We know your data is extremely important to you and your business, and we’re very protective of it. Our data is stored on PlaidCloud too. We take specific precautions to protect your data and ensure security. We employ defense in depth to keep data secure and private.
PlaidCloud undergoes an annual SOC 2 audit that ensures we have sufficient policies, monitoring, and controls covering security, availability, and confidentiality. If you would like a copy of our SOC 2 report please contact us.
PlaidCloud’s physical infrastructure is hosted and managed within Google’s secure data centers and utilizes several services within Google Cloud Platform. Google continually manages risk and undergoes recurring assessments to ensure compliance with industry and government standards. Google’s data center operations have been accredited under:
- ISO/IEC 27001
- ISO/IEC 27017
- ISO/IEC 27018
- SOC 1, SOC 2, and SOC 3
- PCI DSS 3.2
- FedRAMP (High and Moderate)
- DISA IL2
- NIST 800-53 (FISMA)
- NIST 800-171
- FIPS 140-2
PlaidCloud utilizes certified data centers managed by Google. Google has many years of experience in designing, constructing, and operating large-scale data centers. Google designs and builds its own data centers, which incorporate multiple layers of physical security protections. Access to these data centers is limited to only a very small fraction of Google employees. Google uses multiple physical security layers to protect data center floors and uses technologies like biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems.
Google only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Google. All physical and electronic access to data centers by Google employees is logged and audited routinely.
For additional information see: https://cloud.google.com/security/infrastructure/design
A Google data center consists of thousands of server machines connected to a local network. Both the server boards and the networking equipment are custom-designed by Google. Google vets component vendors and chooses components with care, while working with vendors to audit and validate the security properties provided by the components. Google also designs custom chips, including a hardware security chip that is deployed on both servers and peripherals. These chips allow Google to securely identify and authenticate legitimate Google devices at the hardware level.
Google servers use a variety of technologies to ensure that they are booting the correct software stack. Google uses cryptographic signatures over low-level components like the BIOS, bootloader, kernel, and base operating system image. These signatures can be validated during each boot or update. The components are all Google-controlled, built, and hardened.
Each server machine in the data center has its own specific identity that can be tied to the hardware root of trust and the software with which the machine booted. This identity is used to authenticate API calls to and from low-level management services on the machine.
Google has authored automated systems to ensure servers run up-to-date versions of their software stacks (including security patches), to detect and diagnose hardware and software problems, and to remove machines from service if necessary.
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied, and only explicitly allowed ports and protocols are permitted based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Kubernetes network policies
PlaidCloud operates within a Kubernetes cluster. This provides an additional layer of networking security by allowing the application of networking policies that restrict communication between pods.
File-based content is stored in Google Storage Service. All data is stored in an encrypted form. Workspace and Project data is stored in Git repositories as well as in Google Cloud Storage.
Workflows execute within their own isolated environment and cannot interact with other workflows. In addition, they have limited communication policies enforced by Kubernetes networking policies providing an additional layer of security. This restrictive operating environment ensures isolation of user defined code and expressions.
All system configurations and deployments utilize automated deployment processes defined by Kubernetes and Helm. Manual changes are not permitted and are automatically rolled back. PlaidCloud relies on a highly automated, self-healing compute environment that limits human interaction and access to systems. This not only ensures security policies are enforced automatically but also prevents circumvention of security processes.
The PlaidCloud team of specialists is available 24/7/365 to keep our software and its dependencies updated, eliminating potential security vulnerabilities. Our software engineers review each line of code before deploying it to our production environment. They are trained to search for and solve security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks. In addition, we employ all of Google’s threat detection and mitigation tools along with a focus on eliminating all possible attack vectors by reducing attack surface area.
All data exchanged with PlaidCloud is transmitted over encrypted connections to maintain end-to-end security. All communication with PlaidCloud occurs over HTTPS using modern SSL and TLS processes. We do not accept connections that are not encrypted.
User access is controlled by the implementation of multiple authentication processes including single sign-on, OpenID, Multi-Factor, and password. The method of authentication can be determined by the Workspace or individual.
PlaidCloud employees never access private workspace data unless such access is required for support reasons. Support staff may sign in to your account to access settings related to your support issue. In rare cases, staff may need to pull a clone of your data, but this is only done with your consent. Support staff does not have direct access to copy or view any data. When working on a support issue, we respect your privacy as much as possible, accessing only the files and settings needed to resolve your issue. All copied data is deleted as soon as the support issue is resolved.
We protect your sign-in from brute force attacks with rate limiting. All passwords are filtered from all our logs and are one-way hashed in the database using bcrypt. Sign-in information is always sent over SSL.
We also allow you to use two-factor authentication, or 2FA, as an additional security measure when accessing your PlaidCloud account. Enabling 2FA increases your account’s security because it requires both your password and a one-time security code on your phone or Yubikey to access your account.
Single Sign-on is supported using SAML authentication facilities.
We have full-time security staff to help identify and prevent new attack vectors. We strenuously test all new features to rule out potential attacks.
We’re extremely concerned about maintaining the utmost security, so we are very proactive in our security measures.
Some companies are unable to host data outside their firewall for compliance or legal reasons. In those situations we offer PlaidCloud Firewall. PlaidCloud Firewall is a full version of PlaidCloud that can be installed on a server or cluster of servers within the company’s network to ensure that no data leaves the firewall.
Credit card and ACH account safety
We do not store or process credit card, purchasing card, debit card, or ACH account information. We utilize Stripe for all payments to ensure security of your payment information. We also support direct invoicing for enterprise customers.
Need to report a security vulnerability?
Please visit our PlaidCloud Responsible Vulnerability Disclosure and submit a vulnerability report. We will make every attempt to address the issue as quickly as possible.
Have a question, concern, or comment about PlaidCloud security? Please contact us.