Glossary

Plain-language definitions of the terms we throw around.

Written by our engineers for procurement officers, executives, and anyone else reviewing our work. 57 entries.


A

A2P
Application-to-Person messaging. SMS sent from software (not a human) to phones. Regulated under the TCPA in the US; US carriers additionally require 10DLC campaign registration for A2P traffic sent from standard long-code numbers.
ACID
Atomicity, Consistency, Isolation, Durability. The transactional guarantees a database provides. Postgres provides full ACID; many NoSQL systems weaken one or more.
AML
Anti-Money Laundering. The framework of laws and processes (Bank Secrecy Act in the US, AMLD in the EU) to prevent illicit financial activity. Includes KYC, transaction monitoring, SAR filing.
API
Application Programming Interface. Contract between two software components. REST is the most common style; GraphQL and gRPC are alternatives we use for specific needs.
ATO
Authorization to Operate. The federal sign-off under the NIST Risk Management Framework (typically assessed against NIST SP 800-53 Rev 5 controls) required before a system handles US government data. We support customers preparing for ATO.

B

BAA
Business Associate Agreement. The HIPAA contract required between a covered entity (typically a healthcare provider or health plan) and any vendor handling PHI on its behalf. Plutobee's BAA is signed before any PHI touches our systems.
BFF
Backend for Frontend. An architectural pattern where each client (web, iOS, Android) has its own tailored backend service that aggregates internal APIs. Reduces over-fetching and frontend logic.

C

C4 model
A four-level architecture diagramming standard (Context, Containers, Components, Code) we use as a deliverable in the Architecture phase of every engagement.
CDC
Change Data Capture. Streaming database changes as events. We use Debezium for self-hosted Postgres CDC and Kafka Connect for downstream propagation.
CDN
Content Delivery Network. Edge cache for static assets. We default to Cloudflare; AWS CloudFront and Fastly when customer-mandated.
CMMC
Cybersecurity Maturity Model Certification. The DoD-mandated cybersecurity assessment framework for defense industrial base contractors, with three levels tied to the sensitivity of the information handled. We support customers preparing for CMMC Level 2 or 3.
CRM
Customer Relationship Management system. Salesforce, HubSpot, Pipedrive in their respective markets.

D

DAST
Dynamic Application Security Testing. Running an automated scanner against a running application to find security issues. We use OWASP ZAP and Burp Suite Professional.
DORA
DevOps Research and Assessment. The four key metrics (lead time for changes, deployment frequency, change failure rate, time to restore service) measuring engineering velocity and quality. We commit to elite tier on engagements past month two.
DPA
Data Processing Agreement. The GDPR-required contract between data controllers and processors. Our standard DPA includes SCCs Module 2 and Module 3 and the UK International Data Transfer Addendum to the EU SCCs.

E

ECDSA
Elliptic Curve Digital Signature Algorithm. Cryptographic signature standard used in Bitcoin and Ethereum (secp256k1) and in many TLS certificates and handshakes (typically P-256). Security depends on a unique, unpredictable nonce per signature; nonce reuse leaks the private key.
EDI
Electronic Data Interchange. Standardized B2B document exchange (X12 in US, EDIFACT internationally). Still the lingua franca for logistics, healthcare claims, and supply chain.
eQMS
Electronic Quality Management System. Software supporting ISO 9001, IATF 16949, or 21 CFR Part 11 quality processes (document control, CAPA, non-conformance, audit trails).

F

FedRAMP
Federal Risk and Authorization Management Program. The US government standard for assessing cloud service security. Moderate baseline is the most common; we deliver against it.
FHIR
Fast Healthcare Interoperability Resources. The modern healthcare data exchange standard (R4 is the most widely deployed and mandated version; R5 is published). Replaces parts of HL7 v2 for new integrations.
FIX
Financial Information eXchange. The protocol used by broker-dealers and exchanges for trade messaging. We work with QuickFIX and OnixS engines.

G

GDPR
General Data Protection Regulation. The EU privacy regulation that introduced data subject rights, breach notification, and lawful basis requirements. Comparable regimes: UK GDPR, CCPA/CPRA (California), LGPD (Brazil), KVKK (Turkey).

H

HIPAA
Health Insurance Portability and Accountability Act. The US healthcare privacy and security regulation. Privacy Rule covers use and disclosure; Security Rule covers technical safeguards; Breach Notification Rule covers required disclosure of incidents.
HITRUST
Health Information Trust Alliance. A control framework that crosswalks HIPAA, NIST CSF, ISO 27001, PCI DSS, and more. r2 certification is the gold standard for healthcare vendors.

I

IaC
Infrastructure as Code. Defining cloud resources in version-controlled code. Terraform is our default, OpenTofu is a drop-in alternative, and we use AWS CDK when a customer prefers TypeScript.
ISA-95
Industrial automation standard defining the five levels of manufacturing IT/OT (Level 0 sensors, Level 1 controllers, Level 2 SCADA, Level 3 MES, Level 4 ERP). We integrate at Levels 2 through 4.

J

JWT
JSON Web Token. A compact token carrying claims that are signed (JWS) or encrypted (JWE), used as access and ID tokens in OAuth 2.0 and OIDC. A verifier must pin the expected algorithm and check the signature, expiry, issuer and audience itself rather than trusting the token header. We use short expiry windows and rotate signing keys.
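An added example of the verification discipline the entry describes; this is not Plutobee's code. It issues and verifies HS256 tokens against a small key ring keyed by `kid`, so a rotated-out key still verifies tokens it signed until they expire, while the verifier pins the algorithm and checks signature, `exp`, `iss` and `aud`. The key ring, key IDs, issuer, audience and the 300-second TTL are constructed assumptions; it uses only the standard library so it runs offline.

```python
"""HS256 JWT issue/verify with kid-based key rotation and strict checks.

Added example, not Plutobee's code. The key ring, key IDs, issuer,
audience and the 300-second TTL are illustrative assumptions. Production
systems should use a maintained library (for example PyJWT) and publish
public keys via JWKS; this shows the checks such a library must perform.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key ring (kid -> secret). Rotation adds a new kid and keeps
# the previous key verifiable until the last token it signed has expired.
KEY_RING = {
    "2024-05": b"retired-from-issuance-but-still-verifies",
    "2024-06": b"current-signing-secret-0123456789abcdef",
}
CURRENT_KID = "2024-06"
TOKEN_TTL_SECONDS = 300  # short expiry window (assumed value)
ISSUER = "https://auth.example.test"  # assumed issuer identifier


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue(claims: dict, now: Optional[int] = None, kid: str = CURRENT_KID) -> str:
    """Sign claims with the key identified by kid, adding iss/iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = dict(claims, iss=ISSUER, iat=now, exp=now + TOKEN_TTL_SECONDS)
    signing_input = f"{json_segment(header)}.{json_segment(body)}"
    sig = hmac.new(KEY_RING[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError as exc:  # covers unpack, base64 and JSON errors
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: the token header must never select the verifier
    # (this rejects "none" and any algorithm-confusion attempt).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = KEY_RING.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")  # retired or forged key id
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_aud:
        raise ValueError("issuer or audience mismatch")
    return claims


if __name__ == "__main__":
    tok = issue({"sub": "user-42", "aud": "orders-api"})
    print(verify(tok, "orders-api")["sub"])
```

Rotation works because `kid` selects the key but never the algorithm: a token signed under `2024-05` still verifies, a header naming a retired or unknown `kid` is rejected, and a forged `alg: none` header fails before any key lookup.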

K

KYC
Know Your Customer. The identity verification process required for regulated services (financial, real estate, fund admin). We integrate Persona, Alloy, Socure.

M

MCP
Model Context Protocol. Anthropic-developed open standard for connecting LLMs to tools and data sources. We are MCP-native and build agent systems around it.
MES
Manufacturing Execution System. The plant-floor software bridging ERP and PLC/DCS control systems. We integrate AVEVA, Rockwell FactoryTalk, Siemens Opcenter.
mTLS
Mutual Transport Layer Security. Two-way certificate authentication for service-to-service communication: both client and server present a certificate chained to a trusted CA, so each side knows the identity of the other. We use it in service meshes (Linkerd, Istio), where the sidecar proxies handle certificate issuance and rotation.

N

NIST 800-53
The US government control catalog covering 1,000+ security and privacy controls across 20 families. The baseline for FedRAMP and FISMA. Revision 5 is current.

O

OAuth 2.1
Authorization framework (still a draft) consolidating OAuth 2.0 and its security best-current-practice guidance: PKCE is required for all authorization-code clients, and the implicit and password grants are removed. The default for delegating access between services. We pair it with OIDC for authentication.
OPC-UA
Open Platform Communications Unified Architecture. The modern industrial protocol for OT data exchange. We use it for structured machine data ingestion.
OWASP ASVS
Application Security Verification Standard. A tiered (L1, L2, L3) checklist for security requirements. We build to L2 by default, L3 for high-stakes financial or government systems.

P

PCI DSS
Payment Card Industry Data Security Standard. The card-brand-mandated standard governing cardholder data handling (an industry contractual requirement rather than a law). Version 4.0 replaced 3.2.1 in March 2024, and its future-dated requirements became mandatory on 31 March 2025. We scope tightly via tokenization so that cardholder data never enters systems we build.
PHI
Protected Health Information. The HIPAA-defined category of patient data requiring specific safeguards.
PII
Personally Identifiable Information. Data that can identify a natural person. Subject to multiple privacy regimes depending on jurisdiction.

R

RAG
Retrieval Augmented Generation. The pattern of fetching relevant context from a vector store or search index before passing to an LLM. We default to hybrid (BM25 + semantic) with reranking.
RPO
Recovery Point Objective. The maximum acceptable data loss measured in time. Our tier-1 default is 15 minutes.
RTO
Recovery Time Objective. The maximum acceptable downtime. Our tier-1 default is 4 hours.

S

SAST
Static Application Security Testing. Code-scanning tools that find security issues without running the code. We use Semgrep with custom rules.
SBOM
Software Bill of Materials. A machine-readable list of all software components (and their versions) in a build, used to answer "are we affected?" when a dependency vulnerability is disclosed. CycloneDX is the format we produce automatically per build; SPDX is the other widely used format.
SCC
Standard Contractual Clauses. The EU-approved contract template for international data transfers. Module 2 (controller to processor) and Module 3 (processor to processor) are the relevant ones for us.
SDLC
Software Development Life Cycle. The end-to-end engineering process. Ours is the eight-phase Plutobee Delivery Framework.
SIG
Standardized Information Gathering. The Shared Assessments-developed vendor security questionnaire. SIG Lite is the common entry-level version we respond to.
SLA
Service Level Agreement. Contractual commitments on availability, response time, resolution time. Ours are documented in the Delivery Framework.
SLO
Service Level Objective. The internal target that drives the SLA (slightly tighter typically). SLOs govern error budgets.
SOC 2
System and Organization Controls 2. The AICPA attestation standard for service providers. Type I reports on control design at a point in time; Type II also covers operating effectiveness over an observation period, typically six to twelve months. Our audit is in progress, report expected Q4 2026.
SOX
Sarbanes-Oxley Act. The US public-company financial reporting regulation. Section 404 requires internal control attestation; SSAE 18 / SOC 1 evidence supports it.
SRE
Site Reliability Engineering. The Google-popularized discipline of treating operations as a software problem. SLI/SLO/error budget framework.
STRIDE
Threat modeling framework: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. We apply it to every new system during the Architecture phase.

T

TCPA
Telephone Consumer Protection Act. The US regulation governing SMS and voice marketing. Consent tiers, quiet hours, opt-out handling.
TLS
Transport Layer Security. The protocol securing internet traffic. We default to TLS 1.3 with strong cipher suites.

V

VPAT
Voluntary Product Accessibility Template. The standard format for declaring WCAG and Section 508 conformance. We produce VPATs as a project artifact for accessibility-bound engagements.

W

WCAG
Web Content Accessibility Guidelines. The W3C standard for web accessibility. 2.1 AA is our baseline; 2.2 AAA where contractually required.

Z

ZAP
OWASP Zed Attack Proxy. Free, open-source DAST tool we use as a baseline in CI before manual Burp work.

Term missing?

Tell us. We add what is asked for.
