Security Policy

Last Updated: December 6, 2025

At Planifyr, we take security seriously. This Security Policy outlines our commitment to protecting your data, systems, and infrastructure from unauthorized access, theft, and misuse. We implement industry-leading security practices to safeguard your information and ensure the integrity of our services.

Commitment: Security is a core value at Planifyr. We continuously invest in security measures, employee training, and technology to protect your data and maintain your trust.

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security) 1.2 or higher. This encryption standard protects your information from interception during transmission.

  • HTTPS protocol on all web connections
  • TLS encryption for all API communications
  • Encrypted email communications for sensitive information
  • Secure WebSocket (WSS) connections for real-time data

1.2 Encryption at Rest

Data stored on our servers is encrypted using industry-standard AES-256 encryption. This ensures that even if storage devices are compromised, the data remains unreadable without the decryption key.

  • AES-256 encryption for database storage
  • Encrypted backups and archive storage
  • Field-level encryption for sensitive data (passwords, API keys, payment information)
  • Secure key management with automatic rotation

2. Authentication & Access Control

2.1 Strong Password Policies

We enforce strong password requirements to protect user accounts:

  • Minimum 8 characters with uppercase, lowercase, numbers, and special characters
  • Password expiration policies for sensitive accounts
  • Blocking of common passwords and protection against dictionary attacks
  • Password hashing using bcrypt with a configured number of salt rounds (work factor)

2.2 Two-Factor Authentication (2FA)

We offer optional two-factor authentication to add an extra layer of security to your account:

  • Time-based One-Time Password (TOTP) via authenticator apps
  • SMS-based verification codes
  • Backup codes for account recovery
  • WebAuthn/FIDO2 support for hardware security keys

2.3 Role-Based Access Control (RBAC)

Access to sensitive data and features is restricted based on user roles and permissions:

  • Principle of least privilege: users hold only the permissions they need
  • Admin, manager, and user-level access tiers
  • Project-based access controls
  • Time-limited access with automatic expiration
  • Audit logs for all access and permission changes

2.4 Session Management

  • Secure session tokens with expiration
  • HttpOnly and Secure flags on session cookies
  • Session invalidation on logout
  • Protection against session fixation and hijacking

3. Infrastructure Security

3.1 Secure Cloud Infrastructure

Our services are hosted on secure, compliant cloud platforms:

  • Enterprise-grade cloud providers with SOC 2 Type II certification
  • Geographically distributed data centers for redundancy
  • Automated scaling and load balancing
  • Network isolation and virtual private clouds (VPCs)

3.2 Network Security

  • Firewalls and intrusion detection/prevention systems (IDS/IPS)
  • DDoS protection and mitigation
  • WAF (Web Application Firewall) rules and monitoring
  • Network segmentation and micro-segmentation
  • VPN access for internal systems

3.3 Server & System Hardening

  • Regular patching and security updates
  • Minimal service exposure (closed ports, disabled unnecessary services)
  • Operating system and application hardening
  • Intrusion detection and monitoring

4. Application Security

4.1 Secure Development Practices

We follow industry best practices in developing secure applications:

  • OWASP Top 10 vulnerability prevention
  • Secure coding standards and guidelines
  • Code reviews by security-trained developers
  • Static application security testing (SAST)
  • Dynamic application security testing (DAST)

4.2 Input Validation & Output Encoding

  • Strict input validation on all user inputs
  • Protection against SQL injection, XSS, and CSRF attacks
  • Proper output encoding and escaping
  • Content Security Policy (CSP) headers

4.3 API Security

  • API authentication using OAuth 2.0 and API keys
  • Rate limiting to prevent abuse
  • Request signing and verification
  • API versioning and deprecation management
  • Comprehensive API access logging

4.4 Third-Party Dependencies

  • Regular security audits of dependencies
  • Automated vulnerability scanning (SAST/SCA tools)
  • Timely patching of vulnerable libraries
  • Software composition analysis (SCA)

5. Data Protection & Privacy

5.1 Data Classification

We classify data based on sensitivity level and apply appropriate security controls:

  • Public: Non-sensitive data that can be freely shared
  • Internal: Data for internal use only with standard protections
  • Confidential: Sensitive business data requiring strong protection
  • Restricted: Highly sensitive data (PII, payment info) with maximum protection

