Enterprise Security

Enterprise-Grade Trust.
Zero Compromise.

Built for regulated industries. Every action audited, every answer certified, every byte encrypted. The trust infrastructure your CISO demands.

6 RBAC Roles · 4 Clearance Levels · 35+ Permissions · 365+ Day Retention

Role-Based Access Control

Six roles. Two scopes.
Absolute workspace isolation.

Every user has a role at every scope. Permissions cascade from org to workspace. No lateral movement, no privilege escalation, no exceptions.

SETTINGS > ACCESS CONTROL > ROLE HIERARCHY

Org-Level Roles
OWNER: ALL PERMISSIONS
ADMIN: MANAGE ORG + USERS

Workspace-Level Roles
MANAGER: FULL WORKSPACE
SME: CERTIFY + EDIT
CONTRIBUTOR: CREATE + EDIT
VIEWER: READ ONLY

6 ROLES · 2 SCOPES · 35+ PERMISSIONS · ISOLATION

Knowledge Classification

Four clearance levels.
Query-time enforcement.

Every document gets a classification rank. At query time, users only see content matching their clearance level. Enforced in the retrieval pipeline, not the UI.

KNOWLEDGE > CLASSIFICATION LEVELS

RANK 0 · PUBLIC: Visible to all users, no restrictions
RANK 1 · INTERNAL: Org members only, standard access
RANK 2 · CONFIDENTIAL: SME + Manager clearance required
RANK 3 · RESTRICTED: Owner-only, explicit grant required

ENFORCEMENT: RETRIEVAL PIPELINE · SCOPE CLAUSE INJECTION · QUERY-TIME FILTER
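
The query-time enforcement described above, as an added sketch that is not PlugAI's code: the server appends a workspace and clearance scope clause to every retrieval query, so filtering happens before results exist rather than in the UI. The `docs` table, its column names, and the helpers `scope_clause`, `retrieve` and `sample_db` are assumptions, as is reading "matching their clearance level" as rank at or below the user's level, with RESTRICTED reachable only through an explicit per-document grant.

```python
import sqlite3

# Rank values are from the page; the schema and helpers are assumed.
RANKS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}

def scope_clause(clearance, granted_ids=()):
    """Server-side WHERE fragment plus bound parameters (hypothetical helper).

    An unknown clearance label raises KeyError, so the query fails closed.
    """
    # Rank alone never reaches RESTRICTED: that level needs an explicit grant.
    cap = min(RANKS[clearance], RANKS["CONFIDENTIAL"])
    grants = sorted(set(granted_ids))
    if not grants:
        return "cls_rank <= ?", [cap]
    marks = ",".join("?" * len(grants))
    clause = f"(cls_rank <= ? OR (cls_rank = 3 AND id IN ({marks})))"
    return clause, [cap, *grants]

def retrieve(db, workspace_id, term, clearance, granted_ids=()):
    """Run a retrieval query with workspace and clearance scope injected."""
    clause, params = scope_clause(clearance, granted_ids)
    sql = ("SELECT id, title FROM docs "
           "WHERE workspace_id = ? AND body LIKE ? AND " + clause +
           " ORDER BY id")
    return db.execute(sql, [workspace_id, f"%{term}%", *params]).fetchall()

def sample_db():
    """Constructed sample corpus: four ranks in ws-a, one document in ws-b."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, workspace_id TEXT, "
               "cls_rank INTEGER, title TEXT, body TEXT)")
    db.executemany("INSERT INTO docs VALUES (?, ?, ?, ?, ?)", [
        (1, "ws-a", 0, "Press kit", "failover overview"),
        (2, "ws-a", 1, "SRE Runbook", "database failover steps"),
        (3, "ws-a", 2, "Vendor contract", "failover SLA terms"),
        (4, "ws-a", 3, "M&A Due Diligence", "failover risk in target"),
        (5, "ws-b", 0, "Other workspace note", "failover notes"),
    ])
    return db

if __name__ == "__main__":
    db = sample_db()
    for level, grants in [("INTERNAL", ()), ("CONFIDENTIAL", (4,))]:
        print(level, grants, retrieve(db, "ws-a", "failover", level, grants))
```

Because the workspace predicate is ANDed with the clearance clause, a grant on a document in another workspace returns nothing.
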
Immutable Audit Trail

Every action. Every user.
Every IP address. Logged.

Fire-and-forget, append-only audit logging. Every knowledge access, modification, and permission change is permanently recorded with full forensic metadata.

AUDIT LOG > LIVE STREAM (LIVE)

Sundar P. published Incident Playbook v8 · ALLOWED · 10.0.1.42 · 14:23:07
Alex R. attempted to access Restricted: M&A Due Diligence · DENIED · 10.0.1.55 · 14:22:51
Priya S. certified SRE Runbook: Database Failover as SME_VERIFIED · ALLOWED · 10.0.2.18 · 14:21:33
Jordan M. queried knowledge base — 12 documents retrieved (clearance: INTERNAL) · ALLOWED · 10.0.3.91 · 14:20:15
Casey T. tried to modify role of admin@acme.com · DENIED · 10.0.1.77 · 14:19:42

IMMUTABLE · APPEND-ONLY · IP TRACKING · FIRE-AND-FORGET · 365+ DAY RETENTION · CLOUDWATCH EXPORT

Encryption & Compliance

Military-grade encryption.
Industry-standard compliance.

Every byte encrypted at rest and in transit. Built to satisfy the strictest regulatory frameworks from day one.

AES-256-GCM (ENCRYPTION)

Authenticated encryption for all data at rest. Galois/Counter Mode provides both confidentiality and integrity.

JWT Auth (AUTHENTICATION)

Stateless token-based authentication with RS256 signing. Scoped tokens with automatic expiration and refresh.

FedRAMP Ready (FEDERAL)

Architecture designed for FedRAMP authorization. Air-gapped deployment with local LLMs for classified environments.

HIPAA (HEALTHCARE)

BAA-ready infrastructure. PHI handling with encryption, access controls, and audit trails satisfying the Security Rule.

SOC 2 Type II (IN PROGRESS · Q3 2026)

Architecture is SOC 2 compliant by design. Formal audit in progress — scheduled completion Q3 2026. Bridge letter available on request.

GDPR (PRIVACY)

Full data subject rights: export, deletion, portability. Data residency controls with EU-hosted deployment options.

Data Residency & Sovereignty

Your data. Your country.
Your choice.

Global Fortune 500 organizations have data sovereignty requirements that vary by industry and geography. PlugAI is one of the few enterprise AI platforms with true multi-region data residency — not just compute routing.

🇮🇳 India · Mumbai

Default Region

AWS ap-south-1. Data never leaves Indian jurisdiction. Ideal for domestic enterprises and organizations subject to DPDP Act 2023 compliance.

🇪🇺 EU · Frankfurt

GDPR Region

AWS eu-central-1. Full GDPR compliance with EU Standard Contractual Clauses. Data processed within EU borders for European enterprises.

🇺🇸 US · Virginia

North America Region

AWS us-east-1. FedRAMP compliance pathway (Enterprise+). Preferred for North American enterprises and government-adjacent workloads.

Enterprise+ Exclusive

Zero-egress Private Deployment

For organizations that require data to never leave their own infrastructure, Enterprise+ supports full on-premise or private cloud deployment. Your PlugAI instance runs entirely within your data center — zero data transmitted to PlugAI's infrastructure.

All compute stays in your data center
Air-gapped local LLMs (no external API calls)
Custom encryption key management (BYOK)
Supports classified & FedRAMP workloads
Certification Workflow

From AI-generated
to gold-standard certified.

Every piece of knowledge progresses through a four-step certification ladder. SMEs verify, compliance officers certify, and the entire chain is immutably logged.

KNOWLEDGE > CERTIFICATION PIPELINE
STEP 1 · AI_GENERATED
Raw AI output. Not yet human-reviewed. Marked with provenance metadata.

STEP 2 · SME_VERIFIED
Domain expert has reviewed and approved accuracy and relevance.

STEP 3 · COMPLIANCE_CERTIFIED
Compliance officer validated for regulatory requirements and policy alignment.

STEP 4 · GOLD_STANDARD
Fully certified, authoritative source of truth. Prioritized in all retrieval results.

75% of knowledge base certified

IMMUTABLE LOG · CHAIN OF CUSTODY · TIMESTAMP + USER

For Security Teams

Request a Security Review

We'll send your CISO team a complete Security & Architecture Overview document — covering data flow diagrams, encryption specifications, RBAC model, audit log structure, deployment architecture, and compliance posture. Typically delivered within 2 business days.

Data flow diagram (all integration points)
Encryption key lifecycle and rotation policy
SOC 2 bridge letter (audit in progress, Q3 2026)
Penetration test summary (available on NDA)

Ready to bring enterprise-grade
trust to your AI knowledge?

Security is not a feature — it's the foundation. Let's walk through how PlugAI can satisfy your organization's compliance review from day one.
