Security & Trust

PlanningPoker.live is an open-source, serverless app built entirely on Google Cloud. Here's how we keep your data safe.

Open Source
Firebase & Google Cloud
Marketplace Approved
GDPR Compliant

Architecture Overview

PlanningPoker.live runs on a fully serverless architecture powered by Firebase and Google Cloud. There are no custom servers, no VMs, and no SSH surface to attack. All infrastructure is managed, patched, and secured by Google.

Browser
HTTPS
Firebase HostingGlobal CDN
Cloud Functionseurope-west1
Cloud FirestoreEncrypted at rest
FrontendAngular app served via Firebase Hosting on Google's global edge network
BackendFirebase Cloud Functions (Node.js) in europe-west1 — no persistent servers
DatabaseCloud Firestore with server-side security rules enforcing per-document access control
PaymentsStripe (PCI DSS Level 1 compliant) — we never see or store credit card numbers

Marketplace Security Reviews

PlanningPoker.live is listed on four major collaboration platform marketplaces. Each platform conducts its own independent security and compliance review before approving an app for distribution.

Microsoft TeamsAppSource Verified Google MeetWorkspace Marketplace Verified ZoomZoom App Marketplace Verified WebexWebex App Hub Verified

Open-Source Codebase

The entire PlanningPoker.live codebase is public on GitHub. This includes the Angular frontend, Firebase Cloud Functions, Firestore security rules, and storage rules. Anyone can audit the code, verify our security claims, and see exactly what data we access.

We believe transparency is the strongest security signal a small app can offer. Instead of asking you to trust a black box, we invite you to read the source.

View source on GitHub

Google Cloud & Firebase Certifications

Firebase is part of Google Cloud and inherits its world-class security infrastructure. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Google manages infrastructure patching, DDoS protection, and physical data center security.

SOC 1Financial reporting controls
SOC 2Security, availability & confidentiality
SOC 3Public trust services report
ISO 27001Information security management
ISO 27017Cloud security controls
ISO 27018Cloud privacy protection

Learn more: Firebase Security & Privacy · Google Cloud Compliance

Data Handling & Storage

What we store

  • Room data: topics, votes, card sets, timer state
  • Display names chosen by participants
  • Email address (only if you create an account)
  • Organization metadata (name, member list)
  • Stripe customer reference (for premium users)

What we don't store

  • Passwords — Firebase Auth handles hashing
  • Credit card numbers — Stripe handles payments
  • Sensitive PII beyond your email address
  • Screen recordings, keystrokes, or clipboard data
  • Data from your Jira/Linear beyond synced issues
Data residencyCloud Functions and primary data processing in europe-west1 (Belgium, EU)
Data retentionRooms can be deleted by their creators. User data is deletable on request. We never sell data to third parties.
Integration tokensJira and Linear OAuth tokens are stored in Firestore and used only for issue sync. You can revoke access at any time.

Authentication & Access Control

AuthenticationFirebase Authentication with support for anonymous access, email/password, Google OAuth, and Microsoft OAuth
AuthorizationFirestore Security Rules enforce per-document access control — all rules are viewable in the repo
Room-level securityPassword-protected rooms and organization-restricted rooms for private sessions
Bot & abuse protectionreCAPTCHA v3 and Firebase App Check to prevent automated abuse and API misuse

Transport & HTTP Security

All traffic to PlanningPoker.live is served over HTTPS with modern security headers. The serverless architecture means there are no managed servers, VMs, or SSH endpoints to attack.

Strict-Transport-SecurityHSTS with preload — max-age=31536000; includeSubDomains; preload
Content-Security-PolicyRestrictive CSP limiting allowed script, style, and frame sources
X-Content-Type-Optionsnosniff — prevents MIME type sniffing
Referrer-Policystrict-origin-when-cross-origin

Monitoring & Error Tracking

SentryError monitoring and crash reporting. No PII is included in error reports.
PostHogProduct analytics for understanding usage patterns. Privacy-conscious with opt-out support.
Firebase AnalyticsAggregate usage metrics to improve the product. No individual tracking.

Security Questions?

If you have security questions, need to complete a vendor assessment, or want to report a vulnerability, reach out to us at [email protected].

You can also review our Privacy Policy and Terms & Conditions.

Planning Poker black and white logo
IntegrationsMicrosoft TeamsGoogle MeetZoom MeetingsWebex MeetingsJiraLinearSlack
ResourcesGetting StartedFAQGlossaryKnowledge baseWhat is Planning Poker?Estimation Techniques Comparison
ToolsPlanning PokerStory Point CalculatorMeeting Cost CalculatorPrintable Planning Poker Cards
PoliciesPricingTermsPrivacySecurityGithub