Privacy by Architecture, Not by Promise

Placino's security model is built on cryptographic guarantees, not trust. Data stays encrypted end-to-end. Governance is automated and verifiable. Compliance is embedded, not bolted-on.

Envelope Encryption Architecture

AES-256-GCM Per-Upload

Every dataset uploaded to Placino is encrypted at rest using AES-256-GCM (Galois/Counter Mode), the standard for authenticated encryption. Each upload receives a unique encryption key and initialization vector (IV).

  • 256-bit symmetric encryption
  • Authenticated encryption with associated data (AEAD)
  • Unique IV per upload prevents replay attacks
  • Hardware-accelerated on modern CPUs

RSA-4096 Envelope Wrapping

Data encryption keys are wrapped in RSA-4096 public keys. Only organizations holding the private key can decrypt. Key material never travels in plaintext through the network.

  • 4096-bit RSA key strength (100+ year horizon)
  • OAEP padding for semantic security
  • Key rotation without re-encrypting data
  • Hardware security module (HSM) compatible
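How the two layers fit together, as an added example (not Placino's code): Seal draws a per-upload AES-256-GCM key and nonce, binds the upload ID as associated data, and wraps the key with RSA-OAEP; Open reverses that and fails closed on any tampering. The Envelope layout, NewOrgKey and the 12-byte nonce prefix are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a hypothetical per-upload record: GCM output plus the RSA-wrapped DEK.
type Envelope struct {
	UploadID   string // bound to the ciphertext as GCM associated data (AAD)
	Ciphertext []byte // 12-byte nonce || ciphertext || 16-byte GCM tag
	WrappedDEK []byte // RSA-OAEP(SHA-256) wrapping of the 32-byte DEK
}

// NewOrgKey generates the organisation's wrapping key pair (the page uses RSA-4096).
func NewOrgKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }
// gcmFor builds AES-256-GCM; with a 32-byte DEK neither constructor can fail.
func gcmFor(dek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal draws a fresh DEK and nonce for this upload, encrypts with the upload ID
// as AAD, and wraps the DEK so only the RSA private-key holder can recover it.
func Seal(pub *rsa.PublicKey, uploadID string, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // DEK || nonce; a (key, nonce) pair is never reused
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	ct := gcmFor(dek).Seal(nonce, nonce, plaintext, []byte(uploadID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{UploadID: uploadID, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Open unwraps the DEK and decrypts; any change to the ciphertext or upload ID fails the tag check.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(dek).Open(nil, env.Ciphertext[:12], env.Ciphertext[12:], []byte(env.UploadID))
}
```

Rotating the organisation key pair is then rsa.DecryptOAEP of WrappedDEK with the old private key followed by rsa.EncryptOAEP under the new public key; the Ciphertext field is never touched, which is what "key rotation without re-encrypting data" means in practice.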

Ephemeral SHA-256 Hashing

Identity matching uses deterministic SHA-256 hashes computed in-memory. Hashes are never persisted. Each matching session uses fresh hashes derived from session-specific salts.

  • Deterministic for consistency, session-scoped for privacy
  • No hash tables or lookup caches
  • Session salts destroyed after matching
  • Resistant to precomputation and rainbow tables
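An added example of the session-scoped hashing described above (not Placino's code). It assumes both datasets are hashed inside one in-memory session and uses HMAC-SHA256 keyed with the session salt rather than a plain salted hash; Session, Hash, Match and Destroy are names chosen for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"strings"
)

// Session is a hypothetical stand-in for a matching session; its salt lives only in memory.
type Session struct{ salt []byte }
// NewSession draws a fresh 32-byte salt; digests never match across sessions or precomputed tables.
func NewSession() (*Session, error) {
	salt := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Session{salt: salt}, nil
}

// Hash is HMAC-SHA256 keyed by the session salt over the normalized identifier:
// deterministic within the session (same input, same digest), useless outside it.
func (s *Session) Hash(id string) string {
	mac := hmac.New(sha256.New, s.salt)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(id)))) // normalize first
	return string(mac.Sum(nil)) // raw 32-byte digest, used only as a map key
}

// Match returns the identifiers in mine whose digest also appears in theirDigests
// (digests computed earlier in this same session from another dataset).
func (s *Session) Match(mine []string, theirDigests []string) []string {
	seen := make(map[string]bool, len(theirDigests))
	for _, d := range theirDigests {
		seen[d] = true
	}
	var matched []string
	for _, id := range mine {
		if seen[s.Hash(id)] {
			matched = append(matched, id)
		}
	}
	return matched
}

// Destroy zeroes the salt after matching, so no digest can be recomputed later.
func (s *Session) Destroy() {
	for i := range s.salt {
		s.salt[i] = 0
	}
}
```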

Privacy Controls & Enforcement

Differential Privacy

Add mathematically proven noise to query results. Control the privacy-utility tradeoff with epsilon budgets.

  • Laplace mechanism (for sum/count)
  • Gaussian mechanism (for mean/variance)
  • Per-user epsilon budget tracking
  • Budget composition bounds
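An added example (not Placino's code) of the Laplace mechanism for a counting query combined with per-user epsilon tracking under basic sequential composition, where the epsilons of answered queries simply add up. Budget, Laplace and the seeded math/rand source are assumptions of this example; the Gaussian mechanism is not shown.

```go
package main

import (
	"errors"
	"math"
	"math/rand"
	"sync"
)

// Budget tracks each user's spent epsilon under basic sequential composition: the
// privacy loss of answered queries adds up and may never exceed the limit.
// (Hypothetical tracker; the page does not show Placino's own bookkeeping.)
type Budget struct {
	mu    sync.Mutex
	limit float64
	spent map[string]float64
}

var ErrBudgetExhausted = errors.New("epsilon budget exhausted")
func NewBudget(limit float64) *Budget { return &Budget{limit: limit, spent: map[string]float64{}} }
// Spend charges eps to user before the query runs; a query that would overrun the
// limit is refused outright rather than answered with less noise than promised.
func (b *Budget) Spend(user string, eps float64) error {
	if !(eps > 0) { // also rejects NaN; eps == 0 would mean infinite noise
		return errors.New("epsilon must be positive")
	}
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.spent[user]+eps > b.limit {
		return ErrBudgetExhausted
	}
	b.spent[user] += eps
	return nil
}

// Laplace is the Laplace mechanism; the seed exists only to make tests repeatable.
type Laplace struct{ rng *rand.Rand }
func NewLaplace(seed int64) *Laplace { return &Laplace{rng: rand.New(rand.NewSource(seed))} }
// Sample draws Laplace(0, b) noise by inverse CDF, where b = sensitivity / epsilon.
func (l *Laplace) Sample(b float64) float64 {
	u := l.rng.Float64() - 0.5 // uniform on [-0.5, 0.5)
	return b * math.Copysign(-math.Log(1-2*math.Abs(u)), u)
}
// Count answers a counting query (sensitivity 1) for user, charging eps first.
func (l *Laplace) Count(bud *Budget, user string, trueCount int, eps float64) (float64, error) {
	if err := bud.Spend(user, eps); err != nil {
		return 0, err
	}
	return float64(trueCount) + l.Sample(1/eps), nil
}
```

Production noise should come from a cryptographic RNG with a floating-point-safe sampler; the page does not say which sampler Placino uses.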

K-Anonymity

Ensure no individual can be re-identified. Suppress or generalize attributes until each person is indistinguishable from at least k-1 others.

  • Configurable k threshold (default k=5)
  • Attribute generalization (zip → state → region)
  • Record suppression for small groups
  • Enforced on query result sets
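An added example (not Placino's code) of generalize-then-suppress k-anonymization over a single quasi-identifier using the page's zip → state → region hierarchy; the Record shape, the ladder values and the per-class generalization strategy are constructed for this example.

```go
package main

// Record is a row with one quasi-identifier (a ZIP code to start with) held at
// its current generalization level; a hypothetical shape, not Placino's schema.
type Record struct {
	ID int
	QI string
}
// ladder is a constructed zip -> state -> region hierarchy; a value missing here is already at the top.
var ladder = map[string]string{
	"10001": "NY", "10002": "NY", "10003": "NY", "10004": "NY",
	"94102": "CA", "94103": "CA", "02134": "MA",
	"NY": "Northeast", "MA": "Northeast", "CA": "West",
}
// smallClasses lists the QI values whose equivalence class has fewer than k rows.
func smallClasses(rows []Record, k int) map[string]bool {
	counts := map[string]int{}
	for _, r := range rows {
		counts[r.QI]++
	}
	small := map[string]bool{}
	for qi, n := range counts {
		if n < k {
			small[qi] = true
		}
	}
	return small
}

// Anonymize widens the QI of every too-small class one level at a time until each
// class holds at least k rows; a class still below k at the top of the hierarchy is
// suppressed. Returns the surviving rows and the number of suppressed rows.
func Anonymize(rows []Record, k int) ([]Record, int) {
	out := append([]Record(nil), rows...) // never mutate the caller's slice
	for {
		small := smallClasses(out, k)
		if len(small) == 0 {
			return out, len(rows) - len(out)
		}
		kept := out[:0] // filter in place: the write index never overtakes the read index
		for _, r := range out {
			if up, ok := ladder[r.QI]; small[r.QI] && ok {
				r.QI = up // generalize one level
			} else if small[r.QI] {
				continue // top of the hierarchy and still < k: suppress the row
			}
			kept = append(kept, r)
		}
		out = kept
	}
}
```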

Column-Level Permissions

Grant or deny access at the column level. Sensitive columns can be masked, hashed, or restricted to specific roles.

  • Role-based access control (RBAC)
  • Column masking (redaction/hashing)
  • Data classification tags
  • Enforcement in query execution engine

Purpose Limitation

Bind datasets and segments to specific approved uses. Prevent unauthorized secondary uses of data.

  • Purpose tags on datasets and segments
  • Enforcement in query validation
  • Semantic guardrails for intent detection
  • Audit logging of purpose violations

Enterprise Governance

Merkle-Chain Audit Trails

Every query, data access, and permission change is recorded in an immutable Merkle-chained log. Tampering is cryptographically detectable.

  • Hash-chained audit logs (Merkle tree)
  • Append-only with no update or delete
  • Cryptographic integrity verification
  • Export for compliance reviews
  • Real-time audit event streaming

Use audit logs to prove compliance during audits, investigate security incidents, and track data lineage.
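An added example (not Placino's code) of a hash-chained audit log with an exportable copy and an integrity check. It implements the linear chain, where each entry commits to its predecessor, rather than a full Merkle tree, and the Entry fields and function names are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Entry is one audit event; Hash commits to its fields and to the previous entry's hash.
type Entry struct {
	Actor    string `json:"actor"`
	Action   string `json:"action"` // e.g. "query: SELECT count(*) FROM segment_7"
	PrevHash string `json:"prev"`   // "" for the genesis entry
	Hash     string `json:"hash"`
}
// AuditLog is append-only by construction: it has no update or delete method.
type AuditLog struct{ entries []Entry }
// digest is SHA-256 over the canonical JSON encoding with Hash cleared.
func digest(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // encoding a plain struct cannot fail
	return fmt.Sprintf("%x", sha256.Sum256(b))
}
// Append links the new event to the current head and returns the new head hash,
// which callers should stream or store elsewhere as an external anchor.
func (l *AuditLog) Append(actor, action string) string {
	e := Entry{Actor: actor, Action: action}
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].Hash
	}
	e.Hash = digest(e)
	l.entries = append(l.entries, e)
	return e.Hash
}
// Export returns a copy for compliance review, checkable on its own with VerifyChain.
func (l *AuditLog) Export() []Entry { return append([]Entry(nil), l.entries...) }
// VerifyChain recomputes every hash and link, so an edited, removed or reordered entry is
// caught; dropping the newest entries leaves a consistent chain, hence the anchored-head check.
func VerifyChain(entries []Entry, expectedHead string) error {
	prev := ""
	for i, e := range entries {
		if e.PrevHash != prev || e.Hash != digest(e) {
			return fmt.Errorf("audit chain broken at entry %d", i)
		}
		prev = e.Hash
	}
	if prev != expectedHead {
		return fmt.Errorf("log head does not match the anchored head")
	}
	return nil
}
```

The real-time audit event streaming listed above is what makes the anchored-head check possible: a head hash held outside the log store is the only way to notice that the newest entries were silently dropped.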

Just-In-Time Approval Workflows

Sensitive queries require approval before execution. Configurable policies determine which queries require sign-off. The audit trail records the approver, time, and justification.

  • Policy-driven approval triggers
  • Multi-approver workflows
  • Time-gated approval expiry
  • Approval delegation and escalation
  • Audit trail of approvals

When a sensitive query is detected, the system automatically creates an approval request and routes it to the data stewards.

Automated DSAR Handling

Respond to Data Subject Access Requests in minutes, not weeks. Placino automatically finds, assembles, and delivers an individual's data across all datasets.

  • Cross-dataset data subject discovery
  • Automated data extraction and compilation
  • DSAR workflow management
  • Secure delivery channel (encrypted export)
  • Proof of compliance (audit trail)

GDPR Article 15 responses are completed automatically. Audit logs prove a timely, accurate response.

OPA Policy Engine

Open Policy Agent integration for fine-grained access control. Write policies in Rego. Enforce at query execution time.

  • Rego policy language (declarative)
  • Role-based, attribute-based, resource-based access
  • Policy versioning and rollback
  • Policy testing framework
  • Deny policies (blacklist approach)

Decouple policy from code. Update access policies without redeploying. Version control your policy as code.

Compliance Framework Alignment

Placino maps its controls to GDPR, CCPA/CPRA, KVKK, HIPAA, SOC 2, and ISO 27001.

Mapping Details

  • GDPR: Data protection by design, encryption, DPIA support, DSAR automation, audit trails
  • CCPA/CPRA: Consumer rights automation, transparency logs, opt-out enforcement
  • KVKK: Explicit consent tracking, purpose limitation, data localization support
  • HIPAA: PHI encryption, access controls, audit logging, BAA-ready architecture
  • SOC 2: Type II audit trails, change management, access controls, incident response
  • ISO 27001: Information security management system controls, risk management

Zero-Trust Architecture

3 Isolated Networks

Placino's architecture separates ingestion, processing, and activation into isolated Docker networks. Data never leaves the perimeter without explicit authorization.

  • Ingestion network (data upload + validation)
  • Processing network (matching, queries, AI)
  • Activation network (outbound connectors)

Network Segmentation

Layer 7 (application-level) firewalls between networks. Services communicate via encrypted channels with mutual TLS.

No Egress by Default

Data processing containers have no outbound internet access. All egress is explicitly routed through the activation network.

Data Never Leaves Your Perimeter

Self-hosted architecture means your data stays on your infrastructure. No cloud sync, no vendor backends, no data movement without your explicit action.

  • Inbound-only API endpoints
  • No automatic cloud backups
  • Local storage by default
  • Optional encrypted export for backup

Security Best Practices

TLS Everywhere

  • TLS 1.3 for all network communication
  • Mutual TLS (mTLS) for service-to-service
  • Certificate pinning for external APIs

Key Management

  • Hardware security module (HSM) support
  • Automated key rotation policies
  • Separate keys per customer, per environment

Access Control

  • Principle of least privilege
  • Multi-factor authentication (MFA)
  • Session timeouts and rate limiting

Monitoring & Response

  • Real-time anomaly detection
  • Security event alerting
  • Automated incident response workflows

Security is Not Optional

Every layer of Placino is built with cryptographic guarantees. No backdoors. No trust required. Compliance built in, not bolted on.