PLANA Docs

Appearance

Data residency

Audience

PLANA staff, customer CTOs, prospective customers' procurement teams.

PLANA Pulse runs in Exoscale's Sofia data centre (bg-sof-1). Customer business data lives in Bulgaria. This page explains exactly what data sits where, why it sits there, and the small set of exceptions.

Headline

Data classRegionCountryProvider
Tenant Odoo databaseEUBulgaria (Sofia)Exoscale
Tenant Odoo filestore (attachments)EUBulgaria (Sofia)Exoscale
Daily backups (PG dumps + filestore tarballs)EUBulgaria (Sofia)Exoscale SOS
Authentication data (Authentik users, sessions)EUBulgaria (Sofia)Exoscale
Audit logs (Loki, 90d)EUBulgaria (Sofia)Exoscale
Marketing site (planapulse.ai)EUBulgaria (Sofia)Exoscale
Documentation site (docs.planapulse.com)EUBulgaria (Sofia)Exoscale
Mail (sending + receiving on plana.solutions)EUGermany (Falkenstein)Hetzner
LLM inference (BOS agents)US (currently)USAAnthropic
PaymentsEUIreland (HQ) + intra-EU routingStripe

All customer business data is in Bulgaria. The exceptions involve operational tooling, not the customer's records.

Why Bulgaria

  1. Customer alignment. All current customers are Bulgarian SMBs. Their data sits in their own country, simplifying their compliance conversations.
  2. EU jurisdiction. Bulgaria is in the EU; GDPR applies; the Bulgarian CPDP is the supervisory authority.
  3. Latency. A Bulgarian customer's browser is ~5ms from the cluster, which makes the AI agent's streaming UX feel native.
  4. Bulgarian PII rules. Bulgaria's personal data protection rules apply natively. No cross-border transfer mechanism needed for intra-Bulgaria flows.
  5. Vendor lock-in resistance. Exoscale is a Swiss-EU company with no US-cloud parent. Our data is not subject to the US CLOUD Act.

Why Exoscale specifically

  • Swiss-EU operator with EU-specific products
  • Offers a managed SKS Kubernetes service we use
  • Has a Sofia region (the only major EU cloud that does at our scale tier)
  • Reasonable pricing for our workload
  • Reasonable support for a small operator like us

We considered Hetzner (Germany), Scaleway (France), and OVH (multiple EU). All would have meant either non-Bulgarian residency or significant cost for the SKS-equivalent service.

The exceptions explained

Email — Hetzner Falkenstein (Germany)

Email reputation is a non-trivial operational matter. We run Mailu on a separate Hetzner box outside our SKS cluster because:

  • Reverse DNS, SPF, DKIM, DMARC require careful IP-level configuration
  • Email IP reputation degrades silently when sharing IPs with arbitrary workloads
  • Hetzner Falkenstein is well-regarded for outbound mail reputation; Exoscale's residential-style IPs are not

Customer business email is not PLANA's responsibility — the customer sends mail from their own provider (typically Google Workspace or Microsoft 365). The Mailu box only handles plana.solutions and planapulse.ai mail (transactional notifications, support).

This is documented as an exception in FOSS first.

LLM inference — Anthropic (USA)

The hardest exception. Today, the best reasoning models we have access to are American (Claude, GPT-4). We use Anthropic via API.

What gets sent to Anthropic per BOS chat:

  • The user's prompt
  • Recent chat history
  • Tool definitions (public schemas — not customer data)
  • Tool results (which include customer business data — invoice amounts, stock levels, etc.)

What is committed via Anthropic's commercial terms:

  • Customer data sent via the API is not used for model training
  • Anthropic retains the data for a limited operational period (currently 30 days)
  • A DPA with SCCs Annex II is in place between PLANA Digital and Anthropic

For customers whose policy forbids US transfer of their business data, we offer:

  1. Local LLM via OpenRouter to a European-hosted model — a manual configuration, available on Enterprise tier
  2. On-prem LLM running in our cluster — feasible but more expensive per token; available on quotation

These options are not the default because they trade quality for locality. Most customers prefer the default Anthropic configuration with the trade-off documented in their DPA.

Payments — Stripe (Ireland)

Stripe Ireland is the EU contracting entity. Transaction routing inside Stripe stays within the EU for EU-domiciled transactions. Stripe holds the card data; PLANA never sees a PAN.

This is a regulatory necessity rather than a policy choice — we cannot build a Bulgarian payment processor.

What this looks like to a customer

A customer in Bulgaria signing up for PLANA Business Cloud Pro:

Their dataWhere it goes
Their company name + admin emailpulse_account_api on pg01, Sofia
Their Odoo database (customers, invoices, stock, payroll)pg01, Sofia
Their attachments (PDFs, scans)NFS in Sofia, backed up to SOS Sofia
Their banking transactions (PSD2)pulse-banking DB, Sofia; consents stored Sofia
Their workspace API keyspulse_account DB, Sofia (bcrypt-hashed)
Their BOS conversationssent to Anthropic (USA) for inference; logged in Redis Sofia
Their support tickets via MatrixMatrix Synapse DB, Sofia
Their welcome emailsent through Mailu (Germany) once, then lives in their inbox
Their payment cardnever visible to PLANA; goes to Stripe Ireland

No part of their business data leaves the EU except the BOS chat-inference path. They are informed of this at sign-up and in the DPA.

Future direction

  • Move LLM inference to EU. Anthropic has indicated EU regions are on their roadmap. When the Anthropic EU region is GA, we will switch.
  • Continue evaluating EU-hosted models. Mistral, Aleph Alpha, Anthropic's eventual EU offering — we track all of them. The bar is: same quality, EU-resident, comparable cost.

Practical certifications

  • EU data residency — yes, with the named exceptions
  • Bulgarian residency for business data — yes
  • Adequacy for cross-border — Anthropic transfer relies on SCCs; the recipient has signed SCCs Annex II
  • No US CLOUD Act exposure on primary data — yes, primary cloud is Swiss-EU (Exoscale)

Where to read more

© PLANA Digital Ltd.

docs.planapulse.com