Plytix Security, Compliance, and Data Protection

By the Plytix Team · Updated May 4, 2026

TL;DR: Security at a Glance

  • Infrastructure: Plytix is hosted on Amazon Web Services (AWS), designed for scalability and high availability.
  • Hosting Region: Primary hosting in AWS Dublin (Ireland, eu-west-1), with data replicated across multiple availability zones.
  • Data Protection: Data is encrypted in transit using TLS and stored using industry-standard encryption at rest.
  • Compliance: Plytix operates as a GDPR-aligned data processor and follows a shared responsibility model with its cloud infrastructure providers.
  • Access Security: Strong password hashing, secure session management, role-based access controls, and least-privilege internal access. Two-factor authentication (2FA) may be available through supported identity providers such as Google Sign-In, rather than as a native Plytix feature.
  • Payments: Payments are fully handled by Stripe, a PCI DSS–certified provider; Plytix does not store credit card details.

World-Class Infrastructure

Plytix is a cloud-based platform built on Amazon Web Services (AWS). This allows us to leverage a secure, scalable, and globally trusted infrastructure provider used across many industries.

High Availability and Scaling

The Plytix application runs on Amazon Elastic Kubernetes Service (EKS). This enables the platform to scale dynamically based on demand, helping maintain performance during peak activity such as large product imports, exports, or synchronisations. Data and services are deployed across multiple AWS availability zones to reduce the risk of downtime.

Server Locations & Data Residency

Our primary infrastructure is hosted in AWS’s Dublin (Ireland) region (eu-west-1). This region is commonly used by global SaaS providers and is aligned with European data protection standards and GDPR principles. Customer data is stored and processed in this region unless otherwise communicated, supporting European data residency expectations.

Data Protection

We apply industry-standard security practices to help protect your data both in transit and at rest.

Data in Transit

All communication between your browser and Plytix is encrypted using TLS (Transport Layer Security). This helps prevent unauthorised parties from reading or tampering with data in transit.

Data at Rest

Customer data is stored using AWS managed services (such as databases and object storage) that support strong encryption at rest with modern algorithms. Encryption keys are managed using secure, industry-standard mechanisms provided by AWS.

Passwords and Authentication

Password Security
User passwords are never stored in plain text. Passwords are hashed using strong, salted cryptographic methods so that they cannot be retrieved in readable form.

Session and Token Security
Access sessions are managed using secure, token-based authentication. Tokens are time-bound and scoped to help protect accounts from unauthorised use.

Access Controls
Plytix supports role-based access and account-level permissions so that customers can control who can see or modify specific data within their account.

Plytix Compliance, Shared Responsibility, and Certifications

Plytix uses AWS as its primary cloud provider. AWS maintains a broad set of internationally recognised compliance programs and certifications for the underlying infrastructure, including:

  • ISO 27001 (Information Security Management)
  • SOC 1, SOC 2, and SOC 3 (Service Organisation Controls)
  • Additional regional and industry standards depending on the specific AWS services in use

These certifications apply to the AWS infrastructure and services that Plytix builds on.

Shared Responsibility

Security and compliance in the cloud follow a shared responsibility model:

  • AWS is responsible for the security “of” the cloud, including physical data centres, networking, and the core infrastructure services.
  • Plytix is responsible for the security “in” the cloud, including the application, configurations, access control, and operational processes on top of AWS.
  • Customers are responsible for how they configure and use Plytix, including user management, access policies within their organisation, and the data they choose to upload.

Payments and PCI DSS

All payments for Plytix subscriptions are processed by Stripe. Stripe is a PCI DSS–certified payment service provider. Plytix does not store or process credit card numbers, which reduces exposure of sensitive payment data.

Business Continuity and Reliability

Automated Backups

Databases are regularly backed up using managed database services. Backup processes are designed to support recovery of customer data within defined retention periods.

Redundancy and Availability

Key services are deployed across multiple AWS availability zones within the eu-west-1 region. This helps reduce the impact of hardware failures or localised issues on overall service availability.

Recovery Processes

Plytix maintains a disaster recovery plan with clear procedures for restoring service after a major disruption. We regularly test those procedures to help make sure our team is ready to respond effectively.

Internal Security and Governance

Least Privilege Access

Access to production systems is restricted to authorised personnel and follows a least-privilege principle. Employees receive only the access required to perform their role.

Strong Authentication

Internal systems used to operate Plytix are protected with strong authentication controls, including two-factor authentication (2FA) where supported. For customer access to the Plytix app, 2FA may be available through the user’s identity provider, such as Google Sign-In, rather than as a native Plytix feature.

Onboarding and Offboarding Controls

Access for new employees is provisioned according to role, and access for departing employees is removed promptly to help maintain system security.

Monitoring and Logging

System and security logs are collected and monitored to help detect unusual activity, performance issues, or potential security events. Alerts are used to support timely investigation and response.

Security Incidents and Vulnerability Management

Incident Response
Plytix maintains internal processes to identify, assess, and respond to security incidents. In the event of a confirmed incident affecting customer data, Plytix will investigate, take corrective action, and, where appropriate, communicate with affected customers.

Vulnerability Management
Plytix regularly updates its systems and dependencies and applies security patches as part of ongoing operations. Automated tooling and reviews are used where possible to help identify vulnerabilities, and remediation is prioritised based on risk.

GDPR and Data Protection

Role Under GDPR
Plytix acts as a data processor for personal data that customers choose to store in the platform. Customers remain the data controllers and are responsible for deciding what data to collect, how it is used, and who it is shared with.

Data Subject Rights
Plytix processes personal data of users on behalf of our customers. Customers, as data controllers, remain responsible for complying with applicable data protection laws, including providing access, correction, or deletion of their users’ personal data. Our handling of personal data is described in the Plytix Privacy Policy.

For any GDPR-related questions or to exercise data subject rights, please contact our Data Protection Officer (DPO) at:
Alameda Principal, 24, 2ª, 29005, Málaga, Spain
Email: gdpr@plytix.com

For more detailed security or technical questions, or if you need specific documentation for security reviews, please contact the Plytix support team at help@plytix.com.

Frequently Asked Questions

Plytix compliance with GDPR principles is part of our broader security and data protection framework. Plytix is designed with data protection principles in mind and operates as a GDPR-aligned data processor. Customers remain responsible for how personal data is configured and managed within the platform and for meeting their own obligations as data controllers.

Customer data is primarily stored and processed in AWS’s Dublin (Ireland, eu-west-1) region. This region is within the European Union and supports compliance with European data protection requirements.

No. Payments are processed by Stripe, and Plytix does not store or process credit card numbers.

Plytix maintains incident response procedures for detecting, investigating, and resolving security incidents. Where customer data is affected, Plytix will take appropriate remedial action and, when required, notify impacted customers.

Disclaimer

The information on this page is provided for general informational purposes only. It describes Plytix’s platform, infrastructure, security practices, and data protection approach, but does not constitute a contractual commitment or legal advice.

Customers remain responsible for how they configure and use Plytix, manage their data, and comply with applicable laws and regulations, including data protection requirements.

Service availability, backup, recovery, and security commitments are governed by Plytix’s applicable agreements, including its Terms and Conditions and any relevant Service Level Agreements.

For GDPR-related inquiries or requests related to data subject rights, please contact our Data Protection Officer at gdpr@plytix.com or Alameda Principal, 24, 2ª, 29005, Málaga, Spain.