Security

Plasmic takes security seriously. Our cloud infrastructure is hosted in US data centers by best-in-class cloud providers (AWS, GCP) that have round-the-clock security, fully redundant power systems, physical audit logs, etc.

If you are interested in a self-hosted version of Plasmic that you can deploy yourself, in your own VPC/VPS/Kubernetes cluster, please get in touch with our enterprise team.

Security practices

Security affects everything we do at Plasmic. We have completed our SOC 2 Type II compliance audit and we:

  • Enforce two-factor authentication.
  • Force HTTPS on all connections, so data in-transit is encrypted with TLS 1.2.
  • Encrypt all database data at-rest with AES-256.
  • Regularly conduct external penetration tests from third-party vendors.
  • Regularly conduct security awareness training sessions with all employees.
  • Have a bug bounty program, in order to work with security researchers when they identify potential security vulnerabilities.
  • Maintain detailed audit logs of internal systems.

The full SOC 2 Type II report is available for our enterprise customers.

Data storage and security (cloud hosted)

Plasmic Studio projects are stored and managed on Plasmic servers; this includes the design and “code” for your Plasmic websites and applications. It does not include the data that your projects integrate with from your own data sources (unless you are using Plasmic CMS). Plasmic CMS data is similarly stored and managed on Plasmic servers.

You can deploy your applications and websites on your own infrastructure, and Plasmic projects can be built and configured to avoid all runtime communication with Plasmic servers.

Data-fetching code components are one common way your data is retrieved for rendering Plasmic pages, and the data that passes through here does not get transmitted through Plasmic servers—communication happens directly between your backend and your component running in your application (typically in the browser and on your hosting platform).

If you use backend operations/integrations, then your externally connected data is transmitted through Plasmic servers. This helps prevent exposing the data source directly to end users, since these are typically connections to databases, private APIs, and other data sources that require credentials to access, and only certain query formulations are allowed (learn how this works). When you create a data integration, the credentials and configuration are stored encrypted on Plasmic servers. The data itself is not stored or cached on our servers.

Finally, rendered pages can be cached in the following situations:

  • If you use Plasmic Hosting, then you are choosing to publish a public website, and these rendered static pages are cached in our CDN for performance.
  • If you use the HTML REST API, then you can choose to render with data by specifying the prepass=1 query parameter, in which case you can also specify a maxAge expiry.

Reporting security bugs or concerns

Please contact Plasmic’s security team, via email at security@plasmic.app. We welcome reports from end users, security researchers, and anyone else!
