Serviceplan Agents is an AI Coworker platform operated by Plan.Net Studios. Security, privacy, and transparency are built into every layer — including an honest account of what's still in progress.
ISO 27001:2022Serviceplan Group certified; platform ISMS aligned
GDPRCompliant
EU AI ActCompliant — transparency tier
Own platform ISO 27001Targeted 2027 — SOC 2 Type II readiness 2026
Infrastructure security
Encryption at rest (AES-256)
Production access restricted to named individuals
Managed Identity authentication (zero passwords)
Data protection
EU data residency for all data at rest
Data retention policies defined per type
Data subject rights procedures operational
Development security
Mandatory code review before every change
Dependency vulnerability scanning in CI/CD
OWASP Top 10 mitigations implemented
AI transparency
AI nature disclosed across all interaction channels
Human-in-the-loop oversight capabilities
Full audit trail of all AI interactions
Organizational security
Incident response plan with severity classification
Onboarding/offboarding security checklists
Quarterly access reviews
Business continuity
Disaster recovery with defined RTO/RPO
Dual data center backup infrastructure
Automated backups; first restore test in progress
Agent accountability
Per-action audit trail with tool calls, delegations, and costs
Authenticated agent identity for all cross-agent communication
Human-in-the-loop approval before sensitive operations
Generative media safeguards
Authorization gate on every image/video/audio generation
Public figures and real, undeletable person photos always blocked
Automatic payload deletion after billing completes
Data processed
Professional email address and display name
Chat messages and queries sent by users
Documents uploaded by users and files generated during tasks
Email content and attachments (when emailing agents)
Files in connected OneDrive folders (when shared by users)
Images, video, and audio generated or uploaded for creative production
AI-generated observations and reflections about contacts
Task and project metadata
Usage and cost records
Session identifiers and interaction timestamps
Infrastructure security
CONTROLSTATUS
Encryption at rest and in transit
TLS 1.2+ for all data in transit. AES-256 encryption for all data at rest. Application-level encryption for sensitive tokens and secrets.
Privileged access rights restricted
Production access limited to named individuals. Role-based access control with Managed Identity authentication — no shared passwords.
Database access restricted
Database access restricted to application services via Managed Identity and named administrators with business need.
Network security and DDoS protection
Web application firewall-capable front door, TLS termination, and DDoS protection for all public endpoints.
Auto-scaling and capacity management
Event-driven auto-scaling with defined resource limits to handle load spikes and prevent resource exhaustion.
Information backup
Automated database backups with 7-day point-in-time restore. Code versioned in Git. Group backup infrastructure with dual data center redundancy. First restore/DR test scheduled.
Cloud security
EU data residency (Germany West Central + West Europe + Sweden Central). Infrastructure as Code for reproducible deployments. Managed Identity for all service authentication.
Organizational security
CONTROLSTATUS
Information security policies
Comprehensive ISMS document suite covering all Annex A control domains. Complements Serviceplan Group ISO 27001 policies.
Security roles and responsibilities
Information Security Officer, Developer, and Operator roles defined with clear security responsibilities and access levels.
Asset inventory
All information assets inventoried with ownership, classification, and handling requirements documented.
Information classification
Four-level classification scheme: Public, Internal, Confidential, and Strictly Confidential. Classification applied to all documents.
Supplier security management
Supplier register with risk classification. Data Processing Agreements with sub-processors processing personal data, with one documented exception addressed by technical controls instead (see Subprocessors tab).
Internal audit procedure defined; independent reviewer being designated. External audit planned to validate ISMS alignment with ISO 27001 requirements. Serviceplan Group holds certification at corporate level.
Product security
CONTROLSTATUS
Secure development lifecycle
Spec-first development with mandatory security review at each stage: specification, code, review, test, and deploy.
Secure coding practices
Mandatory code review for all changes. No hardcoded secrets. Timing-safe comparisons for authentication. OWASP Top 10 mitigations.
Vulnerability management
Dependency vulnerability scanning in CI/CD pipeline. Automated security advisory monitoring. Critical CVEs patched within 24 hours.
Source code access control
Private repository with branch protection on production and staging branches. Secret scanning with push protection enabled.
Environment separation
Separate development, staging, and production environments with isolated resource groups and databases. No production data in non-production environments.
Change management
Git-based workflow with CI/CD enforcement. Pull request requirements for production changes. Automated deployment pipeline.
Generative media authorization gate
Every image/video/audio generation or upload passes an authorization check before execution, enforced at the runtime image level. Public figures and real, undeletable person photos are always blocked; approved requests are purged from the vendor after billing.
Security testing
Dependency audit in CI pipeline. External penetration test commissioned (Q3 2026).
People security
CONTROLSTATUS
Security awareness training
Annual security awareness and phishing training provided by Serviceplan Group. Platform-specific secure development training supplemented internally.
Confidentiality agreements
Non-disclosure agreements in place for all team members via employment contracts. NDA obligations survive termination.
Onboarding and offboarding procedures
Security onboarding checklist for new team members. Offboarding with 24-hour access revocation, device collection, and secret rotation.
Remote working security
Remote working policy enforced. Mobile Device Management with disk encryption, MFA, and automatic patching on all endpoints.
Security event reporting
Clear reporting channels for security events. Escalation procedures defined by severity level.
Endpoint device management
Company-managed devices with MDM enrollment, full disk encryption, screen lock enforcement, and remote wipe capability.
Data and privacy
CONTROLSTATUS
GDPR compliance framework
Data protection framework with Data Protection Officer, record of processing activities (Art. 30), and data subject rights procedures fully operational.
Data subject rights
Access, rectification, erasure, restriction, portability, and objection rights under GDPR Articles 15–21 fully supported with 30-day response commitment.
