
Our commitment to security

At Plain, we take your data seriously. Whether you're handling sensitive customer conversations or scaling your support operations, security is foundational to how we build, operate, and support our platform.

Transparent & compliant

Plain holds a SOC 2 Type II report, meaning an independent auditor has verified how we manage security, availability, and confidentiality over time. We’ve also built our systems in line with GDPR and the UK Data Protection Act, and provide a clear Data Processing Agreement (DPA) for companies that need it.

We believe in transparency. You can check our system health any time at status.plain.com, and we’re happy to share SOC 2 reports or security documentation with your team – just head here to request access.

A few of the foundations of the way we build:

  • All data is encrypted at rest and in transit

  • Our infrastructure is hosted securely in AWS

  • Data access is tightly controlled and on a 'need-to-know' basis

  • All system changes go through strict code reviews

Securing Plain's API

Everything from Plain's platform to our API is designed to keep your data protected.

  • Our GraphQL API runs on the same infrastructure that powers Plain itself: there are no hidden features, and you have access to our entire GitHub repo.

  • Every API request requires authentication and signed headers, so only trusted systems can interact with your data.

  • We support mutual TLS (mTLS) for teams that want an additional layer of verification.

  • Slack messages are temporarily cached for no longer than 7 days, purely for reliability and recoverability.

Privacy-first by default

We’re clear about what data we collect, how we use it, and how you can stay in control. For more information on how we process your data, read our Privacy Policy and DPA.

We support your rights as a data owner:

  • You can request, access, or delete your data at any time.

  • We’ll never share your data without consent.

  • We’re available to help your team meet internal privacy or compliance goals.

If your team needs help mapping Plain’s security and compliance to your internal requirements, or you’d like to request additional documentation, just email us at help@plain.com.

Data security

  • We use Amazon Web Services to host Plain

  • All data is stored in the Amazon Web Services eu-west-2 (London) region

  • All data is encrypted in transit and at rest

  • All data is backed up regularly, and backups are encrypted at rest

  • We apply the following security best practices:

    • All changes to our infrastructure, permissions, and code happen via code reviews

    • We grant IAM roles, systems, and engineers the least privilege needed to perform their duties

    • Administrator privileges are only used in the case of serious incidents. For routine maintenance tasks we provision IAM roles with fine-grained permissions.

  • We carefully evaluate third-party vendors before using them, and regularly review both the vendors and the data they can access. Please see the Data Processing Agreement (DPA) for the full list of vendors we use.

Request signing

Outbound requests we make to your target URLs carry an HMAC signature computed with a shared secret key, so your endpoint can check that a request really came from Plain and that its body was not modified in transit. Please see the Request signing documentation for the header name, hash function and encoding used, and for more information.

Reporting an issue

If you think you found a security issue or have any questions related to security please email us at security@plain.com.

Please keep your report concise, add steps to reproduce, and include a proof of concept if possible.

We will acknowledge valid reports within 48 hours of receipt. Please avoid following up more than once every 72 hours to allow our team to focus on fixing any issues.

Guidance

We award bounties, on a case-by-case basis, to security researchers who have adhered to this policy and found a confirmed high-severity vulnerability.

You must not:

  • Break any applicable law or regulation

  • Access unnecessary, excessive or significant amounts of data

  • Modify data in Plain systems or services

  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities

  • Attempt or report any form of denial of service, for example, overwhelming a service with a high volume of requests

  • Disrupt the Plain services or systems

  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers

  • Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support

  • Communicate any vulnerabilities or associated details other than by means described in this policy

  • Social engineer, ‘phish’ or physically attack Plain staff or infrastructure

  • Demand financial compensation in order to disclose any vulnerabilities, or threaten the public disclosure of a vulnerability unless payment is made

You must:

  • Always comply with data protection rules and never violate the privacy of any data Plain holds. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services

  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursuing or supporting any legal action related to your research

  • Working with you to understand and resolve the issue quickly (including an initial confirmation of your report within 48 hours of submission)