Data privacy
No training on your data
Documents uploaded to Plomo are not used to train foundation models. Plomo does not fine-tune model weights on customer documents. Plomo uses managed AI services to read, classify, search, summarize, and answer questions about deal documents. Those services process document content only to provide the product workflow.
Who can access uploaded documents
Documents belong to a deal. In normal product usage, a user can access a document only if they have access to the deal that owns it. Plomo enforces this in the application and in the database:
- The API checks the user’s session before serving deal data or documents
- The database enforces deal-level isolation with row-level security
- Files in object storage are private and are served through the Plomo API, not exposed as public links
Data retention
- Uploaded documents are stored as encrypted deal assets so they can be reviewed, searched, cited, and downloaded throughout the deal workspace lifecycle
- Classification results are stored with the deal, including categories, confidence signals, and supporting review data used in the product
- Production logs are configured to avoid document contents and raw customer text. Logs are limited to operational metadata such as IDs, statuses, categories, timings, and error signals
Analytics and quality signals
To improve accuracy and product quality, Plomo may collect event-level metadata, not raw document bodies. Examples include:
- A user manually reclassifies a document
- A classifier returns a low-confidence result
- A processing job completes or fails
Encryption
Per-deal encryption
Every deal is protected with its own data-encryption key. Plomo uses that key to encrypt original document blobs and sensitive deal fields before they are stored. Encrypted data includes:
- Original uploaded documents
- Deal names and document filenames
- Chat content
- Classifier reasoning and evidence spans
- Other rich customer-content fields that need to be stored
Encrypted document storage
Original uploaded documents are encrypted by Plomo before being written to object storage. The storage bucket is private, has public access prevention enabled, and is also protected by cloud storage encryption controls. This gives documents two layers of protection:
- Application encryption: Plomo encrypts the document content with the deal’s key before storage
- Cloud storage controls: the storage layer keeps the bucket private and protected by cloud IAM and key-backed storage encryption
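The per-deal data key described above, and the customer-managed wrapping key with its revocation behaviour described later under "Bring your own key", together form an envelope-encryption scheme. The Go program below is an added example written for this page; it is not Plomo's code and does not describe Plomo's actual implementation. It assumes AES-256-GCM for both layers, an in-memory KeyRing standing in for the key service that would hold the customer-managed key, and the hypothetical names NewKeyRing, Provision, Revoke, NewDeal, PutDocument and GetDocument. The org, deal and document identifiers are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyRevoked = errors.New("org wrapping key revoked or not provisioned")

func randomBytes(n int) []byte { // a failing crypto/rand is unrecoverable here
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyRing stands in for the key service holding each organization's wrapping key
// (the customer-managed key under BYOK). Plaintext deal keys are never stored in it.
type KeyRing struct{ wrap map[string][]byte }

func NewKeyRing() *KeyRing                { return &KeyRing{wrap: map[string][]byte{}} }
func (k *KeyRing) Provision(orgID string) { k.wrap[orgID] = randomBytes(32) }

// Revoke is the destructive control: with the wrapping key gone, no deal key
// wrapped under it can be unwrapped, so every record under those keys is unreadable.
func (k *KeyRing) Revoke(orgID string) { delete(k.wrap, orgID) }

// Deal is what the database persists: the wrapped data key, ciphertext blobs, and
// plaintext operational metadata (IDs, MIME type) the application still needs.
type Deal struct {
	ID, OrgID  string
	WrappedDEK []byte            // per-deal data key, encrypted under the org key
	Blobs      map[string][]byte // docID -> document ciphertext (what storage holds)
	MIME       map[string]string // docID -> MIME type, left readable for filtering
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // errors only on a bad key size
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // the AES block size is always valid for GCM
	return gcm
}

// aeadSeal encrypts with AES-256-GCM and prefixes a fresh nonce. The aad ties the
// ciphertext to its record, so a blob cannot be replayed into another deal.
func aeadSeal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// NewDeal generates the deal's data key and keeps only its wrapped form; the
// plaintext data key goes out of scope on return.
func NewDeal(kr *KeyRing, orgID, dealID string) (*Deal, error) {
	kek, ok := kr.wrap[orgID]
	if !ok {
		return nil, ErrKeyRevoked
	}
	wrapped := aeadSeal(kek, randomBytes(32), []byte("dek:"+orgID+"/"+dealID))
	return &Deal{ID: dealID, OrgID: orgID, WrappedDEK: wrapped,
		Blobs: map[string][]byte{}, MIME: map[string]string{}}, nil
}

// dataKey unwraps the deal key for one request; callers must not retain it.
func (d *Deal) dataKey(kr *KeyRing) ([]byte, error) {
	kek, ok := kr.wrap[d.OrgID]
	if !ok {
		return nil, ErrKeyRevoked
	}
	return aeadOpen(kek, d.WrappedDEK, []byte("dek:"+d.OrgID+"/"+d.ID))
}

// PutDocument encrypts a document under the deal key before it reaches storage.
func (d *Deal) PutDocument(kr *KeyRing, docID, mime string, content []byte) error {
	dek, err := d.dataKey(kr)
	if err != nil {
		return err
	}
	d.Blobs[docID] = aeadSeal(dek, content, []byte("doc:"+d.ID+"/"+docID))
	d.MIME[docID] = mime
	return nil
}

// GetDocument decrypts transiently for an authorized workflow (view, OCR, classify).
func (d *Deal) GetDocument(kr *KeyRing, docID string) ([]byte, error) {
	sealed, ok := d.Blobs[docID]
	if !ok {
		return nil, errors.New("no such document")
	}
	dek, err := d.dataKey(kr)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, sealed, []byte("doc:"+d.ID+"/"+docID))
}

func main() {
	kr := NewKeyRing()
	kr.Provision("org-1")
	deal, _ := NewDeal(kr, "org-1", "deal-42")
	_ = deal.PutDocument(kr, "doc-1", "application/pdf", []byte("constructed sample: NDA draft"))
	kr.Revoke("org-1") // the customer's cryptographic off switch
	_, err := deal.GetDocument(kr, "doc-1")
	fmt.Println("after revoke:", err, "| MIME still readable:", deal.MIME["doc-1"])
}
```

Two properties of the scheme are worth noticing. The associated data on every ciphertext names the org, deal and document it belongs to, so a blob copied into another deal's record fails authentication rather than decrypting under the wrong key. And revoking the org key leaves every ciphertext and every plaintext metadata field exactly where it was; only the unwrap step fails, which is what makes the control both immediate and destructive. In a real deployment the wrapping key would live in a KMS and `dataKey` would be a KMS unwrap call rather than a map lookup.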
Encrypted content vs operational metadata
Plomo encrypts customer content and rich semantic data. Some metadata remains available to the application so the product can work:
- Opaque IDs and foreign keys
- Organization and deal linkage
- Status fields and timestamps
- MIME type and file size
- Category and subcategory labels used for filtering and review
AI processing
Plomo decrypts document content only when it needs to process or serve an authorized workflow, such as parsing a document, running OCR, classifying it, building search, summarizing it, or answering a question about the deal. During those workflows, plaintext document content may exist transiently inside the Plomo backend and the managed OCR and AI services used by the deployment. Plomo does not keep long-lived decrypted copies of uploaded documents. Decrypted content is used for the request or background job that needs it, then discarded.
Network security
All production traffic is encrypted in transit. The dashboard and API run as separate services under dedicated service identities, and backend services use cloud IAM to reach only the infrastructure they need. An edge security layer can provide additional access controls, WAF rules, bot controls, and DDoS protection. Plomo’s core document protection comes from scoped access, database isolation, private storage, and per-deal encryption.
Tenant isolation
All customer data is isolated at the deal level.
- Deal-scoped access: users see only deals they are allowed to access
- Database-enforced isolation: row-level security blocks cross-deal reads and writes
- Private file serving: documents are downloaded through authorized API routes, not public bucket URLs
- Scoped AI processing: documents from one deal are processed in that deal’s context and are not mixed with other deals
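The first three items above describe two independent enforcement layers: the API checks the session and deal membership, and the database applies a row-level policy on every read. The Go model below is an added example written for this page, not Plomo's code. The Store type and its VisibleRows filter are an in-memory stand-in for a database row-level security policy, the API type and its session table stand in for the application layer, and the user, deal and document names are constructed. The point it makes is that a request which skips the application check still cannot see rows from another deal, because the data layer filters them independently.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrForbidden = errors.New("forbidden: no access to this deal")

// DocRow is one row of the documents table: deal linkage plus operational metadata.
type DocRow struct{ DocID, DealID, MIME string }

// Principal is the resolved session: the user and the deals they are a member of.
type Principal struct {
	UserID string
	Deals  map[string]bool
}

// Store models the database with a row-level policy applied to every read: a row
// is returned only if the principal is a member of its deal. There is no unfiltered
// read path, so a check that is missing in the API cannot widen what is visible.
type Store struct{ rows []DocRow }

func (s *Store) Insert(r DocRow) { s.rows = append(s.rows, r) }

// VisibleRows is the in-memory analogue of a row-level security policy.
func (s *Store) VisibleRows(p Principal) []DocRow {
	var out []DocRow
	for _, r := range s.rows {
		if p.Deals[r.DealID] {
			out = append(out, r)
		}
	}
	return out
}

// API is the application layer: it resolves the session, checks deal membership,
// and only then reads through the store's filtered view.
type API struct {
	sessions map[string]Principal // constructed session table: token -> principal
	store    *Store
}

func (a *API) GetDocument(token, dealID, docID string) (DocRow, error) {
	p, ok := a.sessions[token]
	if !ok {
		return DocRow{}, errors.New("unauthenticated")
	}
	if !p.Deals[dealID] { // application-level check
		return DocRow{}, ErrForbidden
	}
	for _, r := range a.store.VisibleRows(p) { // database-level filter
		if r.DealID == dealID && r.DocID == docID {
			return r, nil
		}
	}
	// Same error whether the row belongs to another deal or does not exist, so
	// the response does not reveal which.
	return DocRow{}, ErrForbidden
}

func main() {
	store := &Store{}
	store.Insert(DocRow{"doc-1", "deal-A", "application/pdf"})
	store.Insert(DocRow{"doc-2", "deal-B", "text/plain"})
	api := &API{store: store, sessions: map[string]Principal{
		"tok-alice": {"alice", map[string]bool{"deal-A": true}},
		"tok-bob":   {"bob", map[string]bool{"deal-B": true}},
	}}
	_, err := api.GetDocument("tok-bob", "deal-A", "doc-1")
	fmt.Println("bob reading deal-A:", err)
	fmt.Println("rows visible to bob even without the API check:", store.VisibleRows(api.sessions["tok-bob"]))
}
```

In a real database the VisibleRows predicate would be a policy attached to the table, evaluated by the database for every statement, with the current principal supplied through the connection's session settings. The value of the second layer is exactly that it does not depend on every API route remembering to check.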
What “only the customer can access it” means
Plomo is designed so stored documents are encrypted and product access is limited to authorized users for the relevant deal. The backend decrypts documents only for authorized product workflows: viewing, OCR, classification, search, summaries, answers, citations, and downloads. Plomo does not keep long-lived decrypted copies of uploaded documents.
Bring your own key
Enterprise customers can supply their own customer-managed key to protect their organization’s data. That customer-managed key becomes the wrapping key for new per-deal data keys in the organization. Revoking that key renders encrypted records under it unreadable by Plomo. In practice, this gives the customer a cryptographic off switch they control directly. Key revocation is a destructive control. If the key is disabled or destroyed, affected encrypted data cannot be recovered unless the key is restored according to the customer’s key-management policy.
Compliance considerations
Plomo is designed around the privacy and security requirements common in deal workflows.
GDPR
Plomo is designed with GDPR principles in mind:
- Data minimization: Plomo processes document content needed for classification, search, summarization, and deal workflows
- Access control: customer data is scoped by deal membership and database-enforced isolation
- Encryption: uploaded documents and rich content fields use per-deal encryption
- Retention control: uploaded documents remain tied to the deal workspace lifecycle
SOC 2
Plomo’s infrastructure uses SOC 2 Type II certified providers:
- Hosting provider: SOC 2 Type II certified
- Managed inference provider: SOC 2 Type II certified
- Edge security provider: SOC 2 Type II certified