Security Statement

Last Modified: January 29, 2024

At Planhat, we prioritize the security and confidentiality of our customers and users’ information as a fundamental aspect of our operations. As part of our commitment, Planhat has implemented processes to maintain security of customer and user data.

Planhat is SOC 2 certified. Should you require a copy of the SOC 2 report, or if you have any other security- or compliance-related questions, please contact compliance@planhat.com.

In the case of a discovered vulnerability, please refer to our Vulnerability Disclosure Policy.

Below, we have summarized key security processes at Planhat.

Regular Audits and Monitoring

We conduct regular security audits and monitoring activities to identify and address potential vulnerabilities: a private bug bounty program, both in-house and third-party penetration tests, weekly vulnerability scans, and continuous threat hunting. This proactive approach allows us to stay ahead of emerging threats and maintain the security of our systems.

Logging and Monitoring

Planhat uses an industry standard enterprise application management solution to monitor systems 24×7, trigger alerts based on event logs, and to facilitate alerting, trend analysis, and risk assessment.

Incident Process/Response

In the event of a security incident, Planhat has a comprehensive Incident Response Plan in place. Our team is trained to respond swiftly and effectively to mitigate any potential impact on data security. The Incident Response Plan describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information.

Security incidents are escalated from the initial responders to the relevant Account Manager for customer notification. All confirmed critical issues are remediated immediately. Issues of lesser severity are evaluated for resolution as part of the standard development process.

Deployed Environment

Planhat hardens its deployed environment in accordance with Center for Internet Security (“CIS”) guidance. The Planhat SaaS is deployed on Google Cloud's ISO 27001 certified services.

Business Continuity and Disaster Recovery

Business Continuity Planning (“BCP”) and Disaster Recovery (“DR”) activities prioritize critical functions supporting the delivery of Planhat’s SaaS Solutions to its customers. The development and scope of BCP and DR in each business function reflects the criticality of each function and/or facility in order to maximize the effectiveness of these efforts.

Backup

Planhat stores all customer data in fully redundant databases. Daily and intraday data is backed up on a scheduled basis, encrypted using the Advanced Encryption Standard (AES-256), and stored in a geographically separated location.

Scalability

Planhat's distributed architecture for data collection and processing allows it to scale horizontally as the number of customers and volume of traffic increase. Planhat uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are scaled up when predetermined capacity thresholds are reached.

Redundancy

Planhat’s SaaS Solutions architecture utilizes redundancy throughout the entire infrastructure, from load balancers, storage units and processing engines to power and telecommunication providers. No system or device has a single point of failure. Data is always written to two separate locations when stored.

Continuous Improvement

We are committed to a culture of continuous improvement in our security measures. This involves staying current with the latest technological advancements and security trends, and updating our practices accordingly.

Data Protection and Privacy

Planhat adheres to stringent data protection and privacy standards to protect personal and sensitive information. Our practices are aligned with applicable data protection laws and regulations, and we continually strive to exceed industry standards.

Risk Management

Planhat has practices in place as part of its Business Continuity Plan to assist management in identifying and managing risks that could affect the organization’s ability to provide reliable services to its customers. These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.

Encryption

All data transmission and storage within our systems utilize robust encryption protocols to prevent unauthorized access and maintain the confidentiality of information.

All data in transit is encrypted using Transport Layer Security (TLS / HTTPS).

Data at rest provided by Planhat’s customers within the Planhat application is stored encrypted using industry-standard AES-256.

Production Environment

Planhat employs a cloud deployment model for its software-as-a-service (“SaaS”) solution. All software maintenance and configuration activities are conducted by Planhat employees. The same databases are never used to store data from different customers (tenants), which is the safest and most robust approach for a multi-tenant enterprise solution. Planhat employs industry standard practices for security controls such as firewalls, Google Cloud Armor web application firewall with adaptive protection, system hardening, cloud security posture management and change management.

Documentation and Change Management

All critical and repeatable processes and security checks in Planhat’s production environment are either documented in procedures or implemented as automation scripts.

Planhat maintains and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves), are tracked and documented.

Both scheduled and emergency changes are tested in separate environments, then reviewed and approved by Engineering and Technical Support before deployment to the production environment.

All relevant business owners such as Support, Engineering, DevOps, and Security are represented at regular change management meetings.

Development and Support Process

Planhat follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology. Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.

Policies

Planhat maintains and annually updates various standard policies, including an Information Security Policy, Anti-Money Laundering Policy, Anti-Harassment Policy, and Employee Handbook, which details employees’ responsibilities toward confidentiality of customer data and acceptable use of resources. All employees must review and acknowledge all applicable policies.

Employee Screening

Planhat employees are required to undergo background checks and provide specific documents verifying identity at the time of employment.

Employee Training

General information security training is provided to all new employees (both full time and temporary) as part of their onboarding.

Furthermore, our employees undergo regular security awareness training to stay informed about the latest security threats and best practices. This ensures a collective effort to maintain a secure environment.

Terms of Employment

General information security responsibilities are documented in Planhat Information Security Policy, which all employees must sign as part of their onboarding.

Termination of Employment

Planhat manages a formal termination process, which includes removal of any potential access to Planhat and related data. The exit interview reminds ex-employees of their remaining employment restrictions and contractual obligations.

PREVIOUS VERSIONS

Security Statement, December 6, 2022