At PlanGrid, we understand that the confidentiality, integrity, and availability of your data are vital to your business, and we take our responsibility to protect it very seriously. Used on over 1 million projects around the world, PlanGrid helps workers build better while safeguarding their data in the cloud by implementing stringent security measures and procedures at all levels, in accordance with industry-standard security programs.

Application Security

Visibility and control of all project access

PlanGrid has implemented strict permission levels so you can control who has access to your projects. These include:

  • Collaborator:
    Collaborators cannot delete shared data. This is the least permissive role.
  • Power Collaborator:
    Power Collaborators can share markups with the team, but they cannot delete sheets or documents.
  • Administrator:
    Administrators have control over the project and settings and manage project team members.
  • Organization Administrator:
    For organization-owned projects, only the Organization Administrator has the power to delete projects, and manage project team members and subscriptions.

Industry leading encryption in transit

All data is transferred from a device to PlanGrid’s secure cloud using industry-standard 2048-bit SSL encryption.

Secure authentication

Passwords are stored and transmitted securely and hashed using a strong salt. PlanGrid's public enterprise API utilizes the industry-standard authorization protocol OAuth 2.0.

Automated vulnerability detection

All PlanGrid applications are scanned weekly for vulnerabilities, including but not limited to OWASP Top 10.

Protection against application attacks

PlanGrid uses controls and technologies to prevent attackers from exploiting application-level vulnerabilities.

Single Sign-On (SSO)

PlanGrid supports SSO based on the SAML 2.0 and OAuth 2.0 standards to give administrators the ability to enforce certain security and access requirements through their preferred identity provider, such as Microsoft’s Azure Active Directory and ADFS, Okta, OneLogin and more.

Infrastructure Security

Strict access control policies

Access to customer data internally is limited and provided only when absolutely required or requested by the customer. Code repositories are protected using multifactor authentication.

Risk mitigation

Document uploads are restricted to specific file types to prevent malicious code from being executed on clients or on our cloud hosting machines. View the full list of supported file types.

Secrets management

PlanGrid uses SaaS industry standard processes for managing and storing encryption keys.

Automated vulnerability detection

PlanGrid’s infrastructure is scanned daily for vulnerable packages.

DoS and DDoS protection

PlanGrid’s applications and infrastructure are protected against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, ensuring our high uptime.

Multifactor authentication

Access to the production environment is restricted to a few authorized PlanGrid personnel. Multifactor authentication is always required to access production systems.

Physical Security

Highly secure cloud

PlanGrid hosts data in the data centers of Amazon, which is an industry leader in secure hosting facilities management. Read more about security at Amazon.

  • Access to Amazon data centers requires multi-factor authentication, and all access is logged. Logs are routinely audited.
  • Professional security staff are present at the data centers 24/7.
  • Uninterruptible Power Supplies prevent downtime and backup generators are installed in every data center.

Available Worldwide

World-class cloud service you can count on

PlanGrid’s SLA ensures 99.5% uptime for services. Databases and infrastructure are available in multiple geographic regions in the United States, allowing resilience in the face of natural disasters or service interruptions. Read more about our disaster response plan.


Application and data portability

PlanGrid provides well documented and easily accessible interfaces to help ensure customer data is not ‘locked in’ and that the cost for moving to another cloud provider is minimal.

Third party security assessments

PlanGrid’s applications are tested using industry leading vendors.

Payment processes are PCI compliant

PlanGrid does not store PCI-related payment information. All sensitive data is stored by a PCI Service Provider Level 1 certified third party provider.

Continuous Education

All PlanGrid employees are trained on security best practices at time of hire and are re-trained annually.

Third party vendor review

Our vendors work just as hard as we do to ensure your data is safe and secure. All third party vendors are audited for compliance with PlanGrid’s security standards.

SOC 2 Type 2 and ISO 27001 compliant

To give our customers added confidence that their data is secure and private, PlanGrid maintains both SOC 2 Type 2 and ISO 27001 compliance.

Responsible Disclosure Policy

Reporting Security Vulnerabilities to PlanGrid

PlanGrid aims to keep its product and services safe for everyone. Data security and privacy are of utmost priority to PlanGrid. If you are a security researcher and have discovered a security or a privacy issue in the product or services, we appreciate your help in disclosing it to us in a responsible manner.

Our responsible disclosure process is hosted by the HackerOne bug bounty program. It is a private bounty program, so if you are not one of the invited members, please report the issue to

A report should include:

  • Description of the vulnerability

  • Steps to reproduce the reported vulnerability

  • List of URLs and affected parameters

  • Additional payloads, Proof-of-Concept code

  • Browser, OS and/or app version used during testing

  • If possible - Vulnerable requests and responses

  • Proof of exploitability (e.g. screenshot, video)

  • Attack Scenario - an example attack scenario may help demonstrate the risk and get your issue resolved faster.

Out of scope issues

  • Brute-force / Rate-limiting / Velocity throttling, and other denial of service based issues.
  • Clickjacking.
  • Cookie flags.
  • Covert Redirects.
  • Issues where the fix only requires a text change.
  • Unauthenticated/Login/Logout CSRF
  • Malicious attachments on file uploads or attachments.
  • Missing additional security controls, such as HSTS or CSP headers
  • Mobile issues that require a Rooted or Jailbroken device.
  • Password recovery policies, such as reset link expiration or password complexity
  • SPF, DKIM, DMARC issues.
  • XSS (or a behavior) where you can only attack yourself
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS