Security Policy

Last Updated: February 23, 2026

PlanXpress is committed to maintaining the highest standards of security to protect your data and ensure the integrity of our workforce management platform.

1. Infrastructure Security

Our infrastructure is built on industry-leading cloud platforms with enterprise-grade security:

Hosting: Render.com provides our application hosting with SOC 2 Type II compliance, DDoS protection, and automatic failover
Database: Neon PostgreSQL with automatic backups, point-in-time recovery, and connection pooling
Geographic Distribution: Multi-region deployment capabilities for high availability and disaster recovery
Network Security: Private networking between services, TLS 1.2+ for all connections, and isolated tenant environments

2. Data Encryption

We implement comprehensive encryption to protect your data at all stages:

Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ with strong cipher suites
Data at Rest: All database records, credentials, and sensitive data are encrypted using AES-256-GCM encryption
Credential Storage: Authentication tokens, API keys, and connector credentials are encrypted at the field level with unique encryption keys
Key Management: Encryption keys are rotated regularly and stored separately from encrypted data

3. Access Controls & Authentication

We implement multi-layered access controls to ensure only authorized users can access your data:

Authentication: Magic link authentication via email eliminates password-related vulnerabilities
Session Management: Secure session tokens with automatic expiration, HTTP-only cookies, and SameSite protection
Row-Level Security (RLS): Database-enforced tenant isolation ensures users can only access their organization's data
Role-Based Access Control (RBAC): Admin and user roles with granular permissions for feature access
Password Requirements: For accounts using password authentication, we enforce a minimum of 10 characters with at least one letter and one number

4. Application Security

Our application implements comprehensive security hardening across seven phases:

4.1 Security Headers

Content Security Policy (CSP): Restricts script and resource loading to approved domains (self, cdn.jsdelivr.net, unpkg.com, plausible.io)
X-Frame-Options: DENY to prevent clickjacking attacks
X-Content-Type-Options: nosniff to prevent MIME type confusion attacks
Strict-Transport-Security (HSTS): 1-year duration to enforce HTTPS connections
X-XSS-Protection: Browser-level XSS filtering enabled

4.2 Rate Limiting

Authentication endpoints: 5 requests per 15 minutes per IP
API endpoints: 100 requests per 15 minutes per authenticated user
Protects against brute-force attacks and denial-of-service attempts

4.3 CSRF Protection

CSRF tokens required for all state-changing operations
Double-submit cookie pattern for API requests
SameSite cookie attributes to prevent cross-site request forgery

4.4 Input Validation & Sanitization

Server-side validation of all user inputs
SQL injection prevention through parameterized queries and prepared statements
XSS prevention through HTML entity encoding and content sanitization
File upload validation (type, size, content inspection)

4.5 Audit Logging

Comprehensive logging of authentication events, data access, and administrative actions
Immutable audit trails for compliance and forensic analysis
Logs include timestamps, user identifiers, IP addresses, and action details

4.6 Session Hardening

Secure session configuration with HTTP-only and secure flags
Automatic session expiration after inactivity
Session fixation protection through token regeneration

4.7 Dependency Management

Weekly automated vulnerability scanning of all dependencies using npm audit
Security dashboard for real-time vulnerability tracking
Current status: 0 CRITICAL, 0 HIGH vulnerabilities
Automatic alerts for newly disclosed vulnerabilities

5. Vulnerability Management

We maintain a proactive approach to identifying and remediating security vulnerabilities:

Automated Scanning: Weekly OWASP ZAP penetration testing covering SQL injection, XSS, broken authentication, sensitive data exposure, CSRF, and access control vulnerabilities
Latest Scan Results: Most recent scan (February 22, 2026) found 0 vulnerabilities across all tested categories
Dependency Updates: Regular updates to address security advisories in third-party libraries
Security Patches: Critical security patches deployed within 24 hours of disclosure
Responsible Disclosure: Security researchers can report vulnerabilities to security@planxpress.com

6. Data Isolation & Privacy

We ensure strict separation of customer data:

Tenant Isolation: Database-level row-level security (RLS) enforces complete isolation between organizations
Data Residency: Customer data stored in geographically appropriate regions based on customer location
Data Minimization: We collect only the data necessary to provide our services
Access Logging: All access to customer data is logged and auditable

7. Monitoring & Incident Response

We maintain 24/7 monitoring and incident response capabilities:

Real-Time Monitoring: Automated alerts for security events, system anomalies, and performance issues
Log Aggregation: Centralized logging for security event correlation and analysis
Incident Response Team: Dedicated team for security incident handling and escalation
Response Timeline: Initial assessment within 1 hour, containment within 4 hours, full resolution within 24 hours for critical incidents
Breach Notification: Customer notification within 72 hours of confirmed data breach (GDPR compliance)

8. Business Continuity & Disaster Recovery

We maintain comprehensive backup and recovery procedures:

Automated Backups: Daily automated database backups with 30-day retention
Point-in-Time Recovery: Ability to restore data to any point within the retention period
Geographic Redundancy: Backups stored in geographically separate regions
Recovery Time Objective (RTO): 4 hours for critical systems
Recovery Point Objective (RPO): 24 hours maximum data loss
Disaster Recovery Testing: Quarterly tests of backup restoration procedures

9. Compliance & Certifications

PlanXpress maintains compliance with industry standards and regulations:

GDPR: General Data Protection Regulation compliance for European customers
CCPA: California Consumer Privacy Act compliance for California residents
SOC 2 Type II: Infrastructure provider (Render) maintains SOC 2 Type II certification
Data Processing Agreements: Available for enterprise customers requiring formal DPA execution

10. Employee Security

We maintain strict security practices for employee access:

Background Checks: Security background checks for all employees with access to customer data
Security Training: Mandatory security awareness training for all employees
Least Privilege: Employees granted minimum access necessary for their role
Access Review: Quarterly reviews of employee access permissions
Offboarding: Immediate revocation of access upon employee termination

11. Third-Party Security

We carefully vet all third-party service providers:

Vendor Assessment: Security review of all vendors with access to customer data
Subprocessors: List of data subprocessors maintained in our Data Processing Agreement
Contractual Protections: Data protection clauses in all vendor contracts
Regular Reviews: Annual reassessment of vendor security posture

12. Security Reporting

To report a security vulnerability or concern:

Email: security@planxpress.com
Response Time: Initial response within 24 hours
Responsible Disclosure: We request 90 days to address reported vulnerabilities before public disclosure
Recognition: Security researchers who responsibly disclose vulnerabilities will be acknowledged (with permission)

13. Policy Updates

This Security Policy is reviewed and updated regularly to reflect our current security practices and address emerging threats. Material changes will be communicated to customers via email or through the platform.

Questions about our security practices?
Contact us at security@planxpress.com