serviceplanagents
Security & transparency

Trust Center

Serviceplan Agents is an AI Coworker platform operated by Plan.Net Studios. Security, privacy, and transparency are built into every layer — including an honest account of what's still in progress.

security@serviceplan-agents.com · Privacy Policy
ISO 27001:2022Serviceplan Group certified; platform ISMS aligned
GDPRCompliant
EU AI ActCompliant — transparency tier
Own platform ISO 27001Targeted 2027 — SOC 2 Type II readiness 2026
Infrastructure security
  • Encryption at rest (AES-256)
  • Production access restricted to named individuals
  • Managed Identity authentication (zero passwords)
Data protection
  • EU data residency for all data at rest
  • Data retention policies defined per type
  • Data subject rights procedures operational
Development security
  • Mandatory code review before every change
  • Dependency vulnerability scanning in CI/CD
  • OWASP Top 10 mitigations implemented
AI transparency
  • AI nature disclosed across all interaction channels
  • Human-in-the-loop oversight capabilities
  • Full audit trail of all AI interactions
Organizational security
  • Incident response plan with severity classification
  • Onboarding/offboarding security checklists
  • Quarterly access reviews
Business continuity
  • Disaster recovery with defined RTO/RPO
  • Dual data center backup infrastructure
  • Automated backups; first restore test in progress
Agent accountability
  • Per-action audit trail with tool calls, delegations, and costs
  • Authenticated agent identity for all cross-agent communication
  • Human-in-the-loop approval before sensitive operations
Generative media safeguards
  • Authorization gate on every image/video/audio generation
  • Public figures and real, undeletable person photos always blocked
  • Automatic payload deletion after billing completes

Data processed

Infrastructure security

CONTROL STATUS
Encryption at rest and in transit
TLS 1.2+ for all data in transit. AES-256 encryption for all data at rest. Application-level encryption for sensitive tokens and secrets.
Privileged access rights restricted
Production access limited to named individuals. Role-based access control with Managed Identity authentication — no shared passwords.
Database access restricted
Database access restricted to application services via Managed Identity and named administrators with business need.
Network security and DDoS protection
Web application firewall-capable front door, TLS termination, and DDoS protection for all public endpoints.
Auto-scaling and capacity management
Event-driven auto-scaling with defined resource limits to handle load spikes and prevent resource exhaustion.
Information backup
Automated database backups with 7-day point-in-time restore. Code versioned in Git. Group backup infrastructure with dual data center redundancy. First restore/DR test scheduled.
Cloud security
EU data residency (Germany West Central + West Europe + Sweden Central). Infrastructure as Code for reproducible deployments. Managed Identity for all service authentication.

Organizational security

CONTROL STATUS
Information security policies
Comprehensive ISMS document suite covering all Annex A control domains. Complements Serviceplan Group ISO 27001 policies.
Security roles and responsibilities
Information Security Officer, Developer, and Operator roles defined with clear security responsibilities and access levels.
Asset inventory
All information assets inventoried with ownership, classification, and handling requirements documented.
Information classification
Four-level classification scheme: Public, Internal, Confidential, and Strictly Confidential. Classification applied to all documents.
Supplier security management
Supplier register with risk classification. Data Processing Agreements with sub-processors processing personal data, with one documented exception addressed by technical controls instead (see Subprocessors tab).
Contact with authorities
Supervisory authority (BayLDA) identified. Data Protection Officer appointed. Breach notification procedure operational.
Independent security review
Internal audit procedure defined; independent reviewer being designated. External audit planned to validate ISMS alignment with ISO 27001 requirements. Serviceplan Group holds certification at corporate level.

