We know your data is extremely important to you and your business, and we’re very protective of it. Our data is stored on PlaidCloud too. We take several steps to ensure security. A summary of each step is below:
Please visit our PlaidCloud Responsible Vulnerability Disclosure and submit a vulnerability report. We will make every attempt to address the issue as quickly as possible.
We employ a team of 24/7/365 server specialists at PlaidCloud to keep our software and its dependencies up to date, eliminating potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks to the site.
All data exchanged with PlaidCloud is always transmitted over encrypted connections. All communication with PlaidCloud occurs over HTTPS using modern SSL and TLS processes. We do not accept connections that are not encrypted.
User access is controlled by the use of various authentication processes including single sign-on, OpenID, multi-factor (using YubiKey), and password. The method of authentication can be determined by Workspace or individual.
We do not encrypt database data on disk because it would not be any more secure: the website and PlaidCloud back-end would need to decrypt the data on demand, slowing down response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.
All data at rest or in file form is encrypted using the strongest industry standard practice available. All data at rest is stored in a highly distributed file system and encrypted prior to loading.
No PlaidCloud employees ever access private workspace data unless required to for support reasons. Support staff may sign into your account to access settings related to your support issue. In rare cases, staff may need to pull a clone of your data, but this will only be done with your consent. Support staff does not have direct access to copy or view any data. When working on a support issue, we do our best to respect your privacy as much as possible by only accessing the files and settings needed to resolve your issue. All copied data are deleted as soon as the support issue has been resolved.
We protect your sign-in from brute force attacks with rate limiting. All passwords are filtered from all our logs and are stored in the database as one-way hashes using bcrypt. Sign-in information is always sent over SSL.
We also allow you to use two-factor authentication, or 2FA, as an additional security measure when accessing your PlaidCloud account. Enabling 2FA adds security to your account by requiring both your password and access to a one-time security code on your phone or YubiKey to access your account.
Single Sign-on is supported using SAML authentication facilities. OpenID is also supported using various OpenID services.
We have full-time security staff to help identify and prevent new attack vectors. We always test new features in order to rule out potential attacks.
We’re extremely concerned about maintaining the utmost security, and so we are very active in our security measures.
Some companies are not able to host data outside their firewall for compliance or legal reasons and for those situations we offer PlaidCloud Firewall. PlaidCloud Firewall is a full version of PlaidCloud that can be installed on a server or cluster of servers within the company’s network and ensures no data leaves the firewall.
When you sign up for a paid account on PlaidCloud, we do not store any of your card information on our servers. It’s handed off to Braintree, a company dedicated to storing your sensitive data on PCI-Compliant servers.
Have a question, concern, or comment about PlaidCloud security? Please contact us.