Security
We know your data is extremely important to you and your business, and we're very protective of it. We employ defense in depth to keep data secure and private.
SOC 2 Type 2
Independently Audited Every Year
PlaidCloud undergoes an annual SOC 2 Type 2 audit that ensures we have sufficient policies, monitoring, and controls covering security, availability, and confidentiality. If you would like a copy of our SOC 2 report, please contact us. You can also view our real-time security report.
Data Centers
PlaidCloud's physical infrastructure is hosted and managed within Google's secure data centers and uses several Google Cloud Platform services. Google's data center operations are accredited under:
Physical Security
PlaidCloud utilizes certified data centers managed by Google, which incorporate multiple layers of physical security protections. Access is limited to a very small fraction of Google employees and protected by biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection. Access is granted only on legitimate business need, revoked immediately when no longer required, and all physical and electronic access is logged and audited routinely.
Hardware Security
Both the server boards and networking equipment in Google data centers are custom-designed. Google vets component vendors, chooses components with care, and designs custom chips. Including a hardware security chip deployed on servers and peripherals. To securely identify and authenticate legitimate devices at the hardware level.
Boot Security
Google servers use cryptographic signatures over low-level components like the BIOS, bootloader, kernel, and base OS image, validated on each boot or update. Each machine has a specific identity tied to a hardware root of trust, used to authenticate API calls. Automated systems keep servers on up-to-date, patched software stacks and remove machines from service when necessary.
Network Security
Firewalls
Firewalls restrict access to systems from external networks and between systems internally. By default all access is denied; only explicitly allowed ports and protocols are permitted based on business need. Each system is assigned to a firewall security group based on its function to mitigate risk.
Kubernetes Network Policies
PlaidCloud operates within a Kubernetes cluster, adding a layer of networking security through policies that restrict communication between pods.
Data Security
Files
File-based content is stored in Google Storage Service, encrypted at rest. Workspace and Project data is stored in Git repositories as well as in Google Cloud Storage.
Workflow Execution
Workflows execute within their own isolated environment and cannot interact with other workflows. Limited communication policies enforced by Kubernetes networking policies provide an additional layer of security, ensuring isolation of user-defined code and expressions.
System Security
All system configurations and deployments use automated processes defined by Kubernetes and Helm. Manual changes are not permitted and are actively rolled back automatically. PlaidCloud relies on a self-healing compute environment that limits human interaction, enforces security policies automatically, and prevents circumventing security processes.
Software Security
PlaidCloud specialists are available 24/7/365 to keep our software and its dependencies updated. Engineers review each line of code before deploying to production and are trained to find and fix security vulnerabilities. We employ a wide range of monitoring solutions plus all of Google’s threat detection and mitigation tools, focused on reducing attack surface area.
Communications
All data exchanged with PlaidCloud is transmitted over encrypted connections (HTTPS using modern SSL/TLS); we do not accept unencrypted connections. User access is controlled by multiple authentication processes including single sign-on, OpenID, Multi-Factor, and password. Configurable by Workspace or individual.
Employee Access
PlaidCloud employees never access private workspace data unless required for support reasons. Support staff may sign in to access settings related to your issue and, in rare cases and only with your consent, pull a clone of your data. We access only what is needed to resolve your issue, and all copied data is deleted as soon as the issue is resolved.
Maintaining Security
We protect sign-in from brute-force attacks with rate limiting. Passwords are filtered from all logs and one-way encrypted with bcrypt. We support two-factor authentication (phone or Yubikey) and SAML single sign-on. Full-time security staff identify and prevent new attack vectors, and we test all new features for potential attacks. For customers who cannot host data outside their firewall, we offer PlaidCloud Firewall. A full version installable within the company’s network so no data leaves the firewall.
Credit Card & ACH Account Safety
We do not store or process credit card, purchasing card, debit card, or ACH account information. We use Stripe for all payments and also support direct invoicing for enterprise customers.
Need to Report a Security Vulnerability?
Please submit a PlaidCloud Responsible Vulnerability Disclosure report through the help page. We will make every attempt to address the issue as quickly as possible.
Questions about our security posture?
Contact us for a copy of our SOC 2 report or a walkthrough of our controls.