Product security

CONTROL STATUS
Secure development lifecycle
Spec-first development with mandatory security review at each stage: specification, code, review, test, and deploy.
Secure coding practices
Mandatory code review for all changes. No hardcoded secrets. Timing-safe comparisons for authentication. OWASP Top 10 mitigations.
Vulnerability management
Dependency vulnerability scanning in CI/CD pipeline. Automated security advisory monitoring. Critical CVEs patched within 24 hours.
Source code access control
Private repository with branch protection on production and staging branches. Secret scanning with push protection enabled.
Environment separation
Separate development, staging, and production environments with isolated resource groups and databases. No production data in non-production environments.
Change management
Git-based workflow with CI/CD enforcement. Pull request requirements for production changes. Automated deployment pipeline.
Generative media authorization gate
Every image/video/audio generation or upload passes an authorization check before execution, enforced at the runtime image level. Public figures and real, undeletable person photos are always blocked; approved requests are purged from the vendor after billing.
Security testing
Dependency audit in CI pipeline. External penetration test commissioned (Q3 2026).

People security

CONTROL STATUS
Security awareness training
Annual security awareness and phishing training provided by Serviceplan Group. Platform-specific secure development training supplemented internally.
Confidentiality agreements
Non-disclosure agreements in place for all team members via employment contracts. NDA obligations survive termination.
Onboarding and offboarding procedures
Security onboarding checklist for new team members. Offboarding with 24-hour access revocation, device collection, and secret rotation.
Remote working security
Remote working policy enforced. Mobile Device Management with disk encryption, MFA, and automatic patching on all endpoints.
Security event reporting
Clear reporting channels for security events. Escalation procedures defined by severity level.
Endpoint device management
Company-managed devices with MDM enrollment, full disk encryption, screen lock enforcement, and remote wipe capability.

Data and privacy

CONTROL STATUS
GDPR compliance framework
Data protection framework with Data Protection Officer, record of processing activities (Art. 30), and data subject rights procedures fully operational.
Data subject rights
Access, rectification, erasure, restriction, portability, and objection rights under GDPR Articles 15–21 fully supported with 30-day response commitment.
Data transfer safeguards
Data Processing Agreements with Standard Contractual Clauses for all international transfers, with one documented exception (see Subprocessors tab). EU data residency for all data at rest.
Data retention schedule
Retention periods defined per data type. Automated enforcement of retention policies in progress.
Data leakage prevention
Secret scanning with push protection. Code review. No secrets in application logs. Runtime data loss prevention policy engine planned.
AI transparency (EU AI Act)
AI nature disclosed across all interaction channels. Human-in-the-loop oversight. Full audit trail. EU AI Act prohibited practices explicitly banned in acceptable use policy.

Incident management

CONTROL STATUS
Incident response plan
Structured incident response plan with severity classification (P1–P4), detection mechanisms, and defined response procedures.
Incident triage and escalation
Triage procedure with severity classification. Escalation matrix defined. Critical incidents acknowledged within 1 hour.
Breach notification
GDPR-relevant breaches reported to supervisory authority within 72 hours. Communication plan for affected data subjects.
Post-incident learning
Post-incident review process. Corrective action tracking. Lessons learned fed back into security controls.
Audit logging
All interactions and access events logged with timestamps. Application telemetry and centralized log analytics.
Business continuity
Business continuity plan with defined RTO/RPO per service. Disaster recovery procedures documented. First restore/DR test scheduled.

Showing 41 controls across 6 categories. Based on ISO 27001:2022 Annex A. Implemented In progress

Data Processing Agreement (DPA / AVV)
Standard contractual template for data processing
Data Flow Overview
Simplified diagram of how data moves through the platform
ISO 27001 Certificate
Serviceplan Group certification (TUV SUD) — valid until November 2026
Security Overview
High-level overview of our security program
Penetration Test Summary
External test commissioned, scheduled Q3 2026 — executive summary available under NDA on completion
Q3 2026
Privacy Policy
Sokosumi platform privacy policy
Terms of Service
Sokosumi platform terms of service
Acceptable Use Policy
Sokosumi platform acceptable use policy

Some documents are available upon request. Contact security@serviceplan-agents.com and we will share them under NDA where applicable.

The following third-party providers process data as part of the Serviceplan Agents platform. All non-EU transfers are covered by Data Processing Agreements with Standard Contractual Clauses (SCCs), with one documented exception noted below.

