PlatoForms Trust Center

Your data is protected by enterprise-grade encryption, industry-standard compliance frameworks, and transparent privacy practices—built in from the ground up.

HIPAA Compliant | GDPR Ready | FERPA Compliant | CCPA Compliant | HECVAT Assessed | WCAG 2.1 AA | 256-bit TLS

Compliance & Certifications

Whether you're in healthcare, education, or operating globally, PlatoForms meets the compliance requirements your industry demands.

HIPAA (Active)

Safeguards for Protected Health Information (PHI) in line with the HIPAA Privacy and Security Rules. A Business Associate Agreement (BAA) is available to Silver and Gold plan subscribers handling PHI; HIPAA features apply only to accounts covered by a signed BAA.

GDPR (Active)

General Data Protection Regulation compliance for EU data subjects, including Data Processing Agreements, data portability, and right-to-erasure support.

CCPA (Active)

California Consumer Privacy Act compliance with consumer data access rights, deletion requests, and transparent data collection practices.

FERPA (Active)

Family Educational Rights and Privacy Act compliance for higher education institutions. Student Data Privacy Agreements and Education Addendums available.

HECVAT (Active)

Higher Education Community Vendor Assessment Toolkit (v4.15) completed. Full questionnaire available to institutions upon request during procurement.

APP (Australia) (Active)

Australian Privacy Principles compliance as an Australian-incorporated company, ensuring lawful handling of personal information under the Privacy Act 1988.

PIPEDA (Canada) (Active)

Personal Information Protection and Electronic Documents Act compliance for Canadian users, covering consent, data access, and breach notification obligations.

COPPA (Active)

Children's Online Privacy Protection Act awareness. PlatoForms does not knowingly collect data from children under 13 without verifiable parental consent.

StateRAMP (Active)

Security controls aligned with StateRAMP requirements for U.S. state and local government agencies, building on the certifications held by our AWS infrastructure. This is alignment with the StateRAMP control set, not a StateRAMP authorization.

WCAG 2.1 AA (Active)

Designed to conform to the Web Content Accessibility Guidelines 2.1 at Level AA. Our Voluntary Product Accessibility Template (VPAT 2.5) documents conformance per success criterion and is available for accessibility review.

Spam Protection (Active)

Built-in spam protection including reCAPTCHA integration, rate limiting, and automated abuse detection to protect form submissions.

SOC 2 Type II (Planned)

SOC 2 Type II certification is on our roadmap. Our AWS infrastructure already maintains SOC 2, ISO 27001, and FedRAMP certifications; under the AWS shared-responsibility model these attest to the infrastructure layer, not to PlatoForms' own application and operational controls.

Security Architecture

Every layer protected—from the moment data is submitted to long-term storage.

256-bit TLS 1.2+ Encryption in Transit

All data transmitted between your browser and PlatoForms is encrypted using TLS 1.2 or higher (the successor to SSL) with 256-bit cipher suites, protecting data in transit against interception and tampering.

AES-256 Encryption at Rest

All stored data is encrypted using AES-256 encryption with hardware security modules (HSM) for key management and regular key rotation.

Encrypted Form Submissions

Form data is encrypted in transit (TLS) at submission and at rest (AES-256) once stored. HIPAA-enabled accounts receive additional encryption layers for Protected Health Information.

Two-Factor Authentication (2FA)

2FA is available for all accounts, and team admins can require it for every member of their team. Role-based access controls enforce the principle of least privilege across the platform.

DDoS Protection & CDN

Cloudflare enterprise-grade DDoS mitigation and content delivery network provides high availability and protection against network-layer attacks.

24/7 Security Monitoring

Continuous automated security monitoring, intrusion detection, and real-time alerting. All access attempts are logged and auditable.

Infrastructure at a Glance

Hosted on AWS, backed by world-class infrastructure security.

AES-256 encryption at rest
TLS 1.2+ encryption in transit
24/7 security monitoring

Sub-processors

We maintain a limited set of trusted sub-processors, each bound by data protection agreements.

