ABC-Plan Security Policy

Security isn’t just a buzzword at ABC-Plan; it’s a foundational principle that guides everything we do. Your data’s safety is our top priority, and we employ a variety of industry-leading strategies to ensure it. Learn how our quality practices reinforce these security efforts.

Security Overview

ABC-Plan is built on Google Cloud Platform and follows the NIST Cybersecurity Framework, incorporating its core functions: Identify, Protect, Detect, Respond, and Recover. We employ SecOps—Security Operations—to merge security practices with IT operations, bridging the gap between development and operations teams.

Access Control

Customer Authentication

ABC-Plan utilizes Google Firebase Authentication, a secure, enterprise-grade authentication system that ensures robust protection for your user accounts.

  • Enterprise Single Sign-On: Customers can opt for Single Sign-On via SAML integration, allowing organizations to manage authentication through their existing identity providers and apply their own password policies. See our SSO Setup Guide for configuration instructions.
  • Password Strength Requirements: For standard authentication, we enforce strict password requirements. Passwords must be between 8 and 100 characters long. We use the zxcvbn password strength estimator developed by Dropbox and require passwords to achieve the maximum strength score of 4, which corresponds to protection against even sophisticated offline attacks (an estimated 10 billion or more guesses to crack). For more details on this scoring system, see the zxcvbn documentation.

Employee Authentication

Employees and contractors follow these authentication requirements:

  • Password Requirements: Passwords must be at least 12 characters with a mix of letters, numbers, and symbols.
  • Password Rotation: Passwords should be changed at a frequency reflecting the level of security needed for the system, for example every 90 days for systems that access customer data.
  • Password Storage: Passwords are stored in a secure password manager.
  • Two-Factor Authentication: 2FA is required when offered by third-party systems.

Data Protection

Encryption

ABC-Plan protects customer data using encryption provided by Google Cloud and Firebase managed services. Encryption is applied automatically and by default, without requiring application-level configuration.

  • Encryption at Rest: All data stored in Cloud Firestore is encrypted at rest. Google Cloud documentation states that Firestore "automatically encrypts all data before it is written to disk" using "AES-256 encryption".
  • Encryption in Transit: Data transmitted between clients and Google Cloud services is encrypted using Transport Layer Security (TLS). Google Cloud documentation confirms that "data is encrypted in transit using TLS".

Infrastructure and Redundancy

ABC-Plan is deployed on Google Cloud Platform. Customer data is stored in Cloud Firestore using a US multi-region configuration (nam5), providing geographic redundancy across multiple data centers. Compute services, including Cloud Functions, are deployed in the us-central1 region.

Backups and Disaster Recovery

We take nightly data snapshots to safeguard against loss and test disaster recovery quarterly.


Security Operations

Secure Development Lifecycle (DevSecOps)

Our DevSecOps program integrates security into every phase of the software development lifecycle. From initial requirements to release, we adhere to stringent security standards and employ a comprehensive set of tools and practices.

  • Requirements: Security by design. We follow the OWASP Application Security Verification Standard to ensure security considerations are integrated into project requirements.
  • Design: Our approach involves "red team" thinking, using tools such as Threat Dragon in conjunction with ChatGPT, which help us identify and address potential threats during the design phase.
  • Implementation: We conduct security code reviews to identify and mitigate vulnerabilities in the implementation phase.
  • Testing: We perform Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). Specific tools include Snyk, Semgrep, OWASP ZAP, and Sentry, all orchestrated with GitLab Security.
  • Release: We prioritize security in the release phase with practices such as credential refreshing, auditing, monitoring, and maintaining a Product Security Incident Response Team (PSIRT) with a CVSS calculator for assessing vulnerabilities.

Penetration Testing

We conduct regular internal penetration tests to identify and rectify vulnerabilities. Our systematic approach includes defining objectives, assembling teams, executing tests, and analyzing results. Executive summaries of recent penetration tests are available to prospective customers under NDA. All critical and high-severity findings are remediated within 30 days.

