Security at placemy.

The short version: we designed placemy so that the worst-case blast radius of a breach at HPT Limited is the leak of a licence ledger and a support history. Your cloud inventory, your resource graph, and your credentials are structurally not in the building.

Architecture

• Fat client. The scanning engine runs entirely on your machine, against your credentials. We never see the API calls it makes or the responses it receives.
• BYO state bucket. Scan history persists to a bucket in your account. We do not hold a copy.
• No telemetry. The CLI makes exactly one outbound call to us: the weekly licence validation. See the data-handling page for the full list.

Secret handling

• Licence keys are stored in Postgres in plaintext because that's the only way the validation endpoint can verify them. The database is encrypted at rest and access is restricted to the application role.
• The local licence cache on your machine is mode 0600 and lives at ~/.placemy/licence.json.
• Stripe holds payment card data. HPT never sees card numbers.
• Auth.js uses database sessions — no long-lived JWTs on the client, so a stolen session can be revoked server-side.

Infrastructure

• Hosted on Vercel (application) and Neon (Postgres), both in EU regions. TLS 1.2+ everywhere.
• Secrets are managed through Vercel's environment variable store, scoped per environment, and are never committed to git.
• Production deploys only from the main branch after CI passes.

Reporting a vulnerability

Found something? Email security@placemy.cloud. We acknowledge reports within one business day and aim to have a triage response within three. We won't take legal action against researchers acting in good faith.