Infrastructure & data protection

Security at ProPlan Studio

Your data — and your buyers' data — is protected by enterprise-grade infrastructure, end-to-end encryption, and strict access controls. Here's exactly how.

  • TLS 1.2+ — all traffic encrypted
  • AES-256 — encryption at rest
  • OAuth 2.0 — email integration auth

Infrastructure

  • Hosted on Vercel — enterprise-grade serverless infrastructure with global edge network
  • Database and file storage on Supabase (PostgreSQL on AWS) with automated daily backups
  • All services operate in SOC 2 Type II certified data centers
  • Zero-downtime deployments — no maintenance windows that affect your buyers

Encryption

  • All data in transit is encrypted with TLS 1.2 or higher — enforced on every request
  • All data at rest is encrypted using AES-256 at the storage level
  • Payment card data is never stored by us — Stripe handles all card data under PCI DSS
  • OAuth refresh tokens for connected inboxes are stored encrypted and are never exposed via API

Access controls

  • Row-Level Security (RLS) on every database table — users can only access data scoped to their account
  • Service-role database access is restricted to server-side API routes only; the client never touches it
  • Admin accounts are protected with multi-factor authentication
  • All production access is logged and reviewed

Email integration security

  • Gmail and Outlook connections use OAuth 2.0 — we never see or store your email password
  • OAuth tokens are scoped to the minimum permissions required (send, read metadata)
  • Tokens can be revoked at any time from your Google or Microsoft account settings
  • Connected inboxes that fail authentication are flagged automatically and stop sending

Incident response

  • Security incidents are assessed within 24 hours of detection
  • Affected customers are notified within 72 hours of a confirmed data breach
  • Post-incident reports are available on request for significant incidents
  • To report a vulnerability, email hello@proplanstudio.com with subject line: Security

Data residency and compliance

  • All data is stored in the United States on AWS infrastructure
  • We comply with applicable US data protection laws including CCPA
  • GDPR: ProPlan Studio acts as a data processor for buyer lead data; you are the controller
  • Data Processing Agreements (DPAs) are available on request for enterprise customers

Found a security issue?

We take all security reports seriously. Email us at hello@proplanstudio.com with the subject line “Security”. We will acknowledge within 24 hours and work to resolve confirmed vulnerabilities promptly.

We do not currently operate a formal bug bounty program, but we are grateful for responsible disclosures.