DPO FAQ

Does Plaw receive policy or decision content?

No for BYOC. Policy bodies, decisions, tool-call args, approval details, Slack content, prompts, env vars, secrets, agent IDs, and end-user IDs stay in the customer plane.

What does the license heartbeat send?

Exactly six fields: instance_uuid, license_id, decision_count_30d, sdk_version, operator_version, and timestamp.

Can we run without egress?

Yes. Air-gapped mode disables heartbeat and telemetry and validates an offline license JWT mounted from a customer-managed secret/file.

Does Plaw need cloud account access?

No. BYOC is outbound HTTPS only. Plaw does not assume roles, use cross-account IAM, or impersonate GCP/Azure identities.

Is Convex required?

Cloud/SaaS uses Convex in the Plaw plane. BYOC/self-hosted deployments use STORAGE_DRIVER=sqlite or STORAGE_DRIVER=postgres in the customer plane and do not require Convex.