Security & Trust
Your code never has to leave the building.
PLCcode and Fableloom were designed for the most conservative networks in industry — validated pharma suites, air-gapped OT environments, plants where source code is a trade secret. Security here isn't a checklist bolted on; it's the architecture.
SOVEREIGN DEPLOYMENT · NO TRAINING ON CUSTOMER CODE · AUDIT-READY
Deployment model
The strongest control is topology. In self-hosted and air-gapped deployments, the Fableloom models, your code, and every inference run live entirely on hardware you own, inside your network boundary, with zero required outbound connectivity. There is no data to protect in transit to us — because nothing transits to us.
Practices
Encryption
TLS 1.2+ for all data in transit on cloud-tier services; encryption at rest for stored content. Air-gapped transfers use signed, checksummed packages.
Identity & access
OIDC single sign-on with role-based access control. Least-privilege administration, scoped API tokens, and per-project permissions.
Audit logging
Administrative and content-affecting actions are logged with actor, timestamp, and before/after state — designed with 21 CFR Part 11 expectations in mind.
Tenant isolation
Cloud-tier customers are logically isolated. Enterprise plans can run dedicated instances; sovereign plans run on your hardware, full stop.
No training on your code
Customer code, files, and prompts are never used to train models offered to other customers. Opt-in is explicit or it doesn't happen.
Vulnerability management
Dependency scanning, routine patching, and a responsible-disclosure channel: info@plccode.ai.
Backups & recovery
Versioned backups with tested restoration for cloud-tier data. Self-hosted deployments integrate with your existing backup regime.
Incident response
Documented response plan with customer notification without undue delay for any incident affecting customer data.
Built for regulated industries
PLCcode is designed alongside working CQV engineers for environments governed by GAMP 5 and 21 CFR Part 11. Documentation to support your supplier assessment — architecture overviews, security questionnaires, and validation-support material — is available under NDA.
Compliance roadmap
- Available: Security questionnaire responses & architecture documentation (under NDA)
- Available: DPA with SCCs for cloud-tier customers
- Planned: SOC 2 Type I, followed by Type II [update with real dates]
- Planned: Penetration test by independent firm, summary available to customers
Report a vulnerability
We welcome good-faith security research. Email info@plccode.ai with details; we'll acknowledge within 2 business days and won't pursue action against good-faith researchers who respect user data and give us reasonable time to remediate.