Security — full reference

Reference for Plugsky security: encryption at rest and in transit, authentication via API keys or SSO, RBAC, audit logs, customer-managed keys (BYOK), and compliance attestations (SOC 2, ISO 27001, HIPAA, GDPR, PDPL).

Encryption

| Layer | Method |
| --- | --- |
| At rest | AES-256 with envelope encryption (per-region KMS) |
| In transit | TLS 1.3 only, HSTS preloaded |
| Customer-managed keys (BYOK) | AWS KMS, Azure Key Vault, HashiCorp Vault, on-prem HSM |
| Per-request encryption | Optional for highly regulated workloads |
| Zero-knowledge mode | Your gateway encrypts before sending; model never sees plaintext |

Authentication

| Method | Notes |
| --- | --- |
| API keys | Bearer token in Authorization header. sk-live-... for live, sk-test-... for sandbox. |
| SAML 2.0 SSO | Enterprise. Entra ID, Okta, Google Workspace, Ping, ADFS. |
| OIDC | Any OIDC-compliant IdP. |
| SCIM provisioning | Enterprise. Auto-provision and de-provision users from your IdP. |
| mTLS | Enterprise. Client certificate authentication for service-to-service. |

Audit logs

Every request is logged with: timestamp, model, prompt hash, completion hash, token count, latency, IP, user ID, region. Audit logs are exportable to your SIEM (Splunk, Sentinel, QRadar, Datadog) and retained for the period you choose (default 90 days, up to 7 years on Enterprise).

Compliance

  • SOC 2 Type II — security, availability, confidentiality
  • ISO 27001 / 27017 / 27018
  • HIPAA + BAA available
  • GDPR + EU SCCs available
  • PDPL (Saudi, UAE, Qatar, Bahrain, Kuwait, Oman)
  • FedRAMP Moderate (Q4 2026)
  • DIFC DPL + NSD + SAMA + CBUAE + QCB + CBB + CBO aligned

Frequently asked questions

How do I get a SOC 2 Type II report?

Enterprise customers can request the SOC 2 Type II report under NDA from their account manager or via security@plugsky.com.

Is BYOK available on self-serve?

BYOK is Enterprise-only. Self-serve uses Plugsky-managed KMS per region. Contact sales for Enterprise BYOK.

How do I enable SAML SSO?

Enterprise customers: Settings → Authentication → SAML SSO. We support Entra ID, Okta, Google Workspace, Ping, ADFS, and any SAML 2.0-compliant IdP.

What about responsible disclosure?

Email security@plugsky.com. PGP key on request. We respond within 24h and credit researchers in our hall of fame.
