Trust Center
No NDA. No sales call required. If you need our SIG-Lite, security questionnaire response, or BAA template, the request form is at the bottom of the page.
HIPAA
PlanLedger handles Protected Health Information. Every service inside the PHI boundary has a signed BAA on file or activates one before the first paying PHI customer. A repository-level lint rule blocks any code change that would route PHI to an out-of-bubble subprocessor.
All PHI encrypted in transit (TLS 1.2+) and at rest (AES-256). Per-tenant KMS keys for envelope encryption of secrets and ledger signing.
Row-level security at the database. Clerk-issued JWTs map to per-tenant Postgres roles. Service-role access logged to phi_access_log on every read/write.
Every PHI access — actor, tenant, purpose, correlation ID — appended to phi_access_log. Logs retained 7 years, KMS-encrypted, immutable in CloudWatch.
Continuous Postgres point-in-time recovery (35 days). S3 versioning with Object Lock (Compliance mode) on ledger artifacts. Quarterly DR drills.
Dependabot + Snyk on every commit. Critical CVEs patched within 24h, high within 7 days. Annual third-party penetration test starting at year one.
All workforce members complete HIPAA Privacy & Security training before access and are background-checked. Access follows the principle of least privilege, with quarterly reviews.
No-scrape attestation
PBM plan-sponsor portal Terms of Service prohibit automated access. Tools that ‘scrape’ PBM portals on a plan sponsor's behalf put the plan sponsor's contract at risk. PlanLedger never does this and never will.
Tamper-evident ledger
The PlanLedger fiduciary ledger is per-tenant, append-only, hash-chained, and KMS-signed. Each Fiduciary Package PDF includes the cryptographic excerpt and the openssl recipe to verify it independently.
Verification recipe (sample)
# Verify a Fiduciary Package excerpt
$ openssl dgst -sha256 -verify planledger-public.pem \
    -signature excerpt.sig excerpt.json
Verified OK
Public verification key
Our current ledger-signing public key is published at planledger.io/.well-known/ledger-pubkey.pem and rotated annually. Old keys remain published indefinitely so historical packages stay verifiable.
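The signature check covers the excerpt file as a whole; the hash chain is what lets a reviewer confirm that no entry inside it was altered, dropped or reordered. The sketch below is an added example, not PlanLedger's code or excerpt format: the field names (`seq`, `prev_hash`, `payload`, `entry_hash`), the all-zero genesis value and the canonical JSON encoding are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first entry in a chain


def entry_hash(seq, prev_hash, payload):
    """SHA-256 over a canonical JSON encoding of the entry's chained fields."""
    body = json.dumps({"seq": seq, "prev_hash": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(payloads, start_seq=0, prev_hash=GENESIS):
    """Construct sample entries; stands in for the ledger writer."""
    chain = []
    for i, payload in enumerate(payloads):
        h = entry_hash(start_seq + i, prev_hash, payload)
        chain.append({"seq": start_seq + i, "prev_hash": prev_hash,
                      "payload": payload, "entry_hash": h})
        prev_hash = h
    return chain


def verify_chain(entries, anchor=GENESIS):
    """Return (ok, reason). `anchor` is the hash the first entry must link to."""
    prev, expected_seq = anchor, None
    for e in entries:
        if expected_seq is not None and e["seq"] != expected_seq:
            return False, f"gap or reorder at seq {e['seq']}"
        if e["prev_hash"] != prev:
            return False, f"broken link at seq {e['seq']}"
        if entry_hash(e["seq"], e["prev_hash"], e["payload"]) != e["entry_hash"]:
            return False, f"content mismatch at seq {e['seq']}"
        prev, expected_seq = e["entry_hash"], e["seq"] + 1
    return True, "chain intact"


# Constructed sample data, not real ledger content.
SAMPLE = build_chain([{"event": "claim_reviewed"}, {"event": "dispute_filed"},
                      {"event": "letter_sent"}])

if __name__ == "__main__":
    print(verify_chain(SAMPLE))
    tampered = json.loads(json.dumps(SAMPLE))
    tampered[1]["payload"]["event"] = "dispute_withdrawn"
    print(verify_chain(tampered))
```

A chain check alone cannot detect a consistent rewrite of every entry from some point onward, so it complements the signature check above rather than replacing it.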
Subprocessor index
| Subprocessor | Purpose | BAA status |
|---|---|---|
| AWS (Bedrock, S3, Lambda, KMS, SES, Object Lock, Transfer Family) | PHI compute, storage, AI inference, signing, email, SFTP | Signed |
| Supabase (Postgres, Storage, RLS) | Application database & object storage | Team plan + HIPAA add-on (active before first PHI customer) |
| Clerk | Authentication & identity | HIPAA add-on (active before first PHI customer) |
| Phaxio | HIPAA-compliant fax for dispute filings on consent | Signed |
| PostGrid | USPS Certified Mail for escalation letters on consent | Signed |
| Resend | Marketing / lifecycle email (no PHI) | BAA add-on for any PHI-adjacent flows; non-PHI by default |
| Stripe (incl. Stripe Connect) | Subscription billing & broker payouts | Not required — no PHI |
| PostHog | Product analytics, server-side events only | Not required — PHI-boundary CI lint enforces no PHI |
| Sentry | Error tracking with strict beforeSend PHI scrub | BAA add-on active when PHI tenants enabled |
| Vercel | Marketing site hosting (no PHI). App on Vercel Pro HIPAA before first PHI tenant. | Vercel Pro HIPAA |
We notify customers via email at least 30 days before adding a new subprocessor that will process PHI.
SOC 2 status
Live status, audit firm, and report request form are listed below. Customers under NDA can request the in-progress letter at any time.
| Framework | Status | Target |
|---|---|---|
| SOC 2 Type I | In progress | 2026 Q3 |
| SOC 2 Type II | Planned | 2027 Q2 |
| HITRUST e1 | Under evaluation | Post-Type II |
Security contact
Vulnerability reports, security questionnaires, BAA requests, and incident notifications all route to the same address. We respond within one business day.
security@planledger.io
PGP fingerprint published at /.well-known/security.txt