5.2 Data Access Logging

  • Comprehensive audit logs of all data access
  • Monitoring and alerting for suspicious access patterns
  • User activity tracking and reporting
  • Immutable log storage with long retention periods

5.3 Data Minimization

  • Collect only necessary data for stated purposes
  • Regular review and deletion of unnecessary data
  • Data retention policies aligned with regulations
  • Secure data disposal procedures

6. Backup & Disaster Recovery

6.1 Regular Backups

  • Automated daily backups of all data
  • Encrypted backup storage in geographically distributed locations
  • Multiple backup copies at different retention periods
  • Regular backup restoration testing

6.2 Business Continuity

  • Documented disaster recovery plans
  • Regular disaster recovery drills and testing
  • Recovery Time Objective (RTO) of less than 4 hours
  • Recovery Point Objective (RPO) of less than 1 hour
  • Redundant systems and failover capabilities

7. Security Monitoring & Incident Response

7.1 24/7 Security Monitoring

We maintain continuous monitoring of our systems and networks for potential threats:

  • Security Information and Event Management (SIEM) systems
  • Real-time threat detection and alerting
  • Behavioral analysis and anomaly detection
  • Log aggregation and correlation

7.2 Incident Response Plan

We have a comprehensive incident response plan to address security incidents:

  • Immediate incident detection and containment
  • Root cause analysis and investigation
  • User notification within 72 hours of confirmed breach
  • Regulatory reporting and compliance
  • Post-incident review and remediation

7.3 Security Team

  • Dedicated security team available 24/7
  • Security professionals with industry certifications
  • Regular security training and awareness programs

8. Vulnerability Management

8.1 Regular Security Testing

  • Annual third-party penetration testing
  • Monthly vulnerability scanning
  • Quarterly security assessments
  • Bug bounty program for responsible disclosure

8.2 Vulnerability Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us at security@planifyr.com with details about the vulnerability.

8.3 Patch Management

  • Regular patching schedule for all systems
  • Emergency patching for critical vulnerabilities
  • Zero-downtime deployment capabilities

9. Compliance & Certifications

Planifyr maintains compliance with industry standards and regulations:

  • SOC 2 Type II compliance
  • GDPR compliance for European users
  • CCPA compliance for California residents
  • ISO 27001 information security standards
  • PCI DSS compliance for payment processing
  • HIPAA compliance where applicable

10. Employee Security

10.1 Background Checks

All employees with access to sensitive data undergo background checks and security screening.

10.2 Security Training

  • Mandatory security awareness training for all employees
  • Annual security certifications
  • Phishing awareness and simulation programs
  • Secure development training for developers

10.3 Access Control for Employees

  • Principle of least privilege for employee access
  • Access revocation upon termination
  • Multi-factor authentication required for all employees
  • Regular access reviews and audits

11. Security Updates & Communication

We regularly communicate important security updates to our users:

  • Security advisories for discovered vulnerabilities
  • Updates on security improvements and enhancements
  • Notifications of changes to security practices
  • Security blog and best practices guidance

12. User Responsibilities

While we implement comprehensive security measures, users also have important responsibilities:

  • Use strong, unique passwords and enable 2FA
  • Keep login credentials confidential
  • Log out of accounts when not in use
  • Report suspected security issues immediately
  • Keep your device and browser updated
  • Be cautious with phishing attempts and suspicious emails
  • Review account activity regularly

13. Security Policy Updates

We may update this Security Policy to reflect changes in our security practices, new threats, or regulatory requirements. We will notify you of material changes and post the updated policy on our website.

14. Report Security Issues

Found a Security Vulnerability?

If you discover a security vulnerability, please report it responsibly to:

Planifyr Security Team
Email: security@planifyr.com

Please do not disclose the vulnerability publicly until we have had time to investigate and develop a fix. We appreciate responsible disclosure and will acknowledge your report promptly.

We will respond to your report within 24 hours and keep you informed of progress toward resolution.

15. Contact Us

Questions About Our Security?

If you have any questions or concerns about our security practices, please contact us:

Planifyr
Email: info@planifyr.com
Security Issues: security@planifyr.com

We will respond to your inquiry within a reasonable timeframe, typically within 2 business days.