Security & Compliance
What we ship to make your CISO sleep.
Concrete claims, not slogans. Every item below is mechanically enforced or you can verify it yourself. Spotted a gap? Email founder@pliuz.com — we will fix it.
- EU-hosted by default: Supabase Frankfurt (eu-central-1). US region planned, not default.
- Append-only events table: the cryptographic source of truth. Convenience tables are projections of it.
- SHA-256 hash chain: verifiable by you via SELECT * FROM pliuz_verify_chain().
- RLS on all 13 tables: multi-tenant isolation enforced at the database, not in the application.
- No LLMs in the critical path: policy evaluation is deterministic JSONLogic. Your payload never touches an external model.
- SDK-side redaction: pliuz.mask("iban", "last4") lands the masked value in our DB. We never see the original.
- Per-event auto_approve_source: every audit row says whether a human, a policy, or a tool flag approved the action.
- Sub-processors listed publicly: Supabase (EU), Cloudflare, Slack API, at /legal/subprocessors.
- DPA at /legal/dpa: signable. Required for any EU customer; available before contract.
- Encryption: AES-256 at rest, TLS 1.3 in transit, no exceptions.
- No training on customer payloads: no payload inspection for "product improvement". No retention beyond your configured policy.
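To make the hash-chain claim concrete, here is an added illustration of how an append-only, SHA-256-chained event table lets a customer detect altered or deleted rows. It is not pliuz's code and does not describe how pliuz_verify_chain() is implemented; the row shape, the GENESIS_HASH constant and the sample events are constructed for this example. It also shows the one caveat a verifier should know: a chain that is rewritten end to end stays self-consistent, so the latest hash should be anchored somewhere the database writer cannot change.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# Hypothetical starting value for the first row's prev_hash (not pliuz's schema).
GENESIS_HASH = "0" * 64


def canonical(payload: dict) -> bytes:
    # Deterministic serialisation so the same event always hashes the same.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def event_hash(seq: int, prev_hash: str, payload: dict) -> str:
    # Each row commits to its position, its predecessor's hash and its own content.
    h = hashlib.sha256()
    h.update(str(seq).encode())
    h.update(b"|")
    h.update(prev_hash.encode())
    h.update(b"|")
    h.update(canonical(payload))
    return h.hexdigest()


def append_event(chain: List[dict], payload: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    seq = len(chain) + 1
    row = {"seq": seq, "prev_hash": prev, "payload": payload,
           "hash": event_hash(seq, prev, payload)}
    chain.append(row)
    return row


def verify_chain(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq): the kind of result a SQL verify function would report."""
    prev = GENESIS_HASH
    expected_seq = 1
    for row in chain:
        if row["seq"] != expected_seq:      # gap or reordering: a row was removed or inserted
            return False, expected_seq
        if row["prev_hash"] != prev:        # link to predecessor broken
            return False, row["seq"]
        if event_hash(row["seq"], row["prev_hash"], row["payload"]) != row["hash"]:
            return False, row["seq"]        # content changed after the hash was written
        prev = row["hash"]
        expected_seq += 1
    return True, None


def build_sample_chain() -> List[dict]:
    # Constructed sample audit events, carrying the auto_approve_source field the page mentions.
    chain: List[dict] = []
    append_event(chain, {"action": "refund", "amount": 120, "auto_approve_source": "policy"})
    append_event(chain, {"action": "payout", "iban": "****1234", "auto_approve_source": "human"})
    append_event(chain, {"action": "export", "rows": 500, "auto_approve_source": "tool_flag"})
    return chain


def demo() -> dict:
    results = {}
    good = build_sample_chain()
    results["intact"] = verify_chain(good)

    edited = build_sample_chain()
    edited[1]["payload"]["iban"] = "****9999"   # changed after the fact, hash left untouched
    results["edited_row"] = verify_chain(edited)

    deleted = build_sample_chain()
    del deleted[1]                              # row removed; seq 3 now follows seq 1
    results["deleted_row"] = verify_chain(deleted)

    # Someone able to rewrite every later hash can make the chain self-consistent again.
    rewritten = build_sample_chain()
    rewritten[1]["payload"]["iban"] = "****9999"
    prev = GENESIS_HASH
    for row in rewritten:
        row["prev_hash"] = prev
        row["hash"] = event_hash(row["seq"], prev, row["payload"])
        prev = row["hash"]
    results["rewritten_internal"] = verify_chain(rewritten)   # chain alone reports OK
    # Comparing the head hash against a copy held outside the database still catches it.
    results["rewritten_vs_anchor"] = rewritten[-1]["hash"] == good[-1]["hash"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The intact chain verifies; an edited row and a deleted row are reported at seq 2; the fully rewritten chain passes internal verification but its head hash no longer matches the externally anchored one, which is why periodically recording the latest hash on your side is worth the small effort.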
For your CISO
DPA: signable at /legal/dpa. Available before contract — we do not gate this behind a sales call.
Sub-processors: public list at /legal/subprocessors. Currently Supabase (EU), Cloudflare, Slack API. Any addition triggers a 30-day notice to existing customers.
Pen-test access: design-partner tier gets a copy of our most recent internal pen-test report. Email founder@pliuz.com.
SOC2 Type I: in progress (target Q4 2026). Type II to follow.
EU AI Act: built to satisfy Article 12 (audit logs) and Article 14 (human oversight). Legal certification is your auditor's call, not ours.
Talk to the founder directly.
Compliance questions get a real answer in <24h. No sales gating.
Email founder@pliuz.com