// Trust & Security Report

    PlanetScale, Inc. logo

    PlanetScale, Inc.

    Cloud database hosting platform for MySQL/Vitess and Postgres, with a bring-your-own-cloud option (PlanetScale Managed) and a high-performance NVMe tier (PlanetScale Metal). Not an AI model vendor; occasionally used as infrastructure (incl. vector storage) behind AI applications.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1 Type 2
    HELD

    SOC 1 & SOC 2 ... PlanetScale SOC 1 Type 2 Report 2025 ... 2025 SOC 1 Type 2 & SOC 2 Type 2 reports now available ... We have also made our first SOC 1 Type 2 report available, covering the same period.

    Verify on trust.planetscale.com
    SOC 2 Type 2
    HELD

    SOC 1 Type 2 & SOC 2 Type 2+ HIPAA compliance ... PlanetScale's latest SOC 2 Type 2+ HIPAA report covering the period of June 16, 2024 to June 15, 2025 is now available to customers.

    Verify on trust.planetscale.com
    PCI DSS 4.0 (Level 1 Service Provider)
    HELD

    PCI DSS 4.0 compliance as a Level 1 Service Provider ... PlanetScale Managed has been issued an updated PCI Attestation of Compliance (AoC) and Report on Compliance (RoC), re-certifying our compliance with the PCI Data Security Standard v4.0.1 as a Level 1 Service Provider.

    Verify on trust.planetscale.com
    HIPAA
    HELD

    HIPAA Business Associate Agreements available on all plans ... SOC 2 Type 2+ HIPAA compliance ... systems, software, networks, and procedures are consistent with the controls outlined in the relevant rules.

    Verify on planetscale.com
    GDPR (posture)
    HELD

    PlanetScale complies with the EU General Data Protection Regulation (GDPR) and other global privacy regulations, where applicable.

    Verify on planetscale.com
    CCPA
    HELD

    Compliance ... CCPA COMPLIANT CCPA

    Verify on trust.planetscale.com
    > Show 4 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. PlanetScale's own Trust Center Compliance list (SOC 1 Type 2, SOC 2 Type 2, PCI-DSS 4.0, HIPAA, GDPR, CCPA) does not include ISO 27001, and the vendor's own /docs/security page confirms: 'Not mentioned: ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 42001, CCPA, FedRAMP, or CSA STAR.' Several third-party aggregator sites (not vendor-owned domains) claim PlanetScale is 'ISO 27001 compliant' and even 'FedRAMP compliant' / 'CSA STAR Level 1 compliant' -- these claims could not be corroborated on any planetscale.com or trust.planetscale.com page and are treated as unverified third-party noise, not vendor evidence.

    source: planetscale.com
    FedRAMP
    NOT CONFIRMED

    No public evidence on any planetscale.com or trust.planetscale.com page. Only unverifiable third-party aggregator claims exist; not confirmed by the vendor.

    source: trust.planetscale.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on any planetscale.com or trust.planetscale.com page. Only unverifiable third-party aggregator claims exist; not confirmed by the vendor.

    source: trust.planetscale.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence. Not an AI model vendor; no AI-governance certification found on vendor domain.

    source: planetscale.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (primary); PlanetScale Managed can be deployed into a customer-owned AWS or GCP account/region for data residency control.

    PlanetScale is a database hosting platform, not an AI model provider. Its Data Processing Addendum states PlanetScale will not 'retain, use, or disclose Customer Data for any commercial purpose... other than providing the Services,' which precludes using customer data to train models. No AI/ML training language appears in the privacy policy.

    // Security controls

    Encryption

    Data encryption utilized (listed as a Product security control on the Trust Center); remote access encrypted enforced (Infrastructure security control).

    trust.planetscale.com

    Authentication / access control

    Unique account authentication enforced; remote access MFA enforced.

    trust.planetscale.com

    Penetration testing

    Penetration testing performed; Web Application Vulnerability Assessment (March 2025) and Network Vulnerability Assessment & Penetration Testing (March 2026) reports available to customers.

    trust.planetscale.com

    SSO

    Single Sign-On (SSO) Documentation listed as an available Trust Center resource.

    trust.planetscale.com

    Business continuity

    Continuity and Disaster Recovery plans established and tested.

    trust.planetscale.com

    Subprocessors disclosure

    Published subprocessor list including AWS (data hosting), ClickHouse (data hosting/analytics), Datadog (monitoring), ClearFeed (support); customers notified of changes and can object within 5 business days per the DPA.

    trust.planetscale.com

    Cyber insurance

    Cybersecurity Insurance - Evidence of Coverage available as a Trust Center resource.

    trust.planetscale.com

    // Products & data scope

    PlanetScale for MySQL/VitessManaged cloud database (MySQL, horizontally sharded via Vitess)

    data: Customer application data (relational + optional vector data) hosted on PlanetScale-operated infrastructure (AWS/GCP).

    Original flagship product; same Trust Center certifications apply.

    PlanetScale for PostgresManaged cloud database (Postgres)

    data: Customer application data hosted on PlanetScale-operated infrastructure.

    Newer product line (GA), same compliance program as Vitess/MySQL offering per vendor statements.

    PlanetScale ManagedBring-your-own-cloud (BYOC) database deployment

    data: Customer data stays within customer's own AWS sub-account or GCP project; PlanetScale operates the control plane remotely.

    Used for stricter data-residency/compliance needs; PCI DSS scope explicitly covers this deployment mode regardless of AWS or GCP.

    // What to watch

    • Third-party sites (not vendor-owned) claim PlanetScale holds ISO 27001, FedRAMP, and CSA STAR Level 1 certifications; none of these appear on trust.planetscale.com or planetscale.com/docs/security, which explicitly enumerate only SOC 1, SOC 2, PCI DSS, HIPAA, GDPR, and CCPA. Graded held=false for all three pending direct vendor confirmation; flagged to avoid propagating an over-claim.
    • Pricing/Enterprise pages do not spell out whether SSO or BAA availability differs by plan tier; homepage states BAAs are 'available on all plans,' which we treat as authoritative.

    // At a glance

    Pricing model

    Consumption/SKU-based (cluster size, storage, backups, egress, replicas); no named Hobby/Pro/Enterprise tiers, custom quotes via sales.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on PlanetScale, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.planetscale.com

    > Browse all vendor trust reports