Security & Compliance

Your planning data stays in the EU. The rest is documented below.

Primary database in the EU. AES-256 at rest, SAML SSO and SCIM on Enterprise, audit logs over API. Security questionnaires answered within two business days.

Infrastructure

Data residency & access

EU-based data residency

All session data and user records are stored in EU regions. AI inference uses a US-based processor governed by Standard Contractual Clauses, with no personal identifiers sent.

  • Primary database in the EU
  • Geo-distributed replicas for resilience
  • Real-time rooms on Cloudflare Durable Objects, pinnable to the EU
  • AI inference outside EU governed by Standard Contractual Clauses

Authentication & access

Email + password with TOTP 2FA, OAuth via GitHub, Google, Microsoft, or Atlassian — or enforce SAML SSO org-wide so your IdP decides who gets in.

  • Email + password with TOTP 2FA
  • OAuth: GitHub, Google, Microsoft, Atlassian
  • SAML 2.0 and OIDC SSO (Enterprise)
  • SSO enforcement, SCIM deprovisioning, audit log retention (Enterprise)

Encryption & provisioning

Encryption & user lifecycle

User lifecycle & SCIM

Provision and deprovision users automatically from your identity provider — no stale accounts, no manual offboarding.

  • SCIM 2.0 provisioning & deprovisioning
  • Just-in-Time user creation on SSO login
  • Automated cleanup when employees leave

Encryption

TLS in transit, AES-256 at rest. Integration credentials carry a second, application-level encryption layer — and with CMEK, the key sits in your own AWS KMS or Azure Key Vault.

  • TLS in transit
  • AES-256 at rest
  • Application-level encryption for integration credentials
  • CMEK — your AWS KMS or Azure Key Vault key (Enterprise); revoke to cut access
  • Encrypted backups

Compliance & observability

GDPR & audit logging

GDPR & compliance

Built EU-first from day one. Data export, deletion, and residency are first-class features, not afterthoughts.

  • DSAR endpoint for self-service data export
  • One-click account deletion (right to be forgotten)
  • Data Processing Agreement on request

Audit logging & monitoring

See who did what, when, and from where. Audit logs are exposed via API and UI for Team and Enterprise plans, with retention matching your plan.

  • Login, role change, and integration audit events
  • Filterable UI & REST API access
  • Retention scales with your plan
  • Application performance and error monitoring with alerting

Need a security review or DPA?

Our team replies to security questionnaires, custom DPAs, and architecture reviews within two business days. Email security@plandeck.app or use the contact form.