Plain · honest security

How we treat your data.

No platitudes. Three lists: what we do now / what's still coming / what we'll never do. Until we're large enough for full compliance audits, this page is the commitment.

What we do now

Today

  • Data lives in Neon Postgres

    Plain stores data in Neon Postgres (US-east), with Cloudflare R2 for images/assets. Export anytime to .pptx / .docx / .xlsx, or share as a link (the primary artifact). Account deletion = takeout + erase.

  • All traffic over TLS

    Web / CLI / MCP all over HTTPS. When LLM calls flow through our gateway, we don't log prompt content — only usage metadata for billing (token counts, durations).

  • Magic-link sign-in, no passwords

    Better Auth + Resend. Links expire in 5 minutes, single-use only. OAuth via Google, session rolls every 7 days.

  • Your content never trains a model

    We don't feed your documents to any LLM for training. LLM calls are one-shot request-response — prompt + completion never leave the session.

  • Gateway-only LLM access

    All AI calls go through Plain's gateway. We don't store prompt content; only usage metadata for billing (tokens / duration). No BYOK — keeps the security model simple and auditable.

On the roadmap

Not yet, but coming

  • SOC 2 Type II

    Audit materials in preparation. Targeting a Type II report before end of 2026. Customers who need SOC 2 to sign can email hi@inplain.app for an early vendor security questionnaire.

  • SSO / SAML

    Team plan ships SAML SSO + SCIM provisioning in 2026 Q4. Google Workspace OAuth works today as a stand-in.

  • Regional deployments

    Primary region is US-east today. EU / APAC regional storage is on the roadmap — ping us if you need it.

Never will

We will never

  • Sell your data

    Never. We earn from token billing, not data brokerage. Written into the terms.

  • Use your content for training

    Never. Even if an LLM vendor offers "opt-in training for a discount," we disqualify them in vendor selection.

  • Charge you to export

    .pptx / .docx / .xlsx / .pdf / Markdown source — always free. We sell AI compute, not data walls.

Found a security issue?

Email security@inplain.app. 24-hour reply, responsible disclosure 90 days. For non-urgent privacy concerns, hi@inplain.app.

Last updated · 2026-05 · this page tracks reality, not compliance theater