Security · Compliance · Trust

Trust isn't claimed.
It's documented.

SOC 2 Type II certified. CPSTIC pathway. EU data residency by default. Zero data retention. Review every control in our trust portal.

  • SOC 2 Type II: ✓ Certified
  • CPSTIC Pathway: → LINCE In Progress
  • NIS2 Compliance: ✓ Evidence Pack
  • DORA Art. 28: ✓ Evidence Pack
  • EU Data Residency: ✓ By Default
  • Centro Criptológico Nacional: ✓ Reference Customer

Built on three foundations

Security at every layer.

Zero Data Retention

Your source code is processed in ephemeral containers and discarded immediately. No code stored, no AI training on your data. EU data residency by default. On-prem and air-gap available.

Verified & Audited

SOC 2 Type II certified. CPSTIC LINCE evaluation in progress. NIS2, DORA Article 28, and CRA evidence packs auto-generated. Compliance isn't a checkbox — it's continuous.

Built in Europe. For Europe.

Incorporated in Bilbao, Spain. EU jurisdiction. Zero Schrems-II risk. Trusted by Spain's Centro Criptológico Nacional. The only AI-native ASPM on the CPSTIC pathway.

Data Handling

Your code never leaves your control.

Every Plexicus analysis runs inside isolated, ephemeral containers. No code is persisted after analysis completes. No data is used to train models. Choose the deployment that fits your security posture.

EU SaaS

  • EU data centres only
  • Zero data retention (ZDR)
  • Encrypted in transit and at rest
  • SOC 2 Type II covered

On-Premises & Air-gap

  • Real Kubernetes Helm chart
  • Full network isolation available
  • No call-home required
  • Feature-identical to SaaS

FAQ

Common security questions.

Does Plexicus store my source code?
No. Plexicus uses zero data retention (ZDR) by default. Source code is processed inside ephemeral, isolated containers and discarded immediately after analysis. Nothing is persisted to disk or database.

What compliance certifications does Plexicus hold?
Plexicus holds SOC 2 Type II certification. We are actively pursuing CPSTIC qualification (LINCE evaluation in progress, targeting Q3 2026). NIS2, DORA Article 28, and CRA evidence packs are available on request via our trust portal.

Is Plexicus GDPR compliant? Where is my data processed?
Yes. Plexicus is incorporated in Bilbao, Spain (EU). All data is processed in EU data centres. We provide a Data Processing Agreement (DPA) template and operate under EU jurisdiction with zero Schrems-II exposure. Download the DPA at trust.plexicus.ai.

Can I deploy Plexicus in my own infrastructure?
Yes. Plexicus ships a production-ready Kubernetes Helm chart for self-hosted deployments. Full air-gap (no outbound internet) is supported. The self-hosted and SaaS variants are feature-identical.

Does Plexicus conduct penetration testing on its own platform?
Yes. We conduct annual third-party penetration testing. Additionally, the AI Pentest engine — which generates real proof-of-concept exploits — runs natively against our own infrastructure.

How do I access audit reports, DPAs, or security questionnaires?
All compliance artifacts — SOC 2 report, DPA template, penetration test summary, security questionnaire responses — are available via our trust portal at trust.plexicus.ai. Access is self-serve; no NDA required for the SOC 2 summary.

Ready when you are

Stop paying per developer.
Start closing the loop.

Plexicus is the AI-native ASPM that scans, filters, fixes, pentests, and explains — autonomously. Unlimited developers, unlimited repos, fair-use AI actions. Real free tier, €269/mo annual when you're ready.