ProductPlan holds a SOC 2 Type II attestation, renewed through annual audits, to ensure our customers' data and intellectual property are protected at all times. The attestation covers the security, availability, and confidentiality trust services criteria. Note that SOC 2 is an independent auditor's attestation report on ProductPlan's own controls over the audit period, not a certification; a copy of the report is available to enterprise customers on request (see the FAQ below).

ProductPlan runs on the Heroku cloud platform (PaaS), hosted within Amazon Web Services (AWS) data centers in the US-East-1 region (N. Virginia). Amazon's infrastructure is accredited under ISO 27001, SOC 1 / SOC 2 / SOC 3 (SSAE 16 / ISAE 3402), and PCI DSS Level 1, and AWS also maintains programs for FISMA Moderate, Sarbanes-Oxley (SOX), HIPAA, FedRAMP, and GDPR. These are AWS's accreditations for the physical and virtualization layers it operates; they cover the hosting environment, not the ProductPlan application itself, whose controls are covered by ProductPlan's own SOC 2 report.

The ProductPlan application runs in an isolated Heroku environment with LXC-based process and memory isolation, host-based firewalls, and automatic security patching. New systems are deployed with the latest security fixes, and workloads are fully migrated off an instance before it is decommissioned.

Customer data is stored in an access-controlled Heroku Postgres database unique to each application instance. All data at rest is encrypted using AES-256 block-level storage encryption.

DATA PROTECTION

Encrypted in transit. Encrypted at rest.

Your roadmap data is yours. We protect it at every layer, and we've built in controls so you decide exactly who sees what. Our multi-layered approach to security safeguards against rising cyber threats through employee training, technology processes, and best practices.

All data in transit is encrypted using TLS 1.2 with AES-128 cipher suites. Data at rest is protected with AES-256 block-level storage encryption. Both layers are active at all times.

ProductPlan personnel cannot access your roadmaps unless you explicitly share them. You control who sees your data. Roadmaps are restricted by default and can only be shared via secure login or a private link you can revoke at any time. We do not share your roadmap data with third parties.

We proactively test for vulnerabilities through internal and external assessments, system patch monitoring, and vendor and third-party security mailing lists. Each vulnerability is ranked by risk and assigned for resolution. Our isolated environments mean core system updates never impact your running application.

We're committed to protecting your personal information. Read our Privacy Policy for full details.

Regulatory Compliance

Built for the regulations your team answers to.

From GDPR to PCI, ProductPlan is designed to support the compliance requirements of global, security-sensitive organizations.

ProductPlan is committed to Europe's General Data Protection Regulation (GDPR). We've implemented technical and organizational security measures to protect your personal data and support your GDPR data security and privacy obligations.

ProductPlan's infrastructure provider is PCI DSS Level 1 validated, the most stringent validation tier in the payment card industry. This is the provider's validation of its hosting environment rather than a certification of ProductPlan itself; all billing and credit card transactions are handled through a PCI-compliant payment processor.

ProductPlan maintains 99.9% uptime with fast support response times. Current application status and historical incidents are available on our status page. Enterprise Plans include Single Sign-On (SSO), Enhanced Password Security, Advanced Admin Management, and Restriction on Sharing via Private Links.

ProductPlan Security Certifications & Compliance

ProductPlan's own attestation, together with the standards and regulations covered by its infrastructure provider (AWS), are:

  • SOC 2 Type II (ProductPlan): annual attestation report issued by an independent auditor under the AICPA SOC 2 framework, covering security, availability, and confidentiality
  • ISO 27001 (via AWS): information security management certification of the hosting infrastructure
  • PCI DSS Level 1 (via AWS): payment card industry data security standard, most stringent validation tier
  • GDPR: ProductPlan has implemented technical and organizational measures to support customers' obligations under the EU General Data Protection Regulation
  • HIPAA (via AWS): the hosting provider supports HIPAA workloads; see the FAQ for ProductPlan's own position
  • FISMA Moderate (via AWS): Federal Information Security Modernization Act
  • Sarbanes-Oxley (SOX) (via AWS)
  • FedRAMP (via AWS): Federal Risk and Authorization Management Program
  • CSA STAR Level One: Cloud Security Alliance Security, Trust, Assurance and Risk registry

Infrastructure is hosted on the Heroku platform (PaaS) within Amazon Web Services (AWS). Data is encrypted in transit using TLS 1.2 with AES-128 cipher suites and at rest using AES-256. ProductPlan maintains 99.9% uptime.

To report security issues, contact security@productplan.com.

Frequently Asked Questions

ProductPlan holds a SOC 2 Type II attestation, audited annually by an independent third party. The audit covers security, availability, and confidentiality. A copy of our report is available to enterprise customers upon request.

ProductPlan is committed to full compliance with the EU General Data Protection Regulation (GDPR). We've implemented technical and organizational security measures to protect personal data and can support your organization's GDPR obligations.

ProductPlan's infrastructure is hosted on Amazon Web Services (AWS) in the US-East-1 region (N. Virginia) via the Heroku cloud platform. AWS data centers are accredited under ISO 27001, SOC 2, and PCI DSS Level 1.

All data in transit is encrypted using TLS 1.2 with AES-128 cipher suites. All data at rest is encrypted using AES-256 block-level storage encryption. Both layers are always active, with no configuration required.

ProductPlan personnel do not have access to your roadmaps unless you explicitly share them with us. Roadmaps are restricted by default. You control sharing, including the ability to revoke private links at any time.

Single Sign-On (SSO) is available on Professional and Enterprise Plans, along with Enhanced Password Security, Advanced Admin Management, and Restriction on Sharing via Private Links.

ProductPlan maintains 99.9% uptime. Current application status and historical incident logs are publicly available on our status page.

ProductPlan's infrastructure is hosted on AWS, which supports HIPAA workloads. HIPAA obligations are not inherited from the hosting provider, so this alone does not make ProductPlan a HIPAA-covered service; if your organization has specific HIPAA requirements, such as a Business Associate Agreement, please contact us to discuss your needs.

To report a security or privacy issue affecting ProductPlan or our web servers, please contact us directly at security@productplan.com. We review every report and respond promptly.

ProductPlan holds a SOC 2 Type II attestation and supports GDPR obligations; its infrastructure provider (AWS) is covered by ISO 27001, PCI DSS Level 1, HIPAA, FISMA Moderate, Sarbanes-Oxley (SOX), and FedRAMP, and the platform is listed under CSA STAR Level One.

Ready to see it for yourself?

Schedule a few minutes with our team. We'll show you how ProductPlan keeps your strategy secure, and your team aligned.