Data transfer safeguards
Data Processing Agreements with Standard Contractual Clauses for all international transfers, with one documented exception (see Subprocessors tab). EU data residency for all data at rest.
Data retention schedule
Retention periods defined per data type. Automated enforcement of retention policies in progress.
Data leakage prevention
Secret scanning with push protection. Code review. No secrets in application logs. Runtime data loss prevention policy engine planned.
AI transparency (EU AI Act)
AI nature disclosed across all interaction channels. Human-in-the-loop oversight. Full audit trail. EU AI Act prohibited practices explicitly banned in acceptable use policy.
Incident management
CONTROLSTATUS
Incident response plan
Structured incident response plan with severity classification (P1–P4), detection mechanisms, and defined response procedures.
Incident triage and escalation
Triage procedure with severity classification. Escalation matrix defined. Critical incidents acknowledged within 1 hour.
Breach notification
GDPR-relevant breaches reported to supervisory authority within 72 hours. Communication plan for affected data subjects.
Post-incident learning
Post-incident review process. Corrective action tracking. Lessons learned fed back into security controls.
Audit logging
All interactions and access events logged with timestamps. Application telemetry and centralized log analytics.
Business continuity
Business continuity plan with defined RTO/RPO per service. Disaster recovery procedures documented. First restore/DR test scheduled.
Showing 41 controls across 6 categories. Based on ISO 27001:2022 Annex A.
Implemented
In progress
Some documents are available upon request. Contact security@serviceplan-agents.com and we will share them under NDA where applicable.
The following third-party providers process data as part of the Serviceplan Agents platform.
All non-EU transfers are covered by Data Processing Agreements with Standard Contractual Clauses (SCCs),
with one documented exception noted below.
Subprocessor
Role
Region
Microsoft Azure
Cloud infrastructure & hosting
EU
Anthropic
Primary AI model provider (Claude)
US*
Mistral AI
Secondary AI model provider — chat routing, internal task execution, quality checks, and audio transcription
EU
GitHub
Source control & CI/CD
US*
AgentMail
Email delivery
EU
Voyage AI
Text embeddings
US*
Sokosumi
Agent orchestration
EU
Microsoft OneDrive
User file sharing (SharePoint)
EU
Meta (WhatsApp)
Messaging
US*
fal.ai
Image, video & audio generation (creative production) — no DPA in place
US*
* DPA with Standard Contractual Clauses (SCCs) in place for all US-based providers except fal.ai (below).
Data at rest remains in the EU. US transfers involve only API-level processing.
fal.ai is the one sub-processor without a signed Data Processing Agreement.
It powers image, video, and audio generation for creative production tasks. In place of a
contractual DPA, every generation or upload request passes an authorization check before it
runs — enforced at the runtime level, not just in the prompt — and public figures or
undeletable real-person photos are always refused. Approved request payloads and outputs are
automatically deleted from fal.ai once billing is finalized. We are pursuing a formal DPA and
disclose this openly rather than implying coverage we don't have.
The platform runs on Microsoft Azure in EU regions. All data at rest — including databases, file storage, and backups — stays within the European Union. Model inference runs in an EU region (Azure Sweden) or with Mistral AI (France); a small number of research/tool sub-processors operate outside the EU and are covered by Standard Contractual Clauses (SCC), with one documented exception (fal.ai — see Subprocessors tab). A consolidated sub-processor list with transfer bases is available on request.
No. We use Claude and Mistral exclusively via API — no fine-tuning, no persistent model memory, and no custom training on your data. Per each provider's API terms, prompts and responses are not used for model training. Data may be retained by a provider for a limited period for safety monitoring only.
We maintain Data Processing Agreements with our suppliers (with one documented exception, see Subprocessors tab), enforce EU data residency, maintain a record of processing activities (Art. 30), have operational data subject rights procedures, and have appointed a Data Protection Officer. Our Data Protection Officer, Dr. Georg Schroder, can be reached at datenschutz@legaldata.law.
Yes. The platform is classified as limited risk under the transparency tier. AI disclosure is provided in all interaction channels. Full applicability takes effect in August 2026, and we are aligned with the requirements ahead of schedule. Our acceptable use policy explicitly prohibits EU AI Act banned practices including manipulative techniques, social scoring, and unauthorized biometric identification.
We maintain a structured incident response plan with severity classification. Critical incidents are acknowledged within 1 hour. GDPR-relevant breaches are reported to the supervisory authority within 72 hours as required.
Access is limited to named individuals only. Services authenticate via Managed Identity — no shared passwords or API keys stored in code. Access rights are reviewed quarterly, and no shared accounts are permitted.
All data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted with AES-256. Sensitive tokens and secrets are further protected with application-level encryption.
Serviceplan Group holds ISO 27001:2022 certification at the corporate level, audited by TUV SUD. Serviceplan Agents maintains its own Information Security Management System (ISMS) that is fully aligned with ISO 27001:2022 and complements the group-level framework. Independent platform-level certification is targeted for 2027, alongside a SOC 2 Type II examination.
Yes. Data subject rights under Articles 15–21 of GDPR are fully supported, including access, rectification, erasure, and data portability. Upon account termination, data is deleted and deletion is confirmed in writing. Contact security@serviceplan-agents.com to submit a request.
Yes, and we disclose this openly: generative media runs through fal.ai, our one sub-processor without a signed DPA. We compensate with technical controls rather than contract — every request is checked for authorization before it runs (enforced at the runtime level, so it cannot be bypassed by prompt alone), public figures and real, undeletable person photos are always refused, and approved outputs are automatically deleted from the vendor once billing is finalized. See the Subprocessors tab for the full disclosure.