Security and compliance — PlanetScale Documentation

PlanetScale is committed to delivering a powerful and easy-to-use database platform while keeping your data secure. The security of our systems is of the utmost importance and we consistently aim to improve our security posture by building security into every layer of our products.

Compliance reporting

PlanetScale continuously monitors and reports primarily using System and Organization Controls (SOC) 2 Type 2. To receive a copy of the report please contact Support.

HIPAA

PlanetScale can enter into Business Associate Agreements (BAAs) with customers deployed on Single-tenant environments. Please reach out for more information, and we'll be in touch shortly.

The customer must determine whether they are a Covered Entity — or a Business Associate of a Covered Entity — as defined under HIPAA. If so, the customer may require a BAA with PlanetScale for the purposes of our relationship.

Responsibility around HIPAA compliance between PlanetScale and the customer is implemented using a shared responsibility model. While PlanetScale Single-tenant provides a secure and compliant infrastructure for the storage and processing of Protected Health Information (PHI), the customer is ultimately responsible for ensuring that the environment and applications that they build on top of PlanetScale are properly configured and secured according to HIPAA requirements.

The Department of Health and Human Services does not recognize any formal certification for HIPAA. PlanetScale systems, software, networks, and procedures are consistent with the controls outlined in the relevant rules.

Application security

Encryption of data

PlanetScale databases and their client communications are AES encrypted throughout the PlanetScale platform both in transit and at rest.

At rest

Data is encrypted at rest on the underlying storage media that serves database branches and also the underlying storage media that hosts your PlanetScale database backups. This helps mitigate the risk of unintentional or malicious access to user data on storage systems.

In transit

Encrypted data is transmitted to PlanetScale databases through three major paths:

The PlanetScale CLI, leverages Mutual TLS when initiating a connection to PlanetScale via shell or connect commands.
PlanetScale Connection Strings require the successful establishment of a TLS session before any SQL commands can be issued.
When using PlanetScale Connect, Mutual TLS is used to secure all data transmitted between PlanetScale and Airbyte.

Additional data protection controls

Communications to the PlanetScale API and Dashboard are encrypted using TLS 1.3. Certificates are issued by an established third party certificate authority.

Corporate security

Background checks

Background checks are performed on new team members during onboarding (within 30 days of their start date) as permitted by local law.

Security training

All team members complete security awareness training covering company security policies and procedures during onboarding (within 30 days of their hire date). Trainings are required annually thereafter for all employees.

The training material is designed to assist the employee in how to identify and respond to social engineering and other cybersecurity risks they may encounter as part of their role at PlanetScale.

Security operations

Endpoints

All company-provided devices are managed with Kandji. Device configuration is based on the Center for Internet Security (CIS) level 1 benchmark and is continuously enforced. Mobile device management deploys and enables relevant services to ensure corporate endpoints are appropriately monitored.

Detection and response

PlanetScale employs measures for both corporate endpoints and cloud instances to collect, analyze, and store events, connections, and other potentially relevant metadata in real time. Automated systems match events against internal and known bad patterns and intelligence streams.

Vulnerability disclosure

In Scope

PlanetScale is actively seeking vulnerability reports for the following components that make up the product and its Production Environment:

Dashboard and API: The website hosted at app.planetscale.com, along with the API hosted at api.planetscale.com
Database Operations: The actions taken within the product to create, branch, backup, and restore databases
Database Connectivity and Behavior: The process of provisioning a password and issuing SQL statements against a PlanetScale database
Command-line Interface: The open source command-line interface hosted at planetscale/cli

Out of scope

PlanetScale is not actively seeking the following types of reports:

Testing software output: Output generated from automated testing software like Burp Suite. These include, but aren't limited to:
- CSRF on forms that are available to anonymous users or are related to logging out
- Disclosure of known public files or directories (i.e. robots.txt)
- DNSSEC or other DNS configuration suggestions
- TLS and security header configuration suggestions
- Sender Policy Framework (SPF) configuration suggestions
- Flags on cookies that are not sensitive
Software version reports: Reports notifying PlanetScale that newer versions of software have been released

Reporting a vulnerability

If you believe you have discovered a security vulnerability in a PlanetScale product or its Production Environment, please let us know immediately. You can submit your vulnerability findings to security@planetscale.com.

If applicable, please include the following pieces of information in your report:

Steps to reproduce the vulnerability
The word "mochi" to acknowledge that you have read these guidelines
Any relevant software (including versions) used to identify the vulnerability

Need help?

Get help from the PlanetScale support team, or join our GitHub discussion board to see how others are using PlanetScale.