Security

Your data is safe with us.

Security is built into every layer of PostPlank — from the infrastructure we run on to the way we write code. Here's exactly what we do to protect you.

Encryption in transit & at rest

All data transmitted between your browser and PostPlank is encrypted via TLS 1.2+. Data at rest is encrypted using AES-256 on AWS infrastructure.

PCI-DSS compliant payments

We never see or store your card details. All payments are handled by Stripe, a PCI-DSS Level 1 certified provider — the highest available standard.

Two-factor authentication

Enable 2FA on your PostPlank account for an extra layer of login security. We support authenticator apps (TOTP) and email-based verification.

Secure cloud infrastructure

PostPlank runs on AWS with Cloudflare in front for DDoS protection, WAF filtering, and global CDN. Infrastructure is monitored 24/7 with automated alerts.

Strict access controls

Production systems are accessible only to authorised engineers with MFA enforced. Access is granted on a least-privilege basis and reviewed quarterly.

Automated backups

Your data is backed up automatically every 6 hours, with point-in-time recovery available up to 30 days. Backups are encrypted and stored in geographically separate regions.

Application Security
  • Password hashing

    All passwords are hashed with bcrypt (cost factor 12). We never store plain-text passwords and cannot retrieve them.

  • Secure session management

    Sessions use cryptographically random tokens with short expiry. Active sessions can be viewed and revoked from your account settings.

  • OWASP best practices

    Our codebase is built against the OWASP Top 10. SQL injection, XSS, CSRF, and other common vulnerabilities are mitigated by design.

  • Regular penetration testing

    We conduct internal security reviews continuously and commission third-party penetration tests annually.

Operational Security
  • Employee device security

    All team devices use full-disk encryption, screen-lock policies, and endpoint security software. Lost devices are remotely wiped.

  • Security training

    All employees complete security awareness training on hire and annually. Phishing simulation tests are run quarterly.

  • Minimal data access

    Engineers access production data only when needed for support or debugging, under a formal approval process. All access is logged.

  • Incident response plan

    We have a tested incident response playbook. In the event of a breach, affected users are notified within 72 hours as required by law.

Compliance & standards

PostPlank is built to meet and exceed industry security and privacy standards.

  • TLS 1.2+: all data in transit
  • PCI-DSS Level 1: payment security via Stripe
  • GDPR Ready: EU data subject rights
  • AES-256: encryption at rest
  • AWS ISO 27001: certified infrastructure
  • IT Act 2000: Indian data law compliance
  • 30-day Backups: point-in-time recovery
  • 24/7 Monitoring: automated anomaly detection

Responsible Disclosure Programme

Found a vulnerability? We want to hear from you — and we'll reward you for it.

Report a vulnerability: we acknowledge reports within 24 hours.

Still have security questions?

Our security team is happy to answer questions from enterprise customers, security researchers, or anyone evaluating PostPlank for their organisation.