If you or your team have specific questions about how Plain is built, our processes or how we store and handle data please get in touch at firstname.lastname@example.org. We are very happy to answer any questions you have.
- We use Amazon Web Services to host Plain
- All data is stored in Amazon Web Services
- All data is encrypted in transit and at rest
- All data is backed up regularly and encrypted at rest
- We apply the following security best practices:
  - All changes to our infrastructure, permissions, and code happen via code reviews.
  - We grant IAM roles, systems, and engineers the least privileges needed to perform their duties.
  - Administrator privileges are only used in the case of serious incidents; for routine maintenance tasks we provision IAM roles with fine-grained permissions.
- We use the following third parties (for full legal terms, please see the Data Processing Addendum):
  - Auth0: as our identity provider for internal Support App users. No customer data is sent to Auth0.
  - Postmark: to send and receive emails for users and customers.
  - Segment: to measure product usage. We only send anonymised data.
  - Mixpanel: to measure product usage. We only send anonymised data.
Security is a core value of Plain, and we value the input of all external security researchers acting in good faith to help us maintain the security and privacy of our users and systems.
Any vulnerabilities or suspected vulnerabilities should be reported to the contact details below.
Guidelines for security researchers
We require all security researchers to:
- Act in good faith to avoid privacy violations, degradation of our services, disruption to production systems, and destruction of data during security testing (including denial of service).
- When reporting issues, be clear and succinct, and provide a proof-of-concept if possible.
- Only interact with your own accounts or test accounts for security research purposes. Do not access or modify our data or our users' data without our explicit permission.
- Keep information about any vulnerabilities you've discovered confidential between us until we've had 30 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursue or support any legal action related to your research
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 24 hours of submission)
We currently don't operate a bug bounty or security program, but we may, at our discretion and on a case-by-case basis, reward security researchers who have adhered to this policy and found a confirmed high-severity vulnerability.
If you think you have found a security issue, or have any questions related to security, please email one or all of the following:
- Security team (email@example.com)
- CTO: Matt Vagni (firstname.lastname@example.org)
- CEO: Simon Rohrbach (email@example.com)
We will reply to security-related questions within 24 hours.