Microsoft Project Online retires September 30, 2026, migrate to a modern platform before it's too late.Start migration

Security at Onplana

Your project data is critical. We protect it with enterprise-grade security, encryption, access controls, audit logging, and data isolation, so you can focus on delivering projects, not worrying about breaches.

Security pillars

Security is built into every layer of the Onplana platform, from authentication to infrastructure.

Encryption everywhere

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • HTTPS enforced on all endpoints
  • Database connections encrypted via SSL

Authentication & access

  • Two-factor auth (TOTP + 10 single-use backup codes)
  • Tenant-level 2FA reset (org OWNER/ADMIN, with privilege guards)
  • SSO via SAML 2.0 and OIDC (Enterprise) with verified-domain gate
  • SCIM 2.0 with per-tenant deactivation and audited mutations
  • Brute-force lockout (Redis-backed, Postgres fallback)
  • Single-use exchange codes, no JWT-in-URL handoff
  • Token versioning + logout-all
  • IP allowlisting (Enterprise)

Audit & compliance

  • Append-only AuditLog with structured before→after diffs
  • Six retention presets, STANDARD / GDPR / HIPAA / FINRA / SOC 2 / CUSTOM
  • Strictest-wins retention across multi-org users
  • Security event feed (logins, password changes, 2FA, SCIM)
  • CSV / JSON audit export with filters and time ranges
  • Compliance score dashboard (2FA, PAT scoping, retention, IP)
  • Change control boards for governed projects

Infrastructure

  • Hosted on SOC 2 compliant cloud providers
  • Isolated tenant data with row-level security
  • Automated backups with point-in-time recovery
  • DDoS protection and rate limiting
  • Regular vulnerability scanning and patching

Data protection

  • Multi-tenant isolation, organizations never see each other's data
  • Soft-delete with Recycle Bin (30-day recovery)
  • Data residency controls (Enterprise)
  • Your data is never used to train AI models
  • Data export available at any time (no lock-in)

Organizational controls

  • 5 default roles + custom roles (Business+)
  • 26 granular permission keys (org + project)
  • OWNER-only permission matrix edit (escalation block)
  • Last-OWNER guardrail, can't demote the only OWNER
  • ADMIN cannot reset OWNER 2FA (privilege isolation)
  • Guest seat management with plan-tier limits
  • Access Review with 2FA status, last login, dormant flag

Production hardening

  • Boot-guard refuses to start on missing / mis-shaped secrets
  • Single-purpose JWT secrets (auth, SSO state, billing, schedule)
  • Helmet headers (HSTS, CSP, X-Frame-Options, COOP/CORP)
  • Per-route rate limits (auth, OAuth, AI, SCIM per-tenant)
  • Webhook HMAC-SHA256 + SSRF protection
  • Build-SHA verification at deploy time (no silent revision lag)

Enterprise security features

Enterprise and Enterprise Plus plans include additional security capabilities for organizations with strict compliance requirements:

SSO (SAML 2.0 & OIDC)
SCIM user provisioning
IP allowlisting
Data residency controls
Audit log export
Customer-managed keys (E+)
Session timeout policies
2FA enforcement (org-wide)

Setup guides for Microsoft Entra: Configure SAML SSO · Configure SCIM provisioning. Equivalent setup is available against Okta, OneLogin, JumpCloud, Ping, and any RFC 7644 / SAML 2.0 IdP.

OAuth credentials and third-party tokens

All OAuth access tokens and refresh tokens (for Google, Microsoft, Box, Dropbox, and any other integrated provider) are encrypted at rest using AES-256-GCM before being written to our database. Encryption keys are managed in Azure Key Vault and never stored alongside the encrypted data. When you disconnect an integration, Onplana immediately revokes the tokens at the provider (where the provider supports per-token revocation) and soft-deletes the connection record, which is then purged after 30 days.

Our security practices

Secure development

Code reviews, dependency scanning, and security-focused testing are part of every release cycle.

Incident response

Documented incident response procedures with defined severity levels and escalation paths.

Penetration testing

Regular third-party penetration testing to identify and address vulnerabilities.

Dependency management

Automated monitoring for known vulnerabilities in third-party dependencies.

Access minimization

Internal access to production systems follows the principle of least privilege with MFA required.

Data handling

Strict policies for data access, retention, and deletion. No customer data on developer machines.

Responsible disclosure

If you discover a security vulnerability in Onplana, please report it responsibly. We appreciate your help in keeping our platform and users safe.

support@onplana.com

Questions about security?

We're happy to answer security questionnaires, provide documentation, or discuss your specific compliance requirements.

For a feature-by-feature inventory, read our Security & Compliance Overview - the same document we send to vendor-review teams.

Contact us Privacy policy

We use strictly-necessary cookies to operate this site (sign-in, anti-spam). With your consent, we also use Google Analytics 4 (anonymized IP) to understand which pages are useful. No ad tracking. See our Cookie Policy and Privacy Policy.