Built for enterprise. Designed to be trusted.

AWS Cloud Infrastructure

PlugIQ runs entirely on Amazon Web Services (AWS) — the same infrastructure trusted by banks, governments, and Fortune 500 companies. Our primary region is EU West (Ireland) with backup and failover to a secondary AWS region.

• ✓ Primary region: AWS EU West (Ireland)
• ✓ Automated cross-region backups
• ✓ AWS Shield for DDoS protection
• ✓ VPC isolation and private subnets
• ✓ WAF (Web Application Firewall)

Encryption Architecture

We use encryption at multiple layers to ensure your data is protected whether in transit, at rest, or being processed. Encryption keys are managed via AWS Key Management Service (KMS) and rotated on a regular schedule.

• ✓ TLS 1.2+ for all data in transit
• ✓ AES-256 encryption for data at rest
• ✓ AWS KMS for key management
• ✓ Regular key rotation policy
• ✓ Encrypted database backups

High Availability

Our architecture is designed for resilience. Services run across multiple availability zones so that the failure of any single zone does not impact availability. Automated failover and load balancing are active at all times.

• ✓ Multi-AZ deployment across all services
• ✓ Automated health checks and failover
• ✓ Load-balanced application tier
• ✓ Database read replicas for performance
• ✓ Regular disaster recovery drills

RBAC — Role-Based Access Control

Define custom roles with precise permissions. Control who can submit requests, who can approve, who can view reports, and who can administer the workspace. Permissions apply at the workflow level, not just the system level.

SSO / SAML 2.0

Enterprise customers can enforce single sign-on via SAML 2.0, integrating with any identity provider including Okta, Azure AD, Google Workspace, and OneLogin. SSO can be made mandatory for all workspace users.

SCIM User Provisioning

Automatically provision and deprovision users via SCIM 2.0. When an employee joins or leaves your organisation, their PlugIQ access is updated automatically in sync with your identity provider — no manual intervention required.

Session Security

Sessions are time-limited and bound to the originating device fingerprint. Administrators can view active sessions, force-expire individual sessions, and configure maximum session duration. Suspicious session activity triggers automatic alerts.

Immutable Audit Trail

Every action taken in PlugIQ — submission, approval, rejection, delegation, comment, escalation — is recorded in a tamper-proof log. Records include actor, timestamp, IP address, device, and full context. Logs cannot be modified or deleted by any user, including administrators.

Tenant Data Isolation

Each customer's data is logically isolated using workspace-level partitioning enforced at the database and application layer. There is no mechanism by which one customer's data can be accessed by another customer, regardless of plan type.

Retention and Deletion

Customers can configure data retention policies within their workspace. On account termination, all Customer Data is permanently deleted within 30 days. Deletion is applied across primary storage, backups, and any derived caches.

Google Workspace

PlugIQ's use of Google API data adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access only the minimum scopes necessary to provide the integration.

• ✓ Data not used for advertising
• ✓ Data not shared with third parties beyond service delivery
• ✓ Data not used for AI training without explicit consent
• ✓ Users can revoke access via Google account settings at any time

Microsoft 365

Microsoft 365 integration is authenticated via OAuth 2.0 through Microsoft's identity platform. We request only the minimum Graph API permissions required for the features you enable.

• ✓ OAuth 2.0 — no password storage
• ✓ Tokens encrypted and scoped to minimum required access
• ✓ Admins can revoke access via Microsoft admin portal at any time
• ✓ Microsoft 365 data not retained beyond the active session