Security at Playcode

What we do to keep your code, your data, and your customers safe. 10 years online, 99.96% lifetime uptime, no major security incidents.

  • SOC 2: In progress · consultant engaged
  • GDPR: In progress · EU residency live
  • EU Hosting: Bare-metal · Hetzner
  • Encryption: TLS in transit · at rest
  • 99.96% Uptime: Lifetime, since 2016
  • DDoS Protection: Cloudflare edge

Compliance & certifications

SOC 2 Type II (In Progress)

We're actively pursuing SOC 2 Type II certification. Consultant engaged; gap analysis underway. Until certification completes, we can share our security overview, control mappings, and policy documents with procurement teams under NDA.

GDPR (In Progress)

EU data residency is live — your data never leaves the European Union. Data subject rights (access, portability, erasure) are honored within 30 days; most within 24 hours. Downloadable DPA template available on request. On the roadmap: a cookie consent banner and explicit opt-in flows for analytics (Google Analytics + first-party event tracking). We're being honest about the gap so procurement teams know the exact compliance state when they evaluate.

Payment compliance

All payments processed by Stripe (PCI DSS Level 1). Playcode never stores or processes card data directly — every transaction is tokenized at Stripe's vault.

AI provider compliance

Our AI providers (Anthropic, OpenAI, Google) all carry SOC 2 Type II and GDPR-compliant data-processing agreements. We do not train models on your code or content; provider terms forbid training on user-submitted data on the paid endpoints we use.

Infrastructure & hosting

Bare-metal hosting

Dedicated physical servers in EU data centers (Hetzner). No shared-cloud noisy-neighbor risks, no surprise multi-tenancy, no hidden underlying infrastructure dependencies. Predictable performance, predictable security boundary.

Global edge protection

Cloudflare on every public request — DDoS mitigation, WAF rules, bot management, global CDN. Continuously online since 2016 with no major DDoS incidents that affected service.

AWS for elastic services

S3 for asset storage, SES for transactional email, CloudFront for static distribution where edge proximity matters. All in EU regions (eu-central-1). IAM-scoped, least-privilege roles per service.

HTTPS everywhere

TLS 1.2+ on every endpoint. Automatic certificate renewal via Let's Encrypt for customer domains. HSTS enabled, secure-cookie flags, modern cipher suites only.

Access control & operations

Minimal-surface production access

A single engineer holds production database access. By design — the smallest possible human attack surface. Every other operational task runs through audited, role-scoped tooling. Most enterprise breaches start with a compromised employee account; we have exactly one.

VPN-only server entry

Servers are not reachable from the public internet. SSH access requires WireGuard VPN authentication first, plus key-based SSH login (no passwords). All access events are logged.

No third-party data sharing

Your code and project content are never sold, never shared with advertisers, never used to train external models. AI providers process inference requests under strict no-training agreements; nothing else gets your data.

Continuous monitoring

Prometheus + Grafana for infrastructure metrics, Sentry for application errors, custom uptime probes across regions. Production alerts page the engineering lead 24/7. 10 years of operational history.

Backups & recovery

Daily encrypted backups

Full database snapshots daily, retained for 30 days. WAL-G continuous archival for point-in-time recovery within the last 7 days. Backups encrypted at rest in geographically separate storage from the primary database.

Disaster recovery

Documented runbooks for full database restore, infrastructure rebuild, and DNS failover. Recovery point objective (RPO) under 5 minutes; recovery time objective (RTO) under 4 hours for full restore from cold backup.

Data residency & deletion

EU data residency

All primary data — projects, code, accounts, billing — stored in EU data centers. Backups also stored in EU. Your data never crosses the EU border in normal operations.

Right to be forgotten

Delete your account from the app at any time. All personal data is permanently removed within 30 days, with backup-rotation cleanup completing the erasure within 60 days. No retention beyond the legal minimum required for tax and financial records.

Code is yours

Every project on Playcode exports as real, runnable code (React, Vue, HTML, etc.). No vendor lock-in. You can leave with everything you built, anytime — and we'll permanently delete our copies when you do.

Project privacy

Paid plans default to private projects. Public projects (free tier) are clearly labeled. No silent data sharing between accounts.

Incident response

Suspected vulnerability? Confirmed incident? Email [email protected] with details. We acknowledge within 24 hours and triage immediately.

  • Disclosure: coordinated 90-day disclosure window for responsibly reported vulnerabilities.
  • Customer notification: impacted customers notified within 72 hours of confirmed breach (GDPR requirement).
  • Post-incident: public post-mortem after every Sev-1 incident (we've had none to date).

For procurement teams

Need our security overview, DPA template, control mappings, or a custom questionnaire response? Email [email protected] and we'll respond within one business day.

  • DPA template: Standard EU GDPR data-processing agreement
  • Security overview: PDF covering all sections of this page
  • Sub-processor list: Hetzner, AWS, Cloudflare, Stripe, AI providers
  • Questionnaire support: SIG, CAIQ, custom forms, 1-day SLA

Contact security

Vulnerability reports, security questions, procurement requests — one inbox, one-business-day response.