Data Privacy
No Training on Your Data
Documents uploaded to Plomo are never used to train AI models. Plomo does not fine-tune foundation models — instead, it uses proprietary prompt optimization algorithms that evolve better instructions without touching model weights. Document content never becomes part of any model. AI inference runs through an enterprise-grade managed inference provider that offers contractual data processing terms explicitly prohibiting the use of customer inputs for model training. Provider selection is covered by a data processing agreement and is kept under review as the hosting landscape evolves.Data Residency
| Component | Region |
|---|---|
| API & Dashboard | EU (Frankfurt, Germany) |
| Document Processing | EU |
| LLM Inference | Managed inference provider (see below) |
| OCR | EU |
| Edge / CDN | Cloudflare — nearest PoP |
Data Retention
- Uploaded documents are stored only for the duration of processing and active deal lifetime
- Classification results (predictions, summaries) are stored alongside the deal
- No persistent logging of document contents — logs contain only metadata (filenames, classification results, confidence scores)
- Documents can be deleted at any time through the dashboard
Analytics & Quality Signals
To improve classification accuracy over time, Plomo collects event-level metadata — not document contents. Examples of tracked signals:- A user manually reclassifies a document (indicates the prediction was wrong)
- Confidence scores are consistently low for a specific category
- Certain document types are repeatedly flagged for review
Network Security
Cloudflare Zero Trust
All production instances are protected by Cloudflare Zero Trust Access:- Every request is authenticated
- Email-based one-time code verification
- Session tokens with configurable expiry
- No VPN required — works from any network
Transport Security
| Layer | Protocol | Details |
|---|---|---|
| Client → Edge | HTTP/3 (QUIC) + TLS 1.3 | Encrypted in transit, optimized for low latency |
| API → LLM | HTTP/2 + TLS 1.3 | Authenticated provider API, mTLS |
Cloudflare WAF
Production instances are protected by Cloudflare’s Web Application Firewall:- OWASP Core Rule Set for common attack patterns
- Rate limiting on API endpoints
- Bot detection and challenge pages
- Automatic DDoS mitigation (L3/L4/L7)
AI Safety & Trust
Evidence Grounding
Every AI output is grounded in the source document. Classifications and extractions must cite the exact text they are based on. Plomo then locates the cited text in the original document — matching it to a specific page and position. If the source text cannot be found, the output is automatically flagged with low confidence.Confidence Calibration
Plomo does not rely on raw model confidence scores — LLMs consistently overreport certainty. Instead, confidence is calibrated by analyzing the distribution across the model’s top alternatives. When the margin between the top candidates is narrow, the score is penalized accordingly. This calibrated score drives triage:| Confidence | Behavior |
|---|---|
| High | Auto-accepted — no review needed |
| Medium | Surfaced for user confirmation |
| Low | Flagged and held for manual review |
Input Sanitization
User inputs are sanitized before being passed to the LLM to mitigate prompt injection risks.Tenant Isolation
All data is isolated at the deal level. There are no shared resources between deals.- Zero-default permissions — storage is isolated per deal with no access granted by default
- Deal-owner controls — the deal owner defines the permission chart: who can view, edit, or export
- Isolated AI processing — documents from one deal are never mixed with another in the pipeline
- Scoped agent context — agents maintain state within a deal so that outputs from one step (e.g., classification) can inform the next (e.g., summarization). This context is strictly scoped to the deal and never shared across tenants
Infrastructure Security
Prod Instances
- Each service runs in its own sandboxed container with no shared filesystem
- Automatic scaling with configurable concurrency limits
- No SSH access — containers are immutable and stateless
Compliance Considerations
GDPR
Plomo is designed with GDPR compliance in mind:- Data minimization — Only document content necessary for classification is processed
- Right to erasure — Documents and classifications can be deleted through the dashboard
- Data residency — Document storage, OCR, and application infrastructure are within the EU. LLM inference is routed through a managed inference provider whose routing may span multiple regions under an executed data processing agreement
- Legitimate basis — Document processing under contractual necessity for due diligence services
- Sub-processors — Hosting and inference providers (data processing agreements in place), Cloudflare (EU configuration)
SOC 2
Plomo’s infrastructure leverages SOC 2 Type II certified services:- Hosting provider — SOC 2 Type II certified
- Managed inference provider — SOC 2 Type II certified
- Cloudflare — SOC 2 Type II certified
- Access controls, audit logging, and encryption at rest are inherited from these providers