Security & Compliance You Can Trust

We practice what we preach. LowerPlane maintains enterprise-grade security and compliance certifications because we understand what it takes to get there.

🔒SOC 2 Type II Certified
🌍ISO 27001:2022 Certified
🇪🇺GDPR Compliant

Our Certifications

🔒 SOC 2 Type II

Status: Certified
Last audited: March 2025

Annual independent audit covering security, availability, processing integrity, confidentiality, and privacy controls.

Scope: Full platform including API, workers, and data layer
Auditor: Big 4 Accounting Firm
🌍 ISO 27001:2022

Status: Certified
Certified: January 2025

International standard for information security management systems (ISMS). Covers 93 security controls across 14 domains.

Scope: Complete LowerPlane platform and infrastructure
Auditor: Accredited Certification Body
🇪🇺 GDPR Compliant

Status: Compliant
Validated: Ongoing

Full compliance with EU General Data Protection Regulation including data subject rights, privacy by design, and data protection impact assessments.

Scope: All EU customer data processing
Auditor: Internal DPO + External Counsel

Security Measures

We implement defense-in-depth security controls across the application, infrastructure, and organizational layers.

🔐 Encryption Everywhere

AES-256 encryption at rest for all databases and file storage. TLS 1.3 for data in transit. End-to-end encryption for sensitive evidence files.

🔑 Access Control

Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication (MFA) required for all users. SSO via SAML 2.0.

📊 24/7 Monitoring

Real-time security monitoring with Grafana + Prometheus. Automated alerting for anomalous activities. Security incident response team on-call.

🔍 Vulnerability Management

Continuous vulnerability scanning with Snyk and Wiz. Automated dependency updates. Monthly security patches for all infrastructure.

📝 Audit Logging

Comprehensive audit trails for all data access and modifications. Immutable logs stored in AWS CloudWatch. 1-year retention minimum.

🛡️ Network Security

Web Application Firewall (WAF) with rate limiting. DDoS protection via Cloudflare. Private VPCs with security groups and NACLs.

🔒 Data Isolation

Tenant data isolation with separate schemas per customer. Encrypted backups with 30-day retention. Point-in-time recovery capabilities.

👥 Security Training

Quarterly security awareness training for all employees. Annual phishing simulations. Secure development lifecycle (SDL) training.

📋 Compliance Automation

Automated control testing with 1,200+ tests per hour. Continuous compliance monitoring. Real-time gap analysis and remediation tracking.

Data Privacy Commitment

Your data is your data. We never sell customer data, never train AI models on your evidence or policies, and never share information with third parties without your explicit consent.

  • Data Residency: choose where your data is stored (US, EU, or UK regions)
  • Right to Delete: complete data deletion within 30 days of account closure
  • Data Portability: export all your data in standard formats at any time
  • Privacy by Design: privacy controls built into every feature from day one

Data Processing

What data we collect:
  • Account information (name, email, company)
  • Compliance evidence you upload or connect via integrations
  • Usage analytics to improve the product
  • Support interactions and feedback

What we DON'T do:
  • Never sell your data to third parties
  • Never train AI models on your evidence
  • Never share data without consent
  • Never use your data for marketing to others

Data subprocessors:
  • AWS (hosting & storage)
  • Vercel (frontend hosting)
  • Redis Cloud (caching)
  • Sentry (error tracking)

Audit Reports & Documentation

SOC 2 Type II Report

NDA Required

Independent auditor report covering 12-month observation period

Report, March 2025

ISO 27001 Certificate

Certification of information security management system

Certificate, January 2025

Security Whitepaper

Detailed overview of our security architecture and controls

Whitepaper, updated quarterly

Penetration Test Results

NDA Required

Summary of findings from annual third-party penetration testing

Summary, February 2025

Business Continuity Plan

NDA Required

Disaster recovery and business continuity procedures

Document, updated annually

Data Processing Agreement

Standard DPA for GDPR compliance (can be customized)

Legal, current version

Penetration Testing

We engage third-party security firms to conduct comprehensive penetration tests annually, covering application security, infrastructure security, and cloud configuration.

Application Security
  • OWASP Top 10 testing
  • Authentication & authorization
  • API security
  • Input validation
Infrastructure Security
  • Network segmentation
  • Access controls
  • Encryption implementation
  • Cloud configuration
Compliance Testing
  • SOC 2 control validation
  • ISO 27001 technical controls
  • GDPR data protection measures

Latest Test Results

Test Date: February 2025
Testing Firm: Independent Security Firm
Critical Findings: 0
High Findings: 0
Status: All Clear

🛡️ Continuous Scanning

In addition to annual penetration tests, we run continuous vulnerability scanning on all infrastructure and dependencies. Automated security patches are applied within 24 hours of disclosure for critical vulnerabilities.

Questions About Our Security?

Our security team is here to answer your questions, provide additional documentation, or discuss custom security requirements for enterprise customers.

For general inquiries: support@lowerplane.com

For security issues: security@lowerplane.com (PGP key available)

For privacy concerns: privacy@lowerplane.com