
Security Policy

This policy describes the security controls, infrastructure standards, and incident response procedures Placet maintains for its platform. We take security seriously — not because we are required to, but because our users trust us with their data.

Effective date: April 20, 2026 · Last updated: April 20, 2026 · Reviewed annually

No PHI. US-only data. Placet does not process Protected Health Information. All data is stored in US data centers. We are not a HIPAA covered entity or business associate, but we voluntarily align our security controls with HIPAA Security Rule standards as best practice.

1. Organizational Security

Placet has formally adopted an Information Security Policy governing all aspects of data protection, access control, and incident management for the Placet platform. Security responsibilities are assigned to designated personnel. This policy is reviewed and updated at least annually, and whenever material changes to our infrastructure or threat landscape occur.

2. Infrastructure Security

All production infrastructure is hosted with SOC 2-certified providers:

Vercel Inc. — Web Hosting & Edge Delivery

Global edge network, automated TLS certificate management, DDoS mitigation, and multi-region redundancy.

SOC 2 Type II · ISO 27001

Supabase Inc. — Database & Authentication

Managed PostgreSQL with row-level security (RLS), encrypted storage, and automated backups.

SOC 2 Type II

Cloudflare Inc. — DNS & CDN

DNS management, CDN caching, DDoS protection, and Web Application Firewall (WAF).

SOC 2 Type II · ISO 27001

3. Encryption

In Transit

TLS 1.3 for all connections between users and Placet infrastructure. TLS 1.2 is the minimum accepted; older versions are rejected.

At Rest

AES-256 encryption for all data stored in Supabase. Database backups are encrypted using the same standard.

4. Access Control

  • Role-based access control (RBAC): All system access is governed by predefined roles with least-privilege permissions. Employees and contractors receive only the access necessary for their function.
  • Multi-factor authentication (MFA): Required for all personnel with administrative access to production systems, cloud infrastructure, and databases.
  • Access reviews: Access privileges are reviewed quarterly and revoked promptly upon role change or termination.
  • Row-level security: Supabase RLS policies enforce data isolation at the database layer, preventing unauthorized cross-tenant data access.

5. Data Classification

Classification | Examples | Controls
PUBLIC | CMS facility data, quality scores, ratings | No restrictions; freely accessible
CONFIDENTIAL | User email addresses, inquiry content, session tokens | Encrypted at rest; access restricted by role

No PHI exists in any classification tier. Placet does not store, process, or transmit Protected Health Information.

6. Data Residency

All user data is stored and processed in United States data centers only. We do not transfer personal data to servers outside the United States. All subprocessors used for data storage and processing are required to maintain US-only data residency for Placet data.

7. Development Security

  • All software development is performed by US-based personnel.
  • Code review is required for all changes to production systems — no solo merges to main.
  • Automated security scanning (dependency vulnerability checks and static analysis) runs on every pull request.
  • Secrets are managed via environment variables and secret management tools — no credentials in source code.
  • Staging environments use non-production data only.

8. Vulnerability Management

  • Dependency updates: All software dependencies are reviewed and updated at least monthly.
  • Critical patches: Vulnerabilities rated Critical or High severity are patched within 48 hours of disclosure.
  • Security scanning: Automated tools scan for known vulnerabilities in dependencies and infrastructure configuration on each deployment.

9. Incident Response

Placet follows a five-phase incident response process:

1. Detection

Automated monitoring and alerting identify anomalies, unauthorized access attempts, or data irregularities.

2. Containment

Affected systems are isolated to prevent further impact. Access credentials are rotated as warranted.

3. Eradication

Root cause is identified and eliminated. Vulnerabilities are patched or configurations corrected.

4. Recovery

Systems are restored from clean backups or rebuilt. Functionality is verified before returning to production.

5. Lessons Learned

Post-incident review documents findings, updates procedures, and identifies preventive measures.

Affected parties will be notified within 72 hours of confirmed incident identification, consistent with applicable legal requirements.

10. Business Continuity

  • Automated backups: Database backups run daily with point-in-time recovery available.
  • Multi-region failover: Application deployment via Vercel provides automatic multi-region redundancy and failover.
  • Recovery objectives: We target a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 24 hours for major incidents.

11. Third-Party Risk

All subprocessors that handle Placet user data are required to maintain security certifications equivalent to or stronger than SOC 2 Type II. Third-party security posture is reviewed prior to onboarding and at least annually thereafter. A full list of subprocessors is available in our Privacy Policy.

12. HIPAA Alignment

Placet does not process Protected Health Information (PHI) and is not a HIPAA covered entity or business associate. However, we voluntarily align our security controls with the HIPAA Security Rule (45 CFR Part 164) as a baseline — including administrative, physical, and technical safeguards. This alignment reflects our commitment to healthcare-grade data protection even where not legally required.

13. Annual Review

This Security Policy is reviewed and updated at least once per calendar year, and any time a material change occurs to our infrastructure, threat landscape, or applicable legal requirements. The "Last updated" date at the top of this page reflects the most recent review.

14. Responsible Disclosure

We welcome reports from security researchers. If you discover a potential vulnerability in Placet, please disclose it responsibly:

  • Submit your findings via our contact form with subject line "Security Disclosure."
  • Include a clear description of the vulnerability, steps to reproduce, and potential impact.
  • Allow us reasonable time to investigate and remediate before public disclosure.
  • Do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the vulnerability.

We commit to acknowledging receipt within 48 hours, providing status updates, and working collaboratively toward remediation. We do not take legal action against researchers who follow these guidelines in good faith.

Contact

Security questions, incident reports, or responsible disclosure:

Placet
1207 Delaware Avenue, Suite 4211
Wilmington, DE 19806
Contact us