// Trust & Security Report

    Planful, Inc. logo

    Planful, Inc.

    Financial performance management (FP&A) cloud platform: budgeting, planning, consolidations, close, and reporting, with embedded 'Planful AI' assistants (Analyst, Planner, Help) and a separate Planful for Marketing module

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC2 Type 2 The American Institute of Certified Public Accounts (AICPA) Service Organization Controls (SOC) reports give assurance o...

    Verify on trust.planful.com
    SOC 1 Type 2
    HELD

    SOC1 Type 2 The American Institute of Certified Public Accounts (AICPA) Service Organization Controls (SOC) reports give assurance o...

    Verify on trust.planful.com
    ISO 27001:2022
    HELD

    ISO 27001: 2022 Certificate The International Organization for Standardization 27001 Standard (ISO 27001) is an information security...

    Verify on trust.planful.com
    ISO 27701:2019
    HELD

    ISO 27701: 2019 Certificate The International Organization for Standardization 27701 Standard (ISO 27701) is a privacy extension to ...

    Verify on trust.planful.com
    HIPAA (Business Associate Addendum)
    HELD

    HIPAA Business Associate Addendum (HIPAA BAA) A "business associate" is a person or entity that performs certain functions or activi...

    Verify on trust.planful.com
    GDPR (compliance posture / DPA with SCCs)
    HELD

    For Clients subject to General Data Protection Regulation or the California Consumer Privacy Act, Planful agrees to comply with its data processor obligations under the applicable data processing addendum ("DPA")... The Planful DPA incorporates the SCCs and provides descriptions of Planful's processing of the personal data (Appendix 1) and a description of Planful's security measures (Appendix 2).

    Verify on planful.com
    > Show 5 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification on trust.planful.com or elsewhere on planful.com; only ISO 27001:2022 and ISO 27701:2019 are listed as certified.

    source: trust.planful.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification found on the trust center or public pages.

    source: trust.planful.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on the trust center or public pages. Planful is a planning/FP&A platform and does not appear to process cardholder data directly.

    source: trust.planful.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on the trust center or public pages.

    source: trust.planful.com
    ISO 27017 / ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27017 or ISO 27018 certification. The trust center's certified-standards list is limited to ISO 27001:2022 and ISO 27701:2019.

    source: trust.planful.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region SaaS hosting: the live status page (trust.planful.com) separately monitors US, Australia, Europe, Canada, and a distinct 'Planful for Marketing' instance, indicating regional production instances rather than a single fixed data center. No single-tenant or customer-selectable data-residency guarantee was found documented.

    The trust center and MSA/DPA pages, which list the formal certifications and GDPR/DPA terms, WERE directly fetched and verified live.

    // Security controls

    Encryption in transit

    TLS 1.3 (per vendor AI/security messaging, indexed from planful.com/planful-ai/; not independently raw-fetched)

    planful.com

    Encryption at rest

    AES-256 (per vendor AI/security messaging, indexed from planful.com/planful-ai/; not independently raw-fetched)

    planful.com

    AI tenant isolation

    Vendor states the AI layer runs in an isolated, tenant-specific namespace so customer data does not leave its region or cross tenant boundaries

    planful.com

    Uptime / status transparency

    Public real-time status page with per-region uptime history; 100.00% uptime reported for the current quarter at time of review

    trust.planful.com

    Maintenance transparency

    Published recurring maintenance-window schedule (monthly release and operations-maintenance windows) through 2026

    trust.planful.com

    Data processing agreement

    DPA incorporating EU Standard Contractual Clauses available on request (dpo@planful.com) or as a presigned document; Transfer Impact Assessments also published

    planful.com

    // Products & data scope

    Planful Financial Performance Management (core platform, "PFF")FP&A / enterprise performance management (budgeting, planning, consolidations, close, reporting)

    data: Company financial and operational planning data, budgets, actuals, consolidations, close workflows

    The flagship product; covered by the trust center's SOC 1 Type 2, SOC 2 Type 2, ISO 27001:2022, ISO 27701:2019, and HIPAA BAA listings.

    Planful for Marketing ("PFM")Marketing performance / spend management

    data: Marketing budget, spend, and campaign performance data

    Tracked as a separate production instance on the vendor's own status page, alongside the core FP&A instance; no evidence found of a separate certification scope distinct from the main trust center listing.

    Planful AI (Analyst, Planner, Help assistants)Embedded generative AI / conversational analytics

    data: Reads and reasons over the customer's existing Planful data (forecasts, plans, analysis); vendor states prompts/questions may be logged for usage analytics, but responses containing customer data are not stored and none of it is used for model training

    Features are embedded within the core certified platform rather than sold as a separate SKU; AI training-data claims are vendor-stated, not attested to by SOC/ISO reports.

    // What to watch

    • Treat these two items as medium confidence pending a direct re-check, even though the wording was consistent across independent search results.
    • HIPAA is offered as a Business Associate Addendum (a contractual instrument), not a certification with an auditable report like SOC/ISO; list it as 'HIPAA BAA available' rather than a formal HIPAA certification to avoid overstating it.
    • No evidence of ISO/IEC 42001 (AI management systems) or CSA STAR, which are increasingly relevant given the vendor's embedded 'Planful AI' features; this is common for the vendor's market segment and should be listed as a gap, not a red flag.
    • No explicit customer-selectable data residency/region commitment was found; the multi-region status page (US/EU/Australia/Canada) suggests regional instances exist but the assessment could not confirm whether customers can contractually pin data to a specific region.

    // At a glance

    Pricing model

    Enterprise quote-based (contact sales / book a demo); no public self-serve pricing found

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Planful, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.planful.com

    > Browse all vendor trust reports