Security at Ploton

We take security seriously. This page describes what we do to protect your data, what's in progress, and how to report vulnerabilities.

Infrastructure

  • + Encryption in transit - all traffic is encrypted with TLS 1.2+ (TLS 1.3 preferred). We enforce HTTPS everywhere with HSTS headers.
  • + Encryption at rest - all data at rest is encrypted with AES-256. This includes task logs, OAuth tokens, and account data.
  • + Network isolation - agent execution environments are isolated from each other. No cross-tenant network access is possible.
  • + Regular patching - infrastructure dependencies are monitored for vulnerabilities and patched within published SLAs.

Authentication and access control

  • + API key authentication - all API requests require a bearer token. Keys can be rotated or revoked at any time from the dashboard.
  • + OAuth token storage - third-party OAuth tokens are encrypted at rest and scoped to the minimum permissions your agent needs. Tokens are never logged or exposed in API responses.
  • + Role-based access - team accounts support role-based access control. Enterprise plans include SSO via SAML 2.0.

Data handling

  • + Isolated execution - each agent task runs in an isolated environment. Task data from one customer cannot be accessed by another.
  • + No persistent credential storage - we do not store third-party credentials beyond encrypted OAuth tokens. API keys, passwords, and secrets provided in task payloads are used in-memory and not persisted.
  • + Log retention - task execution logs are retained for 90 days by default. You can request earlier deletion. Logs do not contain raw credential values.

Compliance

  • ~ SOC 2 Type II - certification is in progress. We expect to complete our audit in 2026. Contact us if you need a current security questionnaire or a letter from our auditor.
  • + GDPR - we comply with applicable data protection regulations including GDPR. Data processing agreements are available for enterprise customers.

Responsible disclosure

If you discover a security vulnerability in Ploton, we'd appreciate your help in disclosing it responsibly.

Please email security@ploton.ai with details of the vulnerability. Include steps to reproduce if possible.

  • We will acknowledge receipt within 48 hours
  • We will provide an initial assessment within 5 business days
  • We will not take legal action against good-faith security researchers

Questions?

For security-related questions, email security@ploton.ai. For general inquiries, reach us at hello@ploton.ai.