your work is yours. quietly.
plumo holds your team's work — issues, time entries, comments, plans — and we take that responsibility seriously. here's how we keep it safe and how to reach us if something's off.
the short version, honestly.
we list everything below with a status. live means it's running today. soon means actively in progress with a target. planned means committed but not started. we don't list things we haven't decided on.
encryption
data is encrypted at rest with AES-256 and in transit with TLS 1.3. per-tenant database isolation. backups are encrypted with their own rotating keys.
hosting region
aws eu-central-1 (frankfurt) by default — keeps your data inside the EU. enterprise tier can request paris (eu-west-3) or tunis-region mirrors for GDPR + MENA proximity.
backups
automated daily snapshots, 30-day retention. weekly long-term backups held for 12 months. tested restore drills run monthly — we know they work.
GDPR compliance
plumo is GDPR-compliant by design. data minimization, lawful basis documented, DPA available on request for paid tiers. you can export or delete everything with one click.
SOC 2 (type II)
SOC 2 Type II audit under way with our auditor. target completion: q3 2026. we can share the Type I report and a controls overview today on request, under NDA.
SSO & SAML
SAML 2.0 SSO with Okta, Google Workspace, Azure AD. SCIM provisioning on the enterprise tier. 2FA available on every plan. magic-link sign-in by default — passwords are optional.
data export & portability
your data is yours. one-click export to JSON or CSV — projects, issues, comments, time entries, the whole thing. if you ever leave, plumo doesn't hold it hostage.
audit logs
every meaningful action — including AI / MCP activity — is logged with actor, timestamp, and source. admins can stream logs to S3 or a SIEM on the enterprise tier.
penetration testing
annual third-party pentest by a CREST-accredited firm. summary report available on request, under NDA, for paid customers.
AI & MCP policy
your data is never used to train third-party models. MCP sessions are permission-scoped, fully logged, and require explicit consent for write actions. read more in the AI handling addendum.
ISO 27001
ISO 27001 certification is on the roadmap once SOC 2 Type II lands. internal ISMS already aligned with the standard.
incident response
24/7 on-call rotation. customer notification within 72 hours of a confirmed material incident (or sooner, when GDPR requires). post-mortems published in field notes.
the small list of people who help us run plumo.
we keep this list short. when it changes, paid customers are notified at least 30 days before any new sub-processor goes live.
found something? tell us, gently.
email security@plumo.app with a description and steps to reproduce. we'll respond within one business day. we run a quiet bug-bounty for material findings — ask for details when you reach out.