Logging and Monitoring

ABC-Plan maintains logging and monitoring controls to support security operations, incident detection, and operational visibility.

  • Server Logging: Backend operations are logged via Google Cloud Logging, providing centralized log management for server-side events.
  • Error Tracking: Client-side errors and exceptions are tracked via Sentry, enabling rapid identification and resolution of application issues.
  • Audit Logs: Administrative operations on Google Cloud and Firebase resources are captured via Cloud Audit Logs.
  • Retention: Logs are retained in accordance with our data retention policy, with a minimum retention period of 30 days.

Malware Protection

We employ a multi-layered malware protection approach, including automated scanning of file uploads, regular system scans, and industry-standard malware detection tools integrated with our cloud infrastructure.

Asset Management and Maintenance

  • Asset Management: We track and manage physical IT assets. Employees are required to keep operating systems and other key software versions up to date.
  • Maintenance: We perform regular maintenance of production systems and IT assets.
  • Training: All employees complete cybersecurity awareness training.

Incident Response

ABC-Plan maintains a documented incident response and notification process overseen by a designated Product Security Incident Response Team (PSIRT). The PSIRT uses a CVSS calculator for assessing vulnerability severity. This process governs the identification, containment, investigation, and remediation of security events that may affect customer data.

If an incident involves a customer's data, ABC-Plan will notify the relevant controller within 72 hours of confirming the incident, consistent with the timeline established by Article 33 of the General Data Protection Regulation (GDPR). This ensures that notifications are accurate, actionable, and sufficient to support the controller's own response and regulatory obligations.


Compliance and Governance

GDPR Compliance

We handle your data in compliance with GDPR regulations. See our Privacy Policy for details on data processing, retention, and your rights as a data subject.

AI Governance

ABC-Plan uses artificial intelligence in a limited, controlled manner to support internal engineering and security workflows, such as threat modeling, code review assistance, and test generation. AI tools are used strictly as decision-support aids. Final decisions regarding system design, security, and software releases are always made by qualified human reviewers. ABC-Plan does not deploy autonomous or customer-facing AI systems as part of its product.

AI usage is governed through internal access controls, data handling guidelines, and mandatory human review of AI-assisted outputs. Customer production data is not intentionally submitted to public AI systems for training, and sensitive data is excluded from prompts unless anonymized or replaced with synthetic data. Our AI governance approach aligns with risk-based AI governance principles reflected in the EU Artificial Intelligence Act and with governance, risk management, and change management controls commonly evaluated under SOC 2 Trust Services Criteria.

Policy Governance

This security policy is reviewed quarterly and is owned by Michael Osofsky, cofounder & CTO, who serves as our Designated Privacy Officer. Employees or contractors who violate security requirements are subject to disciplinary action, up to and including termination of employment or contract.

Last updated: January 26, 2026

Related Security Policies

ABC-Plan relies on Google Cloud and Firebase platform-level controls. Below are security policies for products and infrastructure that we rely on:


Service Level

We provide a Monthly Uptime Percentage of 99.9%. The underlying Google Cloud Platform offers uptime commitments in the same or higher range. For more information, see the Google Cloud Platform Service Level Agreements.

See our System Status Dashboard for live uptime data and recent incident reports.


Network Configuration

For customers who access ABC-Plan from networks with strict security policies, the following domains may need to be whitelisted in corporate firewalls to ensure proper functionality of the application:

Component                 Domain Pattern          Documentation
Web Application           *.firebaseapp.com       Firebase Hosting
Cloud Functions (Gen 1)   *.cloudfunctions.net    Cloud Functions
Cloud Functions (Gen 2)   *.a.run.app             Cloud Run

Contact

Questions about our security measures? Reach out to us at support@abc-plan.com.

To speak with our Designated Privacy Officer, contact Michael Osofsky at michael@abc-plan.com.