Plasmic takes security seriously. Our cloud infrastructure is hosted in US data centers that are SOC 1, SOC 2, and ISO 27001 certified. Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication, and physical audit logs.

If you are interested in a Self-hosted version of Plasmic that you can deploy yourself, in your own VPC/VPS/Kubernetes cluster, please get in touch with our enterprise team.

Security practices

Security affects everything we do at Plasmic. We have completed our SOC 2 Type 2 compliance audit and we:

  • Force HTTPS on all connections, so data in-transit is encrypted with TLS 1.2.
  • Encrypt all database data at-rest with AES-256.
  • Host all servers in the US, in data centers that are SOC 1, SOC 2 and ISO 27001 certified. Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication and physical audit logs.
  • Regularly conduct external penetration tests from third-party vendors.
  • Regularly conduct security awareness training sessions with all employees.
  • Have a bug bounty program, in order to work with security researchers when they identify potential security vulnerabilities.
  • Maintain detailed audit logs of internal systems.

Data storage and security (cloud hosted)

Plasmic projects are stored and managed on Plasmic servers, includes the design and “code” for your Plasmic websites and applications. It does not include the data that your projects integrate with from your own data sources.

You can deploy your applications and websites on your own infrastructure, and Plasmic projects can be built and configured to avoid all runtime communication with Plasmic servers.

Data-fetching code components are one common way your data is retrieved for rendering Plasmic pages, and the data that passes through here does not get transmitted through Plasmic servers—communication happens directly between your backend and your component running in your application (typically in the browser and on your hosting platform).

If you use backend operations/integrations, then your externally connected data are transmitted through Plasmic servers—this helps prevent exposing the data source directly to end-users, since these are typically connections to databases, private APIs, and other data sources that require credentials to access, with only certain query formulations allowed (learn how this works). When you create a data integration, the credentials and configuration are stored encrypted in Plasmic servers. The data is not stored or cached on our servers.

An on-premise offering of backend operations/integrations is available. This is a standalone Docker container that does not require you to host and run all of Plamsic Studio on-premise.

Only finally rendered pages can be cached in the following situations:

  • If you use Plasmic Hosting, then you are choosing to publish a public website, and these rendered static pages are cached in our CDN for performance.
  • If you use the HTML REST API, then you can choose to render with data by specifying the prepass=1 query parameter, in which case you can also specify a maxAge expiry.

Provisioned data sources

For provisioned databases hosted on Plasmic, such as Plasmic CMS or Plasmic Database, we store data in a Postgres cluster managed by our cloud provider.

  • The cluster is accessible by only our servers using the same stringent security applied to our external database connections.
  • End-user data may be colocated on a single Postgres instance—reach out if you are interested in having a dedicated Postgres instance.

Reporting security bugs or concerns

Please contact Plasmic’s security team, via email at We welcome reports from end users, security researchers, and anyone else!

Was this page helpful?

Have feedback on this page? Let us know on our forum.