Security by default.
How we protect your data, your code and your customers. Certifications, practices, subprocessors and contacts in one place.
Audited, attested, accountable.
Plutobee operates under industry-standard security frameworks. Reports available under NDA.
SOC 2 Type II
Annual audit covering security, availability, confidentiality and processing integrity.
ISO 27001
Information security management system, certified annually by an accredited body.
GDPR & CCPA
Standard contractual clauses, data subject rights tooling, regional data residency on request.
HIPAA-ready
For healthcare engagements we sign BAAs and operate in HIPAA-aligned environments.
PCI DSS
For payment-handling features, we follow PCI DSS scope reduction patterns and partner with Stripe.
Bug Bounty
Coordinated disclosure program with rewards from $250 to $25,000. Email security@plutobee.com.
Security built into how we ship.
- Threat modeling on day one. Every engagement begins with a STRIDE-style threat model and trust-boundary map.
- Least-privilege access. Production access via just-in-time grants with full audit trail.
- Encryption everywhere. TLS 1.3 in transit, AES-256 at rest, customer-managed keys on request.
- SSO & MFA mandatory. For Plutobee staff and any production system we operate.
- Continuous scanning. SAST, DAST, SCA and IaC scanning gates in CI; weekly external scans.
- Annual penetration test. By an independent CREST-certified vendor; summary report available under NDA.
Who else touches your data.
Current subprocessors used to operate the Plutobee Services. We notify customers 30 days before adding a new subprocessor.
See something? Tell us.
If you believe you've found a security issue, please email security@plutobee.com with a description and steps to reproduce. Our PGP key is available on request.
We commit to an initial acknowledgement within 24 hours and a triage within 72 hours. Bounty rewards range from $250 to $25,000 depending on severity.