Security · Compliance

Trust isn't claimed.
It's documented.

SOC 2 Type II certified. CPSTIC pathway. EU data residency by default. Zero data retention. Review every control in our trust portal.

SOC 2 Type II: Certified
Zero Retention: Code discarded after analysis
EU Data Residency: Bilbao, Spain · EU jurisdiction
CPSTIC: LINCE in progress

Reference customer: Trusted by Spain's Centro Criptológico Nacional — the national cryptology centre behind Spain's ENS certification programme.


Trusted by leading teams across Europe

Telefonica
Ironchip
Oesia
Barbara
Deloitte
Prowler
Overxet
Wandari
Built on three foundations

Security at every layer.

Zero Data Retention

Your source code is processed in ephemeral containers and discarded immediately. No code stored, no AI training on your data. EU data residency by default. On-prem and air-gap available.

Verified & Audited

SOC 2 Type II certified. CPSTIC LINCE evaluation in progress. NIS2, DORA Article 28, and CRA evidence packs auto-generated. Compliance isn't a checkbox — it's continuous.

Built in Europe. For Europe.

Incorporated in Bilbao, Spain. EU jurisdiction. Zero Schrems-II risk. Trusted by Spain's Centro Criptológico Nacional. The only AI-native ASPM on the CPSTIC pathway.

Compliance evidence pack

One click.
Every auditor satisfied.

Plexicus auto-generates a compliance evidence pack mapped to NIS2, DORA Article 28, CRA, and ENS controls. When your auditor asks for AppSec evidence, you click one button. The pack includes scan history, triage logs, fix audit trails, and an AI provenance report.

  • Application risk management controls
  • Vulnerability scan history (90 days)
  • False-positive triage evidence
  • AI-generated fix audit trail
  • Supply chain dependency inventory
  • Incident response timeline
  • AI provenance & AIBOM
Data Handling

Your code never leaves your control.

Every Plexicus analysis runs inside isolated, ephemeral containers. No code is persisted after analysis completes. No data is used to train models. Choose the deployment that fits your security posture.

How every analysis works (SaaS · On-prem · Air-gap):

  1. Code received
  2. Isolated container
  3. SAST / SCA
  4. Results delivered
  5. Container wiped

The ephemeral container is destroyed immediately after step 5. No code, no intermediate artefact, no log is retained. This applies identically to SaaS and self-hosted deployments.

EU SaaS

  • EU data centres only
  • Zero data retention (ZDR)
  • Encrypted in transit and at rest
  • SOC 2 Type II covered

On-Premises & Air-gap

  • Real Kubernetes Helm chart
  • Full network isolation available
  • No call-home required
  • Feature-identical to SaaS

How we keep security tight

Security isn't a product.
It's a process.

01 · Automated SAST/SCA on every PR

Every pull request — including our own — is scanned by Plexicus before merge. We use our own SAST, SCA, secrets detection, and IaC analysis engines. No exception for internal code.

02 · Annual third-party penetration test

An independent security firm conducts a full-scope penetration test against our production infrastructure every year. Summary report available via trust.plexicus.ai.

03 · AI Pentest runs on our own infrastructure

We run our own AI Pentest engine against plexicus.ai continuously. If it can find an exploitable vulnerability in a customer repo, it can find one in ours. We eat our own cooking.

04 · SOC 2 Type II continuous monitoring

Our SOC 2 Type II certification is backed by continuous monitoring of 100+ controls. Evidence is collected automatically and reviewed by an accredited auditor annually.

05 · Responsible disclosure program

Security researchers can report vulnerabilities directly to security@plexicus.ai. We acknowledge within 48 hours, triage within 5 business days, and publish fixes with credit where permitted.

FAQ

Common security questions.

Does Plexicus store my source code?
No. Plexicus uses zero data retention (ZDR) by default. Source code is processed inside ephemeral, isolated containers and discarded immediately after analysis. Nothing is persisted to disk or database.

What compliance certifications does Plexicus hold?
Plexicus holds SOC 2 Type II certification. We are actively pursuing CPSTIC qualification (LINCE evaluation in progress, targeting Q3 2026). NIS2, DORA Article 28, and CRA evidence packs are available on request via our trust portal.

Is Plexicus GDPR compliant? Where is my data processed?
Yes. Plexicus is incorporated in Bilbao, Spain (EU). All data is processed in EU data centres. We provide a Data Processing Agreement (DPA) template and operate under EU jurisdiction with zero Schrems-II exposure. Download the DPA at trust.plexicus.ai.

Can I deploy Plexicus in my own infrastructure?
Yes. Plexicus ships a production-ready Kubernetes Helm chart for self-hosted deployments. Full air-gap (no outbound internet) is supported. The self-hosted and SaaS variants are feature-identical.

Does Plexicus conduct penetration testing on its own platform?
Yes. We conduct annual third-party penetration testing. Additionally, the AI Pentest engine — which generates real proof-of-concept exploits — runs natively against our own infrastructure.

How do I access audit reports, DPAs, or security questionnaires?
All compliance artifacts — SOC 2 report, DPA template, penetration test summary, security questionnaire responses — are available via our trust portal at trust.plexicus.ai. Access is self-serve; no NDA required for the SOC 2 summary.

Responsible Disclosure

Found a security vulnerability in Plexicus? We want to know. Report it privately and we'll work with you to resolve it quickly. We acknowledge all valid reports and publish fixes with researcher credit where permitted.

security@plexicus.ai

48h acknowledgement · 5-day triage · coordinated disclosure

Security Artefacts

Download our SOC 2 Type II report, DPA template, penetration test summary, and answers to common security questionnaires — all self-serve, no NDA required for the summary report.

Ready when you are

Stop paying per developer.
Start closing the loop.

Plexicus is the AI-native ASPM that scans, filters, fixes, pentests, and explains — autonomously. Unlimited developers, unlimited repos, fair-use AI actions. Real free tier, €269/mo annual when you're ready.