Security & Compliance

Your data.
Your compliance.
Your control.

PLRX is built for the regulatory environments where the cost of a security failure is not a fine — it is a patient, a claim, or a loan. Every architectural decision reflects that.

Live compliance monitoring
trust.plrx.ai
Active control monitoring, certification roadmap, and compliance evidence — updated in real time via Drata.

We do not use your data to train AI models. Ever.

Your operational data — PHI, documents, mission records, workflow configurations — is used exclusively to run your missions. It is never used to train, fine-tune, or improve any AI model. Your data stays yours. This is not a setting. It is not an opt-out. It is the only mode PLRX operates in.

3rd-party audit on a published timeline.

No vague commitments. A specific audit roadmap with specific dates — visible, tracked, and monitored live at trust.plrx.ai from day one.

July 2026 (In Progress)
  • SOC 2 Type 1

    Point-in-time attestation of security, availability, and confidentiality controls across the PLRX Agentic Execution Platform.

  • NIST AI Risk Management Framework (Completed)

    Documented self-assessment against the NIST AI RMF 1.0 — governing, mapping, measuring, and managing AI risk across the platform.

October 2026 (Planned)
  • HIPAA

    Third-party HIPAA compliance assessment covering all administrative, physical, and technical safeguards. BAA available now — contact [email protected].

  • SOC 2 Type 2

    Period-of-time attestation covering a minimum six-month audit window. Observation period begins immediately following Type 1 award.

  • HITRUST i1

    Healthcare-specific security framework certification covering HIPAA, NIST, and additional healthcare regulatory requirements. The gold standard for health system and payer procurement.

Current compliance status and control evidence available at trust.plrx.ai

Built for regulatory examination from day one.

Every architectural decision was made knowing that PLRX operates in healthcare and financial services — where a security review is not a procurement step, it is a regulatory requirement.

▸ Tenant Isolation

Dedicated environment per customer

Each customer runs in a dedicated Kubernetes environment with no shared runtime and no shared data plane. Cross-tenant access is structurally impossible — not prohibited by policy, impossible by architecture. Your environment is yours alone.

▸ Audit Trail

WORM audit logs — 100% of AI decisions

Every AI prompt, model response, agent decision, workflow state transition, and tool call is captured in append-only, object-locked storage that cannot be modified or deleted. This is not a logging feature — it is what enables your own regulatory examination readiness. Every AI action is traceable, attributable, and permanent.

▸ Encryption

AES-256-GCM — in transit and at rest

All event payloads are encrypted in transit using AES-256-GCM. PHI is encrypted at the database level using AES-256-GCM at rest. Sensitive fields are masked before any logging occurs, so PHI never appears in audit records in plaintext.

▸ Authentication

OAuth2 — every action attributed

Every API call is authenticated via OAuth2 bearer tokens. Every action is attributed to an authenticated identity. There are no anonymous operations in PLRX. Every step of every mission has a complete chain of custody from initiation to settlement.

▸ Secrets

No credentials in code — ever

All credentials, API keys, and connection strings are stored in a secure vault and injected at runtime. Startup validation refuses to start if required configuration is missing. There are no silent misconfigurations and no credentials committed to source control.

▸ Protocols

Open standards — no proprietary black boxes

A2A and MCP are published open standards with public specifications. Any technical evaluator can read exactly how agent coordination and AI client integration work. No proprietary protocols that obscure how the system behaves — full transparency for your IT review.

Your data. Your decisions.

PLRX operates on data that includes protected health information, financial records, and commercially sensitive operational data. Our data access policy is not a terms-of-service clause — it is an architectural commitment.

No PLRX engineer accesses customer data without explicit written customer approval for a specific support-related purpose. Access is logged, time-limited, and attributed. The same audit trail that governs agent decisions governs human access to your environment.

Written approval required

Engineer access to customer data requires explicit written approval from the customer for a specific, documented purpose. No open-ended access rights.

Full data portability on exit

When your contract ends, you receive a complete export of your data before deletion. All data and dedicated resources are permanently deleted on termination.

Data retention controls

Set and manage data retention periods to align with your internal policies and applicable regulatory requirements.

BAA available now

Business Associate Agreement available for signature before any PHI is processed. Contact [email protected] to begin.

  • Cadence: Semi-annual

    Independent penetration tests conducted twice per year covering the full platform scope.

  • Methodology: Assume Breach

    Tests are designed on the assumption that perimeter controls have already been bypassed — the most rigorous posture available.

  • Scope: Full Platform

    Every layer of the PLRX Agentic Execution Platform — API endpoints, agent coordination layer, tenant isolation, storage, and authentication.

Questions your IT team will ask.

Does PLRX use our data to train AI models?

No. PLRX never uses customer data — operational data, PHI, documents, or mission records — to train, fine-tune, or improve any AI model. Your data is used exclusively to run your missions. This is not an opt-out setting. It is the only mode PLRX operates in.

How is PHI protected within PLRX?

PHI is encrypted at the database level using AES-256-GCM. Sensitive fields are masked before any logging occurs, so PHI never appears in logs, traces, or audit records in plaintext. Each customer environment is physically isolated in a dedicated Kubernetes cluster with no shared data plane.

Can PLRX engineers access our data?

Only with explicit written customer approval for a specific, documented support-related purpose. Access is time-limited, logged in the same audit trail that governs agent decisions, and attributed to a named individual. There is no standing engineer access to customer environments.

How can we audit AI decisions made by PLRX agents?

Every AI prompt, model response, agent decision, workflow state transition, and tool call is captured in WORM (Write-Once Read-Many) append-only, object-locked storage. The log cannot be modified or deleted. Every decision is traceable to the specific prompt, model, timestamp, workflow ID, and agent identity that produced it. This record is available to you at any time and is designed to support regulatory examination.

What is the current certification status?

NIST AI RMF self-assessment is completed. 3rd-party audit of SOC 2 Type 1 is planned for July 2026. 3rd-party audits of HIPAA and SOC 2 Type 2 are targeted for October 2026. Active compliance monitoring, in-progress control evidence, and the full certification roadmap are available at trust.plrx.ai. A BAA is available for signature now.

Does PLRX support SSO and enterprise identity management?

Yes. PLRX supports OAuth2 and standard enterprise SSO protocols. Every action within the platform is authenticated and attributed to a verified identity. Contact [email protected] for SSO configuration details specific to your identity provider.

Enterprise ready. From day one.

The Trust Center is live at trust.plrx.ai. The BAA is ready. The security team answers questions directly.