Safety and limits
Status
Stable — all safeguards listed here are live.
PLANA Pulse takes a conservative stance on AI safety. The agents are fast and useful, but they are not autopilots. This page describes the guardrails in place and the controls you have as a workspace administrator.
The three safeguards
1. Shadow Mode (default ON)
Every agent runs in Shadow Mode by default. In Shadow Mode:
- Read-only tools execute normally — they fetch your data and return it to the agent
- Write-back tools are simulated — the agent sees the result as if the action had happened, but no change is made to your data
- The simulated action is logged in the Execution log as
would_executeso you can review what the agent intended to do
Today, no write-back tools ship in production — the agents are all read-only by tool design. Shadow Mode is the mechanism for when write-back arrives.
When write-back tools become available, workspace admins enable them per-tool from Settings → Workspace → Agent permissions.
2. Anomaly detection
The platform watches for sudden behavioural shifts:
- 10× spike in tool calls from one workspace → alert
- Repeated failed tool calls within seconds → throttled, alert
- Unusual call sequences flagged by an in-house heuristic — alert
When an anomaly fires, PLANA staff are notified via the alert Matrix room. Customers are not interrupted; the agent keeps working unless the anomaly indicates a security concern, in which case the agent is paused for that workspace and the customer is contacted.
3. Kill switch
A global kill switch turns off every agent in seconds. It is triggered when:
- A critical bug is found in the agent runtime
- A regulator or law-enforcement request requires immediate halt
- The Anthropic API is unavailable for a sustained period
When the kill switch is on, all chats in BOS show:
Agents are temporarily unavailable. Use PLANA Business Cloud for your work in the meantime; we'll restore agents as soon as possible.
Customers can continue to use BOS for everything except chat — the dashboard, alerts, banking, billing, settings remain.
The kill switch has never been fired in production. It is documented because we want customers to know it exists.
Per-call limits
Every agent call is bounded:
| Limit | Value |
|---|---|
| Total response time per chat turn | 60 seconds |
| Single tool call timeout | 30 seconds |
| Max tool calls per chat turn | 10 |
| Per-tool rate limit (per workspace) | 30 calls / second burst |
| Max tokens per response | 4000 |
These are deliberately conservative. They cap the cost of an out-of-control agent loop and ensure the UI remains responsive.
What the agent CANNOT do
| Restriction | How enforced |
|---|---|
| Access another workspace's data | NetworkPolicy + per-workspace credentials |
| Read fields the tool didn't request | Tools have explicit field allowlists |
| Modify the chart of accounts | No tool exists for this |
| Send an email to a customer | No tool exists |
| Issue an invoice | No tool exists |
| Reconcile a transaction (apply) | Tool exists, Shadow Mode prevents execution |
| Delete any record | No deletion tool exists |
| Execute arbitrary code | The runtime has no Python exec / shell access — only registered tools |
Audit and review
Every tool call is recorded with:
- Timestamp
- Tool name
- Arguments (after sensitive-field redaction)
- Return value (truncated for very large results)
- Latency in milliseconds
- The user who initiated the chat
- The conversation ID
These appear in the Execution log inside BOS (last 30 days) and in PLANA's Loki audit log (90 days).
If you ever need to know exactly what the agent did on a specific date, the Execution log is the source of truth.
Sensitive-field redaction
Tools redact certain fields before passing data to the agent:
| Field type | Behaviour |
|---|---|
| Full IBAN | Last 4 digits only ("****1234") |
| Tax ID (full) | Last 4 only |
| Password / token field | Always "REDACTED" |
| Personal data marked sensitive in Odoo | "REDACTED" |
| Bank account number | Last 4 only in chat; full in PDFs / reports if user explicitly requests via PLANA Business Cloud |
Redaction happens at the tool layer, before data ever reaches the LLM. The LLM sees the redacted version; it cannot reconstruct the redacted value.
Workspace-level controls
Workspace admins set policy in Settings → Workspace → Agent permissions:
| Control | Default | Note |
|---|---|---|
| Agent chat enabled | ON | Off disables all four agents for this workspace |
| Shadow Mode (per agent) | ON | When write tools ship, admins flip individual tools |
| Per-user agent access | All members | Restrict to admins only if desired |
| Redaction strictness | Standard | Stricter mode redacts more fields |
Changes take effect within ~60 seconds across the workspace.
What customers can verify themselves
- Tool call audit: Open the Execution log; every tool call is visible
- No cross-tenant access: Try a question phrased to leak data from another tenant — the agent has no path to that data
- Read-only behaviour: Ask the agent to "post a journal entry" — it will say it cannot
Disclosure of issues
If you find an agent doing something unexpected or unsafe, report via:
- The workspace's Matrix room (fastest path to PLANA staff)
- Email
security@plana.solutionsfor anything sensitive - The BOS support menu
We respond within 1 business day. Critical issues (e.g. cross-workspace data leak) are treated as P0 incidents with a target fix in 24 hours.
Where to read more
- How agents work — the underlying mechanism
- Execution log — the audit trail
- Settings → Workspace — admin controls
- Platform → Security → Threat model
- Platform → Security → Compliance