Security & privacy

Your data, your perimeter, your audit trail.

ORCA runs inside your cloud tenant — or ours, if you pick the hosted tier. Either way: no data shared, zero retention after matter close, never used for model training.

Trust model

We do three things, and only three things.

A short trust statement up front, because everything else on this page is detail under it.

1 · Software, not data.

PlumGen ships ORCA as software you deploy into your cloud. The software runs on your infrastructure, against your data. We are not a data processor in the self-host model.

2 · Hosted, with hard boundaries.

If you pick Solo or Org, we host on your behalf in a tenant you can audit. Your matter is logically isolated; no shared storage, no shared compute. Region of your choice.

3 · Never used to train.

Customer corpus, custodian data, work product — never used to train models, fine-tune embeddings, or improve PlumGen products. Written commitment, not just an FAQ entry.

Where your data lives

Pick the tenancy that matches your matter's risk profile.

Hosted

PlumGen tenant (Solo / Org)

  • Dedicated tenancy per matter (Solo) or per organization (Org)
  • Per-matter database schema, per-org encryption key, per-tenant object storage
  • Region of your choice (US, EU, UK, AU, CA; others on request)
  • BAA available (Org tier); DPA available on all hosted tiers

Try

Anonymous demo

  • Public corpus only — no PII, no customer data, no upload
  • Throwaway session credentials
  • No persistence between sessions

Network

Private by default. No public database, no public registry, no public storage.

Inbound through a WAF and TLS. Egress through a deny-all firewall with an explicit allowlist. Internal services reachable only via private endpoints.

Inbound

  • TLS 1.2+ only (1.3 preferred), strict HSTS
  • Web Application Firewall in front of ingress
  • IP allowlist per deployment
  • Optional VPN gateway (SSO required)

Egress

  • All workload egress through a managed firewall
  • Deny-all default with explicit FQDN allowlist
  • No untracked outbound calls
  • DNS forced through firewall (no DoH leakage)

Internal

  • Separate network security groups per subnet
  • Database on delegated subnet, no public endpoint
  • Registry, storage, secrets — private endpoints only
  • Flow logs enabled by default

Identity

Federated identity, role-based access, no service-account passwords.

End-user authentication

  • OIDC SSO via your enterprise identity provider (Microsoft, Google, Okta, others)
  • Email-claim mapping configurable; group-based role assignment
  • MFA enforced via your IdP — ORCA respects your conditional-access policies
  • Session timeouts, IP-bound sessions, device-trust hooks

Service-to-service

  • Workload identities for all internal service auth
  • No long-lived service-account keys checked into config
  • KMS-protected secrets in a managed secrets store
  • Audit log of every secret access

Roles in-product

  • Matter Lead: Full control + audit-trail visibility
  • Reviewer: Coding only; redaction-aware viewer
  • Auditor: Read-only + audit-export rights
  • Admin: IAM + billing; no document access
  • Custom: SCIM-defined (Org tier)

Encryption

At rest, in transit, in motion between services.

| Layer | What | How |
|---|---|---|
| At rest — storage | Document objects, exports, backups | AES-256, platform-managed key by default; customer-managed keys (CMK) on request |
| At rest — database | Relational store | Transparent data encryption + CMK option |
| At rest — search index | Vector index, BM25 shards | AES-256 with KMS-rotated keys |
| In transit — external | Customer ↔ ORCA | TLS 1.2+ (1.3 preferred), HSTS, strict cipher suites |
| In transit — internal | Service ↔ service | mTLS via service mesh |
| Key custody | Master keys | Customer-managed KMS; PlumGen never exports your keys |

Audit

Every action, logged, hashed, and exportable.

Product-level audit

  • Every classification, certification check, reviewer coding, and admin action emits an immutable audit event
  • Events chained with cryptographic hashes — tampering is detectable
  • TAR Disclosure Package exports the full chain at production time
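
A sketch of how an exported hash-chained audit log can be checked for tampering. This is an added example, not PlumGen's code or ORCA's export format: the record layout, field names, genesis value, and sample events are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first event (not ORCA's format)

# Constructed sample events; field names are hypothetical.
SAMPLE_EVENTS = [
    {"seq": 1, "actor": "reviewer-a", "action": "code_document", "doc": "DOC-0001"},
    {"seq": 2, "actor": "lead-b", "action": "certify_batch", "doc": "BATCH-07"},
    {"seq": 3, "actor": "admin-c", "action": "assign_role", "doc": ""},
]


def event_hash(prev_hash, event):
    """SHA-256 over the previous hash plus the canonical JSON of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_chain(events):
    """Link each event to its predecessor by embedding the previous hash."""
    chain, prev = [], GENESIS
    for ev in events:
        digest = event_hash(prev, ev)
        chain.append({"event": ev, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, expected_head=None):
    """Return None if intact, else the index of the first failing record.

    Without expected_head (the last hash, recorded out of band), a chain
    that was truncated or recomputed end to end still verifies; with it,
    both cases are reported as index len(chain).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or event_hash(prev, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print(verify_chain(chain, expected_head=chain[-1]["hash"]))
```

The chain by itself only proves internal consistency, so the verifier should compare the final hash against a copy held outside the system that produced the log.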

Infrastructure-level logs

  • Cloud activity logs archived to immutable object storage
  • Workload telemetry (containers, pods, requests)
  • Database audit logs (read + write events)
  • Network flow logs
  • Default retention: 180 days (configurable)

Active alerts

  • Failed authentication bursts
  • Privileged-role assignments
  • Outbound traffic anomalies
  • Database CPU / memory / I/O / storage thresholds
  • Object storage health
  • Webhook integration to your SIEM

Lifecycle

Data arrives, is processed, leaves on schedule.

1 · Ingest

Defensible chain

Chain-of-custody from source. SHA-256 hash per document on receipt; manifest cryptographically signed. Pipeline runs in-VPC; no third-party processing.

2 · Active

Reviewed

Accessible only to authorized reviewers per IAM. Privileged documents flagged; clawback-ready under FRE 502(d). All access logged.

3 · Closure

Verified, then deleted

Configurable retention per matter — default 30 days post-close for export verification, then cryptographic deletion. Keys destroyed.

4 · Residency

Where you chose

Self-host: wherever you provisioned. Hosted: your selected region; no cross-region replication without explicit consent. BAA / DPA / SCC available.

Compliance

Audited where it matters, monitored where it matters more.

All compliance frameworks below are on the active roadmap. The underlying architectural and audit controls (encryption, IAM, logging, vendor reviews, written policies) are in place today and continuously monitored.

| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | Roadmap · Q3 2026 | In audit. Continuous-monitoring controls live; full control inventory available under NDA. |
| HIPAA | Roadmap | BAA in preparation. Encryption + audit controls aligned with HIPAA Security Rule. |
| GDPR / UK GDPR | Roadmap | DPA + SCC clauses in preparation. Privacy by design; DSAR workflow on the build plan. |
| CCPA / CPRA | Roadmap | "Do not sell" non-applicable — we never sell or share customer data. |
| ISO 27001 | Roadmap | Gap assessment scheduled after SOC 2 close. |
| FedRAMP | Roadmap | Self-host air-gap mode supports many of the controls; full ATO is a multi-year program. |

Continuously monitored controls (sample)

  • Asset inventory tagged for resources containing user data
  • Cloud activity logs archived to immutable storage
  • Subnet and virtual-network flow logs enabled
  • Database CPU, memory, I/O, and storage monitored
  • Object storage health monitored
  • Log alerts active for security events
  • Vendor security reviews completed; risk levels assigned
  • Authentication methods documented for all vendors

Policies in force

Access Control
Asset Management
BC / DR
Code of Conduct
Cryptography
Incident Response
Vendor Management
Data Classification

Policies available under NDA as part of the security packet.

Limits

What we don't do.

  • Train on your data. Not ours, not anyone else's. Not for embeddings, not for fine-tuning, not for benchmarking.
  • Share data with outside subprocessors. Hosted-tier subprocessors are limited to the underlying cloud infrastructure provider and the auditors named in your DPA.
  • Retain data after matter close. Default 30-day verification window, then cryptographic deletion. Deletion certificate provided.
  • Read your data. PlumGen staff have no production access to customer matters except via documented, audited break-glass procedures with customer approval.
  • Use AI you can't trace. Every model decision is logged with version, training-data lineage, and reproducibility hash.

Get the full security packet.

Architecture diagrams, control inventory, policy stack, sample audit logs, SOC 2 readiness letter, and BAA / DPA templates. Available under mutual NDA.
