Security assessments
Planon has set up a procedure for customers to conduct security testing.
Planon Universe Customer policy for testing
Planon embraces customers who would like to carry out penetration, vulnerability, performance, and/or load tests against their Planon Universe application. This will not only create transparency about our security, but could also improve our product.
Requesting Planon’s annual security assessment
By default, Planon carries out annual security assessments which are performed by a third party. The ‘Executive reports’ and the ‘Planon in response to the report letter’ of these security assessments can be downloaded via the Customer portal Security Assessment page.
Requesting your own security assessment Planon Cloud
Planon embraces customers who want to carry out their own security testing. For Cloud customers, however, official approval from Planon and acceptance of the Terms and Conditions are required before a security assessment may be performed. The request form can be found on the Customer portal Security Assessment page.
Requesting your own on-premise security assessment
Since on-premise customers are running Planon on their own infrastructure, they do not need a prior approval from Planon to conduct the security assessment. However, the following Terms & Conditions are applicable to security assessments of on-premise installations of Planon Universe.
Terms and Conditions on-premise security assessments
Planon will only evaluate penetration/vulnerability reports performed on a release no older than 1 quarter of a year.
Vulnerabilities found in versions older than the latest Planon Universe release are not resolved separately; they must be resolved by performing an update.
Penetration/vulnerability testing should be performed in a non-production environment. This is to avoid negative consequences on the continuity, integrity, and availability of the application that may arise during testing.
If the tested environment is older than 1 quarter of a year, a non-production environment needs to be upgraded and a re-test has to be performed. The differences in the re-test will be reviewed by Planon after receiving the full penetration/vulnerability report.
The customer will provide Planon with a complete copy of the report to improve its product if possible or necessary. The report needs to be added to the original ticket which is created in support of this test and is visible on the Customer portal.
Additional costs will be charged for evaluating penetration/vulnerability reports which are performed on environments older than 1 quarter of a year.
Planon only resolves vulnerabilities in future Live releases.
Individual findings reported via other tickets will not be treated as part of the provided report.
On-premise environments must be hardened before a test is performed as described in .
Any discoveries of vulnerabilities or other issues related to the penetration/vulnerability test are not allowed to be made public or made available to parties other than Planon or the Company.
The customer is obligated to report 'critical' application security vulnerabilities directly to Planon as soon as possible via mail at security@planonsoftware.com.
Your performance of the testing and the results will be considered as confidential information.
Any discoveries of vulnerabilities or other issues related to the penetration test are not allowed to be made public or made available to others (for example, CVE registration).
As a customer, you are entitled to hire an external testing party who will perform the testing on your behalf. Planon is in contract with you as a customer and will not sign any contract, statement, and/or other binding agreement with these parties.