Security & Compliance

How PlanoHero protects your retail data, your stores, and your team

PlanoHero is a cloud planogram platform trusted by regional chains and international retailers to automate their merchandising operations.

Enterprise-grade security and data governance are built into every layer of the platform. This page covers PlanoHero's hosting stack, certifications, data controls, access management, privacy compliance, and incident processes - written for IT and security teams, procurement reviewers, and enterprise buyers conducting due diligence.
Security Principles

Enterprise-grade security

  • Defense in depth: multiple, independent layers of protection across infrastructure, network, application, and operations — so a single weakness never leads to a compromise.
  • Least privilege: every person, service, and key has the minimum access required for its job, and that access is reviewed regularly.
  • Encryption by default: all customer data is encrypted at rest and in transit. Keys are managed and rotated through audited processes.
  • Trusted partners: PlanoHero builds on infrastructure providers that meet international security and privacy standards, including ISO/IEC 27001 and SOC 2.
  • Privacy by design: only the data needed is collected, hosted in the EU, and treated as confidential by contract and by engineering practice.
  • Continuous improvement: security is treated as an ongoing process; architecture is reviewed regularly, vulnerability scans run continuously, and findings feed back into the roadmap.

Infrastructure Security

Built on certified infrastructure

PlanoHero runs in the European Union on Hetzner Online GmbH infrastructure, fronted by Cloudflare for edge security, DDoS mitigation, and global delivery — both independently certified providers with transparent assurance reports.

Hosting and physical security (Hetzner)

  • Customer data is stored in Hetzner data centers in the EU (Germany / Finland), certified to ISO/IEC 27001.
  • Physical controls include 24/7 on-site staff, video surveillance, multi-factor and biometric access in sensitive zones, and N+1 redundant power, cooling, and network.
  • Hetzner is a German company subject to GDPR and the BDSG; PlanoHero signs a Data Processing Agreement with Hetzner including the EU Standard Contractual Clauses.

Edge, network, and DDoS protection (Cloudflare)

  • All traffic routes through Cloudflare, which terminates TLS at the edge, filters malicious traffic, and absorbs volumetric DDoS attacks.
  • Cloudflare is certified to ISO/IEC 27001, ISO/IEC 27018, SOC 2 Type II, and PCI DSS, and is a signatory to the EU Cloud Code of Conduct.
  • A managed WAF blocks OWASP Top 10 patterns, known exploit signatures, and suspicious bot traffic.
  • HttpOnly and Secure cookie attributes, HSTS, Content-Security-Policy, and other modern security headers are enforced.
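The edge controls listed above can be verified from the outside by inspecting a response. The following is an added example, not PlanoHero code: it audits a response (given as a plain dict of headers) for HSTS with a sufficient max-age, Content-Security-Policy, and the HttpOnly, Secure and SameSite cookie attributes. The required-header set, the one-year HSTS floor, and the two sample responses are constructed for this example.

```python
"""Audit an HTTP response for the edge controls listed above.

Added example, not PlanoHero code. The required-header set, the one-year
HSTS minimum and the sample responses below are constructed assumptions.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # commonly required HSTS max-age floor, in seconds

# Header -> finding text when the header is absent (assumed baseline set).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may still use plaintext HTTP",
    "content-security-policy": "CSP missing: no browser-side script-source restriction",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}


def audit_response(headers: dict[str, str | list[str]]) -> list[str]:
    """Return findings for one response; an empty list means every check passed."""
    findings: list[str] = []
    # Header names are case-insensitive, so normalise once.
    lower = {name.lower(): value for name, value in headers.items()}

    for name, message in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(message)

    hsts = lower.get("strict-transport-security")
    if isinstance(hsts, str):
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age below one year: {hsts!r}")

    # A response may carry several Set-Cookie headers; accept str or list.
    raw_cookies = lower.get("set-cookie", [])
    if isinstance(raw_cookies, str):
        raw_cookies = [raw_cookies]
    for raw in raw_cookies:
        findings.extend(_audit_cookie(raw))
    return findings


def _hsts_max_age(value: str) -> int | None:
    """Extract max-age from an HSTS header value, or None if it is missing."""
    for directive in value.split(";"):
        key, _, number = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None


def _audit_cookie(raw: str) -> list[str]:
    """Check one Set-Cookie value for the attributes the page requires."""
    findings: list[str] = []
    jar = SimpleCookie()
    jar.load(raw)
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"cookie {name!r} lacks HttpOnly: readable from page scripts")
        if not morsel["secure"]:
            findings.append(f"cookie {name!r} lacks Secure: may be sent over plaintext HTTP")
        if not morsel["samesite"]:
            findings.append(f"cookie {name!r} lacks SameSite: attached to cross-site requests")
    return findings


# Constructed sample responses (not captured from any real service).
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
}
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": "session=abc123; Path=/",
}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_response(response) or "no findings")
```

Run against the weak sample it reports seven findings (three missing headers, a short HSTS max-age, and three missing cookie attributes); against the hardened sample it reports none. The same function can be fed the headers of a live response captured with any HTTP client.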

Network architecture

  • Production, staging, and development environments are logically isolated. Customer data exists only in production.
  • Internal services communicate over private networks; public endpoints are limited to the application and API gateways behind Cloudflare.
  • Administrative access to infrastructure requires MFA, is restricted to a named set of engineers, and is fully logged.
Data Protection

Encryption, isolation, and retention

Encryption

  • All customer data (databases, object storage, backups) is encrypted at rest using AES-256.
  • All connections use TLS 1.2 or higher; TLS 1.0 and 1.1 are disabled. HSTS is enforced.
  • Encryption keys are managed separately from the data they protect and rotated on a defined schedule.

Data segregation

  • PlanoHero provisions a dedicated, isolated database for every customer. Customer data is never co-mingled with other customers' data in a shared database.
  • Object storage (planogram files, store photos, exports) is segregated per tenant with separate access policies. Cross-tenant access is denied by default.
  • Per-customer isolation simplifies backup, restore, export, and deletion: data for an individual customer can be managed without touching anyone else's data.
  • Tenant isolation is validated by automated tests as part of every release.

Integration data (via Connector)

PlanoHero ingests product and inventory data from your POS or ERP through the PlanoHero Connector. The Connector accepts data in SQL, CSV, or JSON, so you can integrate from almost any back-office system without exposing it to the public internet.

  • What is ingested: product master data (SKUs, attributes, dimensions, hierarchy) and inventory / sales signals from your POS or ERP. Payment-card data and end-customer personal data are not ingested.
  • Supported formats: SQL (direct read from a customer-managed database or replica), CSV file drops, and JSON over HTTPS / REST.
  • Transport security: all integration traffic is encrypted in transit. JSON / REST flows go over TLS 1.2+; SQL connections use TLS where supported by the source database; CSV transfers go over SFTP or HTTPS. Plaintext FTP and unencrypted SMB are not supported.
  • Authentication: the Connector uses dedicated, per-customer credentials — API keys, OAuth client credentials, or read-only database accounts — with the minimum permissions required. Credentials are stored in a secrets manager and rotated on request or on personnel change.
  • Network options: where customers prefer not to expose internal systems, the Connector can run inside the customer's network as an outbound-only agent that pushes data to PlanoHero, removing the need for inbound firewall rules.
  • Validation and integrity: incoming data is schema-validated, type-checked, and size-limited. Malformed batches are rejected with a clear error and never partially applied; every ingest is logged with timestamps, source, record counts, and outcome.
  • Storage: integrated data lands in the customer's dedicated, isolated tenant database and inherits the same encryption-at-rest, backup, and access-control protections as all other customer data.
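The validation rules above (schema and type checks, a size limit, whole-batch rejection, logged counts and outcome) are what make an ingest safe to automate. The following is an added example and not PlanoHero's Connector code: it applies those rules to a JSON batch of product master data and touches the tenant store only after every record has passed. The schema, the limits, the log fields and the two sample batches are assumptions for this example.

```python
"""All-or-nothing validation of a Connector-style JSON product batch.

Added example, not PlanoHero's Connector code. The schema, limits, logging
fields and sample batches are assumptions for this example.
"""
from __future__ import annotations

import json
import logging
from dataclasses import dataclass, field

log = logging.getLogger("connector.ingest")

# Assumed product-master schema: field name -> required Python type.
SCHEMA = {
    "sku": str, "name": str, "category": str,
    "width_mm": int, "height_mm": int, "depth_mm": int,
}
MAX_RECORDS = 10_000          # assumed per-batch record limit
MAX_BYTES = 5 * 1024 * 1024   # assumed per-batch payload limit
MAX_DIMENSION_MM = 5_000      # assumed sanity bound on product dimensions


@dataclass
class IngestResult:
    accepted: bool
    record_count: int
    errors: list[str] = field(default_factory=list)


def validate_record(index: int, rec: object) -> list[str]:
    """Return every problem with one record; an empty list means it is well-formed."""
    if not isinstance(rec, dict):
        return [f"record {index}: not a JSON object"]
    problems: list[str] = []
    missing = sorted(SCHEMA.keys() - rec.keys())
    if missing:
        problems.append(f"record {index}: missing fields {missing}")
    extra = sorted(rec.keys() - SCHEMA.keys())
    if extra:
        problems.append(f"record {index}: unexpected fields {extra}")
    for name, expected in SCHEMA.items():
        # type() rather than isinstance(): bool is a subclass of int and must not pass.
        if name in rec and type(rec[name]) is not expected:
            problems.append(f"record {index}: {name} must be {expected.__name__}")
    for dim in ("width_mm", "height_mm", "depth_mm"):
        value = rec.get(dim)
        if type(value) is int and not 0 < value <= MAX_DIMENSION_MM:
            problems.append(f"record {index}: {dim} out of range")
    return problems


def ingest_batch(raw: bytes, source: str, store: dict[str, dict]) -> IngestResult:
    """Validate one batch and apply it to `store` only if every record passes."""
    errors: list[str] = []
    records: list = []

    if len(raw) > MAX_BYTES:
        errors.append(f"batch is {len(raw)} bytes, limit is {MAX_BYTES}")
    else:
        try:
            records = json.loads(raw)
        except ValueError as exc:
            errors.append(f"invalid JSON: {exc}")
    if not errors and not isinstance(records, list):
        errors.append("batch must be a JSON array of records")
        records = []
    if not errors and len(records) > MAX_RECORDS:
        errors.append(f"batch has {len(records)} records, limit is {MAX_RECORDS}")
    if not errors:
        for index, rec in enumerate(records):
            errors.extend(validate_record(index, rec))
        skus = [r["sku"] for r in records if isinstance(r, dict) and type(r.get("sku")) is str]
        if len(skus) != len(set(skus)):
            errors.append("duplicate SKUs within batch")

    result = IngestResult(accepted=not errors, record_count=len(records), errors=errors)
    if result.accepted:
        # Nothing touched `store` until here, so a rejected batch is never partially applied.
        # A production implementation would do this inside one database transaction.
        store.update({rec["sku"]: rec for rec in records})
    log.info("ingest source=%s records=%d outcome=%s errors=%d",
             source, result.record_count, "accepted" if result.accepted else "rejected", len(errors))
    return result


# Constructed sample batches (not real customer data).
GOOD_BATCH = json.dumps([
    {"sku": "A-100", "name": "Cereal 500g", "category": "Breakfast",
     "width_mm": 180, "height_mm": 260, "depth_mm": 60},
    {"sku": "A-101", "name": "Oats 1kg", "category": "Breakfast",
     "width_mm": 200, "height_mm": 300, "depth_mm": 80},
]).encode()
BAD_BATCH = json.dumps([
    {"sku": "A-100", "name": "Cereal 500g", "category": "Breakfast",
     "width_mm": 180, "height_mm": 260, "depth_mm": 60},
    # second record: width is a string and category is missing
    {"sku": "A-102", "name": "Granola", "width_mm": "180", "height_mm": 260, "depth_mm": 60},
]).encode()

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    shelf: dict[str, dict] = {}
    print(ingest_batch(GOOD_BATCH, "constructed-erp", shelf))
    print(ingest_batch(BAD_BATCH, "constructed-erp", shelf), len(shelf))
```

The bad batch has one valid and one malformed record; the result reports both problems with the record index, and the store is left exactly as it was, which is the "never partially applied" property the page describes.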

Data retention and deletion

  • Customer data is retained for the duration of the subscription.
  • On termination, data is deleted from production within a defined window and removed from backups on the regular rotation schedule.
  • Customers can request export of their data in standard formats at any time.
Application Security

Secure development and vulnerability management

Secure development lifecycle

  • All code changes go through pull-request review by at least one engineer other than the author.
  • Static analysis and linting run automatically on every change; security-relevant findings block merges until resolved.
  • Dependencies are scanned continuously for known vulnerabilities (CVEs); high-severity issues are patched on a priority schedule.
  • Secrets are never committed to source control. Production deployments go through an automated CI/CD pipeline with required tests and immutable artifacts.

Vulnerability management

  • Automated vulnerability scans run against infrastructure and application surfaces on a regular schedule.
  • Findings are remediated according to a documented severity-based SLA, with critical issues prioritized immediately.
  • Periodic independent penetration testing is performed; findings feed back into the engineering backlog.

Common web application defenses

  • Input validation, output encoding, and parameterized queries protect against injection attacks (SQL injection, XSS, etc.).
  • CSRF protections, secure session cookies, and origin checks are enforced for state-changing requests.
  • File uploads are validated, scanned, and stored in isolated object storage with restricted permissions.
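To make the injection defenses above concrete, here is an added example (not PlanoHero code) that places a query built by string formatting beside its parameterized form, plus an output-encoding helper for HTML. The planogram table, its rows and the tenant names are constructed; nothing here describes PlanoHero's actual data layer.

```python
"""Parameterized queries and output encoding, beside the defect they prevent.

Added example, not PlanoHero code. The table and rows are constructed.
`find_planograms_unsafe` keeps the defect on purpose so the difference is visible.
"""
from __future__ import annotations

import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed per-tenant planogram table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE planogram (id INTEGER PRIMARY KEY, tenant TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO planogram (tenant, name) VALUES (?, ?)",
        [("acme", "Endcap Q3"), ("acme", "Cereal aisle"), ("globex", "Beverage wall")],
    )
    conn.commit()
    return conn


def find_planograms_unsafe(conn: sqlite3.Connection, tenant: str, name: str) -> list[tuple]:
    """DEFECTIVE: input becomes part of the SQL text, so a quote in it rewrites the WHERE clause."""
    sql = f"SELECT tenant, name FROM planogram WHERE tenant = '{tenant}' AND name = '{name}'"
    return conn.execute(sql).fetchall()


def find_planograms(conn: sqlite3.Connection, tenant: str, name: str) -> list[tuple]:
    """Hardened: placeholders keep the values out of the statement; they are only ever data."""
    sql = "SELECT tenant, name FROM planogram WHERE tenant = ? AND name = ?"
    return conn.execute(sql, (tenant, name)).fetchall()


def render_label(name: str) -> str:
    """Output encoding: escape before interpolating into HTML so markup in data stays inert."""
    return f'<span class="label">{html.escape(name)}</span>'


if __name__ == "__main__":
    db = make_db()
    # A name containing a quote character: ordinary data that the naive query mishandles.
    probe = "x' OR '1'='1"
    print("unsafe:", find_planograms_unsafe(db, "acme", probe))  # every tenant's rows (3)
    print("safe:  ", find_planograms(db, "acme", probe))         # [] : no planogram has that name
    print(render_label("<b>Endcap</b>"))
```

The unsafe lookup returns rows belonging to the other tenant because the quote in the input changed the query's logic; the parameterized lookup returns nothing, because no planogram has that literal name. That tenant-boundary failure is exactly what parameterized queries, together with the per-customer database isolation described earlier, are meant to rule out.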
Identity and Access Control

Fine-grained access for customers and teams

Customer-facing controls

  • Strong password policy with bcrypt-style hashing; passwords are never stored in plaintext.
  • Multi-factor authentication (MFA) is available for all customer accounts.
  • Role-based access control (RBAC): HQ admins, regional managers, store users, and viewers each have distinct permissions.
  • SSO via OAuth / OpenID Connect is supported on enterprise plans (Google Workspace, Microsoft Entra ID, and others).
  • Session timeouts, device-aware sign-in, and account lockout protections defend against credential stuffing.
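The password-storage and lockout controls above combine into one sign-in flow. The following is an added example, not PlanoHero's authentication code. The page says bcrypt-style hashing; the Python standard library has no bcrypt, so this uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in with the same shape (per-user random salt, tunable work factor). The iteration count follows the OWASP Password Storage Cheat Sheet; the lockout threshold and window, the in-memory user table and the `attempt_login` flow are assumptions for this example.

```python
"""Salted password hashing, constant-time verification and a lockout counter.

Added example, not PlanoHero's authentication code. PBKDF2-HMAC-SHA256 is used
here as a stdlib stand-in for bcrypt; the lockout parameters and the user table
are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # OWASP's recommended minimum for PBKDF2-HMAC-SHA256
HASH_PREFIX = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing hash string: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)  # fresh per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{HASH_PREFIX}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != HASH_PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LockoutTracker:
    """Locks an account after `max_failures` failed sign-ins within `window_seconds`."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: dict[str, list[float]] = {}

    def _recent(self, username: str, now: float) -> list[float]:
        # Drop failures older than the window; keep the list object so appends persist.
        kept = [t for t in self._failures.get(username, []) if t > now - self.window]
        self._failures[username] = kept
        return kept

    def is_locked(self, username: str, now: float) -> bool:
        return len(self._recent(username, now)) >= self.max_failures

    def record_failure(self, username: str, now: float) -> None:
        self._recent(username, now).append(now)

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


# Hash of a throwaway value, so unknown usernames cost the same time as known ones.
_DUMMY_HASH = hash_password("not-a-real-password")


def attempt_login(users: dict[str, str], tracker: LockoutTracker,
                  username: str, password: str, now: float | None = None) -> str:
    """Return "ok", "denied" or "locked"; the last two give no hint about which part failed."""
    now = time.time() if now is None else now
    if tracker.is_locked(username, now):
        return "locked"  # checked first: a correct password does not unlock the account
    stored = users.get(username)
    # Always run exactly one verification so response time does not reveal whether the user exists.
    matched = verify_password(password, stored if stored is not None else _DUMMY_HASH)
    if stored is not None and matched:
        tracker.record_success(username)
        return "ok"
    tracker.record_failure(username, now)
    return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery")}  # constructed account
    tracker = LockoutTracker(max_failures=3, window_seconds=60)
    for pw in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(attempt_login(users, tracker, "alice", pw))
```

Three failures inside the window lock the account, after which even the correct password is refused until the window has passed; an unknown username takes the same code path and the same time as a wrong password. Session timeouts and device-aware sign-in sit on top of this flow and are not modelled here.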

Internal access to customer data

  • Access to production systems is restricted to a named group of engineers, requires SSO and MFA, and is least-privilege by default. All privileged actions are logged.
  • Access reviews are performed periodically and on every personnel change. Offboarding revokes access immediately.
  • Customer data is never copied to local laptops, personal accounts, or unmanaged environments.
Reliability & DR

Reliability, backups, and disaster recovery

Daily backups

Production databases are backed up daily with point-in-time recovery available for the most recent window. Backups are encrypted and stored in a separate failure domain.

Restore drills

Backups are tested through restore drills. Object storage (planogram exports, photos) is replicated for durability.

DR plan

A documented disaster recovery plan defines Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets, reviewed and exercised periodically.

24/7 monitoring

Service availability and performance are monitored 24/7 with on-call coverage and automated alerting.

SLA

Contractual SLAs with uptime credits are available on enterprise plans.

Privacy & Global Compliance

GDPR, CCPA/CPRA, and EU hosting

PlanoHero processes very limited personal data - primarily business contact details of users who log into the platform (name, work email, role) and operational data tied to in-store execution. PlanoHero acts as a data processor on behalf of customers.

Where data lives

  • Customer data is hosted in the European Union by default, on Hetzner infrastructure in Germany / Finland.
  • Data does not leave the EU/EEA without an appropriate transfer mechanism (EU Standard Contractual Clauses) in place.
  • US-region hosting can be discussed for enterprise customers with strict data-residency requirements.

GDPR (EU and UK)

PlanoHero operates as a GDPR-compliant data processor with EU hosting, signed Data Processing Agreements, and Standard Contractual Clauses for any onward transfers. Data subject rights - including access, rectification, erasure, restriction, portability, and objection - are supported on request through your PlanoHero account or by writing to [email protected].

US privacy laws (CCPA / CPRA and state laws)

PlanoHero is compliant with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA/CPRA"). When processing personal information about California residents on behalf of customers, PlanoHero acts as a "service provider" as defined in the CCPA/CPRA.

  • No sale, no sharing: PlanoHero does not sell personal information, and does not "share" it for cross-context behavioral advertising as defined under the CCPA/CPRA.
  • Use limitation: customer personal information is used only to provide the contracted services — never for marketing, profiling, or training of unrelated AI models.
  • Consumer rights support: PlanoHero helps customers respond to verifiable consumer requests under the CCPA/CPRA — the right to know, delete, correct, and limit use and disclosure of sensitive personal information.
  • Contractual safeguards: customer agreements include the service-provider clauses required by the CCPA/CPRA, including limitations on retention, combination, and onward disclosure of personal information.

PlanoHero's privacy program is designed to support the growing patchwork of US state privacy laws on a single, consistent baseline. This includes the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and Texas Data Privacy and Security Act (TDPSA), among others. Customer data is treated as confidential by contract, use is limited to providing the service, data subject rights are supported, and customers are notified of security incidents in a timely manner regardless of the state of residence of affected individuals.

Data ownership and use

  • Customers own their data. All planogram, store, product, inventory, and execution data remains the customer's property.
  • PlanoHero does not sell, rent, or license customer data to third parties, and does not use it to serve advertising.
  • Customer data is not used to train third-party AI models.
  • Data can be exported in standard formats at any time and is deleted on termination.

Subprocessors

PlanoHero relies on a small set of carefully chosen subprocessors, each covered by a Data Processing Agreement including EU Standard Contractual Clauses where applicable.

  • Hetzner Online GmbH: cloud hosting and storage. Region: Germany / Finland (EU).
  • Cloudflare, Inc.: edge network, DDoS protection, WAF, DNS. Region: global edge; EU-region traffic terminates in EU PoPs.
  • Email and notification provider: transactional and operational email. Region: EU.
  • Error and performance monitoring: application observability and uptime monitoring. Region: EU.

An up-to-date subprocessor list is available on request. Material changes are notified with reasonable advance notice.

Organizational Security

People, processes, and incident response

People and endpoints

  • All employees and long-term contractors sign confidentiality agreements before being granted access.
  • Security awareness training is delivered at onboarding and refreshed regularly.
  • Workstations enforce full-disk encryption, screen lock, anti-malware, and patching.
  • Access is provisioned through documented joiner/mover/leaver processes with mandatory dual approval for production privileges.

Incident response

  • A documented incident response plan covers detection, triage, containment, eradication, recovery, and post-incident review.
  • Security alerts and anomalous-activity signals are monitored continuously; on-call engineers are paged for incidents.
  • In the event of a confirmed security incident affecting customer data, affected customers will be notified without undue delay, in line with GDPR obligations (typically within 72 hours).
  • Every significant incident is followed by a blameless postmortem, with action items tracked to closure.

Compliance & Certifications

PlanoHero is transparent about its certification status. The platform is built on certified infrastructure, while PlanoHero's own formal certification program is in progress.

Underlying infrastructure (independently certified)

  • Hetzner data centers: ISO/IEC 27001; certified physical security controls; GDPR-compliant operation in the EU.
  • Cloudflare edge network: ISO/IEC 27001, ISO/IEC 27018, SOC 2 Type II, PCI DSS; signatory to the EU Cloud Code of Conduct.

PlanoHero practices and roadmap

  • GDPR / CCPA / US state privacy laws (current): see Privacy & Global Compliance above.
  • OWASP-aligned engineering (current): application security follows the OWASP Top 10 and OWASP ASVS, validated by automated and manual testing.
  • Vendor security questionnaires (current): PlanoHero completes CAIQ, SIG / SIG Lite, and custom enterprise questionnaires on request and under NDA.
  • Independent penetration testing (current): periodic independent penetration testing is performed. A summary letter is available under NDA.
  • SOC 2 Type II (on the roadmap): readiness is in progress for North American enterprise customers.
  • ISO/IEC 27001 (on the roadmap): an ISMS aligned with ISO/IEC 27001 is being built toward certification.

For regulated environments or US enterprise procurement, a full documentation package is available under NDA: DPA / CCPA addendum, completed security questionnaire (CAIQ / SIG), penetration-test summary letter, and the latest internal security review. Contact [email protected].