Provider | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, email delivery | United States / Global
Cloudflare | CDN, DDoS protection, security, analytics | Global edge network
Stripe | Payment processing (PCI DSS Level 1 certified) | United States

Documentation & Downloads

Compliance documentation, legal agreements, and security resources—all in one place.

Public Documents

Data Processing Agreement (DPA) (PDF)
HIPAA Business Associate Agreement (PDF, template)
VPAT 2.5 Accessibility Conformance Report (PDF)
FERPA Compliance Statement (PDF)
Higher Education Security Overview (PDF)

Website Policies

Privacy Policy (web page)
Terms and Conditions (web page)

Available Upon Request

The following documents are available to qualified organizations during procurement or due diligence. Contact security@platoforms.com to request access.

HECVAT 4.15 Completed Questionnaire
Student Data Privacy Agreement (SDPA)
Education Addendum (FERPA)
Penetration Test Summary
Information Security Policy Summary
Business Continuity & Disaster Recovery Plan

How We Handle Your Data

Here's exactly how we process, store, and protect your data.

Data Residency

Data is hosted on AWS infrastructure with primary operations in the United States. Standard Contractual Clauses are available for EU/EEA data subjects.

Data Retention

Retention is configurable: free and trial accounts are fixed at 3 months; premium plans choose any period from 7 days to forever. HIPAA accounts default to "Forever" to meet the 6-year minimum requirement (note that HIPAA's six-year rule at 45 CFR 164.316(b)(2) applies to required documentation; how long the PHI itself must be kept is set by state law and the covered entity's own policy, so review the default against your obligations). Data export is available at any time. Premium plans can also choose 0-day retention—data is removed from PlatoForms immediately after it has been successfully uploaded to your connected cloud drive.

See the data retention policy for full details.

Data Deletion

You can request data deletion at any time. We provide written certification of deletion upon request and obtain confirmation from all sub-processors that your data has been permanently removed.

Incident Response

Formal incident response plan with 24-hour notification for high-risk security incidents. We provide regular updates during investigation and full cooperation with regulatory breach notifications.

FAQs

  • Is PlatoForms HIPAA compliant?
    Yes. PlatoForms offers full HIPAA compliance for customers on Silver or Gold plans who sign a Business Associate Agreement (BAA). This includes encrypted form submissions, access controls, audit logging, and all required administrative, physical, and technical safeguards.
  • Can educational institutions use PlatoForms under FERPA?
    Yes. PlatoForms can operate as a "school official" under FERPA through our Student Data Privacy Agreement and Education Addendum. We restrict use of student education records to the purposes specified by the institution and never use student data for advertising or profiling.
  • Do you have a completed HECVAT?
    Yes. We have completed the HECVAT 4.15 (Full) questionnaire covering all 376 questions across security, infrastructure, accessibility, privacy, and AI categories. The completed questionnaire is available to higher education institutions upon request during procurement.
  • Where is my data stored?
    All data is hosted on Amazon Web Services (AWS) infrastructure, which maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications. Data at rest is encrypted with AES-256, and data in transit uses TLS 1.2+ encryption.
  • Does PlatoForms have SOC 2 certification?
    SOC 2 Type II certification is currently on our roadmap. Our infrastructure provider (AWS) maintains SOC 2 Type II, ISO 27001, and FedRAMP certifications. PlatoForms implements comprehensive security controls that align with SOC 2 trust service criteria.
  • How do you handle security incidents?
    We maintain a formal incident response plan. Security incidents are detected through 24/7 automated monitoring. High-risk incidents trigger notification within 24 hours. We provide full cooperation with regulatory notifications and ongoing updates throughout the investigation.
  • Can I get a Data Processing Agreement (DPA)?
    Yes. A DPA is available for all customers on Silver or higher plans. It covers GDPR, CCPA, Australian Privacy Principles, and other applicable data protection laws. You can download the template from this page or contact us for a customized agreement.
  • Is PlatoForms accessible (WCAG compliant)?
    PlatoForms is committed to WCAG 2.1 Level AA conformance. Our Voluntary Product Accessibility Template (VPAT 2.5) is available for download from this page, detailing our conformance with all applicable success criteria.

Have Security Questions?

Whether it's a compliance review, procurement process, or a specific security question—we're here to help.