SOC 2 Type II

At ProductPlan, we continuously invest in security best practices to ensure that our customers’ data is safe. We are pleased to announce that we’ve successfully completed our SOC 2 Type II attestation.

Keeping our customers’ data safe and secure is our highest priority. This report shows our ongoing commitment to protect our customers’ data so they can focus on the most important work for their businesses by having trust in our policies, procedures and security program.

Data Security


ProductPlan’s physical infrastructure is hosted and managed within the Heroku cloud platform (PaaS). Heroku manages its infrastructure within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1, SOC 2 and SOC 3 / SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI DSS Level 1

AWS also continually works to comply with any new or changing regulations, such as:

  • FISMA Moderate
  • Sarbanes-Oxley (SOX)
  • GDPR

View the full list of Amazon AWS certifications here.


The ProductPlan application runs within an isolated environment in Heroku (PaaS), a cloud application platform that manages infrastructure configuration, scaling and security. Heroku manages its infrastructure in an AWS environment (us-east-1 region, N. Virginia).

All applications run in self-contained environments that isolate processes, memory, and file systems using LXC while host-based firewalls restrict applications from establishing local network connections.

For additional technical information:


ProductPlan stores customer data in an access-controlled Heroku Postgres database unique to our application. Customer data is encrypted at rest using AES-256 block-level storage.

Encryption/Secure Transmission

ProductPlan encrypts all data in transit using TLS 1.2/AES-128. ProductPlan also encrypts data-at-rest using AES-256, block-level storage encryption to give you even greater security.

Roadmap Security

ProductPlan is designed to help you control access to the sensitive information contained in your roadmaps. Here are some crucial points about roadmap security in ProductPlan:

  • ProductPlan personnel do not have access to your roadmap unless you share it with us.
  • You have full control of how and when you share a roadmap. Sharing a roadmap with another user requires a secure login. ProductPlan restricts all roadmaps to only the people you explicitly share with by default.
  • We provide the ability for a roadmap owner to share a roadmap with others with a private link. This link does not require a login. However, as the roadmap owner, you are in control of whether this feature is used. You can deactivate the link at any time.
  • We do not share your roadmap data with third parties.
  • We back up our servers regularly to guarantee against the loss of information.

ProductPlan also offers Single Sign-On and additional security features as part of our Enterprise Plans.

Penetration and Vulnerability Testing

ProductPlan processes are designed to proactively remediate security risks. ProductPlan is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to ProductPlan’s environment, ranked based on risk, and assigned to the appropriate team for resolution. New systems are deployed with the latest updates, security fixes, and Heroku configurations and existing systems are decommissioned after migrating the application to the new instances. This process allows Heroku to keep the environment up-to-date. Since ProductPlan’s application runs in isolated environments, they are unaffected by these core system updates.


At ProductPlan, we take your privacy seriously. We’re committed to protecting the privacy of the personal information you provide us. To learn more, read our Privacy Policy.


ProductPlan is committed to adhere to Europe’s General Data Protection Regulation (GDPR). We’ve implemented technical and organizational security measures that better protect our customers’ personal data. We’re committed to assisting our customers with satisfying their GDPR data security and privacy requirements.

Privacy Shield

We are certified under the EU-U.S. Privacy Shield Framework. To view our certification, please visit Privacy Shield.


ProductPlan’s infrastructure provider is PCI Level 1 compliant. We use a PCI compliant payment processor for encrypting and processing credit card payments.

Best-In-Class Service

ProductPlan is committed to providing reliable service and quick support responses to issue. Our application has 99.9% uptime; the current status of our application and any past incidents can be seen on our status page.

Our Professional and Enterprise Plans also include features and services designed to ensure that ProductPlan is managed as securely as possible at your organization. These include:

  • Single Sign-On
  • Enhanced Password Security
  • Advanced Admin Management
  • Restriction on Sharing via Private Links

To report security or privacy issues that affect ProductPlan or our web servers, please contact