Security and Privacy

At PlugZero Analytics, we handle sensitive business data. We have built-in rules to make sure this data stays safe and private.


How we protect data

1. User Authentication

We use JWT (JSON Web Tokens) for every request.

  • When a user logs in, they get a token.
  • This token expires after 24 hours.
  • The token is stored in the browser as an HttpOnly cookie. JavaScript cannot read HttpOnly cookies, so a malicious script running in the page cannot steal the token.

2. Team Boundaries (Multi-tenancy)

We use a “Team” system to separate data.

  • Every project belongs to a team.
  • Before the backend gives back any data, it checks: Is the user a member of the team that owns this project?
  • If the answer is No, the server returns a 403 Forbidden error.
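
The team check described above, as an added framework-free sketch (not PlugZero's backend code). It also applies the same boundary to list results. `Store`, `Project`, `PermissionDenied`, `fetch_project`, `list_projects` and `handle_request` are hypothetical names, and the sample data is constructed.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the caller is outside the owning team; maps to HTTP 403."""
    status_code = 403


@dataclass(frozen=True)
class Project:
    id: int
    team_id: int
    data: str


@dataclass
class Store:
    projects: dict      # project_id -> Project
    memberships: set    # {(user_id, team_id)}

    def is_member(self, user_id, team_id):
        return (user_id, team_id) in self.memberships


def fetch_project(store, user_id, project_id):
    """Single-object path: check membership before any data leaves the function."""
    project = store.projects.get(project_id)
    # Assumption of this sketch: an unknown id is answered like a foreign one,
    # so the response does not reveal which project ids exist in other teams.
    if project is None or not store.is_member(user_id, project.team_id):
        raise PermissionDenied("not a member of the owning team")
    return project.data


def list_projects(store, user_id):
    """List path: scope the result set itself, not just single-object lookups."""
    return sorted(p.id for p in store.projects.values()
                  if store.is_member(user_id, p.team_id))


def handle_request(store, user_id, project_id):
    """Hypothetical view wrapper returning (status, body)."""
    try:
        return 200, fetch_project(store, user_id, project_id)
    except PermissionDenied as exc:
        return exc.status_code, "Forbidden"


# Constructed sample data: user 1 is in team 100, user 2 is in team 200.
STORE = Store(
    projects={10: Project(10, 100, "acme revenue"), 20: Project(20, 200, "globex churn")},
    memberships={(1, 100), (2, 200)},
)
```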

3. AI Safety (No Training)

We use the Gemini 2.0 API.

  • We have a specific agreement that our data is not used to train the AI models.
  • When we send data for analysis, we first “scrub” (remove) any personal names or phone numbers using our PII_Scanner utility in the backend.

Technical Security Checklist

If you are building a new feature, make sure you follow these rules:

  1. Never Use Raw Input: Never put user-typed text directly into a database query. Always use Django’s built-in models (the ORM), which parameterize queries and so prevent “SQL Injection.”
  2. Check Permissions: Every new view in the backend must have a permission_classes list.
  3. Encrypted Fields: If you are storing a password or a secret token, use the EncryptedField type in our Django models. It uses AES-256 encryption.

Strict Rule: Never commit .env files or API keys to GitHub. Our CI/CD pipeline will automatically block any PR that contains a secret key.