Subprocessor Role Region
Microsoft Azure Cloud infrastructure & hosting EU
Anthropic Primary AI model provider (Claude) US*
Mistral AI Secondary AI model provider — chat routing, internal task execution, quality checks, and audio transcription EU
GitHub Source control & CI/CD US*
AgentMail Email delivery EU
Voyage AI Text embeddings US*
Sokosumi Agent orchestration EU
Microsoft OneDrive User file sharing (SharePoint) EU
Meta (WhatsApp) Messaging US*
fal.ai Image, video & audio generation (creative production) — no DPA in place US*

* DPA with Standard Contractual Clauses (SCCs) in place for all US-based providers except fal.ai (below). Data at rest remains in the EU. US transfers involve only API-level processing.

fal.ai is the one sub-processor without a signed Data Processing Agreement. It powers image, video, and audio generation for creative production tasks. In place of a contractual DPA, every generation or upload request passes an authorization check before it runs — enforced at the runtime level, not just in the prompt — and public figures or undeletable real-person photos are always refused. Approved request payloads and outputs are automatically deleted from fal.ai once billing is finalized. We are pursuing a formal DPA and disclose this openly rather than implying coverage we don't have.

The platform runs on Microsoft Azure in EU regions. All data at rest — including databases, file storage, and backups — stays within the European Union. Model inference runs in an EU region (Azure Sweden) or with Mistral AI (France); a small number of research/tool sub-processors operate outside the EU and are covered by Standard Contractual Clauses (SCC), with one documented exception (fal.ai — see Subprocessors tab). A consolidated sub-processor list with transfer bases is available on request.
No. We use Claude and Mistral exclusively via API — no fine-tuning, no persistent model memory, and no custom training on your data. Per each provider's API terms, prompts and responses are not used for model training. Data may be retained by a provider for a limited period for safety monitoring only.
We maintain Data Processing Agreements with our suppliers (with one documented exception, see Subprocessors tab), enforce EU data residency, maintain a record of processing activities (Art. 30), have operational data subject rights procedures, and have appointed a Data Protection Officer. Our Data Protection Officer, Dr. Georg Schroder, can be reached at datenschutz@legaldata.law.
Yes. The platform is classified as limited risk under the transparency tier. AI disclosure is provided in all interaction channels. Full applicability takes effect in August 2026, and we are aligned with the requirements ahead of schedule. Our acceptable use policy explicitly prohibits EU AI Act banned practices including manipulative techniques, social scoring, and unauthorized biometric identification.
We maintain a structured incident response plan with severity classification. Critical incidents are acknowledged within 1 hour. GDPR-relevant breaches are reported to the supervisory authority within 72 hours as required.
Access is limited to named individuals only. Services authenticate via Managed Identity — no shared passwords or API keys stored in code. Access rights are reviewed quarterly, and no shared accounts are permitted.
All data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted with AES-256. Sensitive tokens and secrets are further protected with application-level encryption.
Serviceplan Group holds ISO 27001:2022 certification at the corporate level, audited by TUV SUD. Serviceplan Agents maintains its own Information Security Management System (ISMS) that is fully aligned with ISO 27001:2022 and complements the group-level framework. Independent platform-level certification is targeted for 2027, alongside a SOC 2 Type II examination.
Yes. Data subject rights under Articles 15–21 of GDPR are fully supported, including access, rectification, erasure, and data portability. Upon account termination, data is deleted and deletion is confirmed in writing. Contact security@serviceplan-agents.com to submit a request.
Yes, and we disclose this openly: generative media runs through fal.ai, our one sub-processor without a signed DPA. We compensate with technical controls rather than contract — every request is checked for authorization before it runs (enforced at the runtime level, so it cannot be bypassed by prompt alone), public figures and real, undeletable person photos are always refused, and approved outputs are automatically deleted from the vendor once billing is finalized. See the Subprocessors tab for the full disclosure.