Vendor Security
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page summarizes the security posture of Shisho Cloud byGMO and Takumi byGMO, operated by GMO Flatt Security Inc. It is written to support your internal review processes and security questionnaire responses.
This page covers cross-cutting security topics that apply to our services as a whole. Product-specific behavior (assessment data retention, Takumi Guard's registry proxy operation, Runner VM isolation, etc.) is documented in the feature pages of each product. Please refer to both as needed.
Compliance
ISO/IEC 27001 (ISMS)
GMO Flatt Security Inc. has obtained certification against the international standard for information security management systems, ISO/IEC 27001 (ISMS).
| Item | Detail |
|---|---|
| Standard | JIS Q 27001:2025 (ISO/IEC 27001:2022 + Amd 1:2024) |
| Scope | (1) Security assessment, penetration testing, consulting, incident response, research, and educational services (2) Planning, development, and operation of information-security cloud services |
| Certificate number | JP26/00000054 |
| Certifying body (accreditation number) | SGS Japan Inc. (ISR021) |
| Initial certification | February 17, 2026 |
| Valid through | February 17, 2029 |
The current certification status is publicly listed on the ISMS-AC registry: JP26/00000054. For further details, please reach out via the contact channel at the bottom of this page.
Data Handling
Residency
Customer data is stored and processed in regions located in Japan by default. A subset of operational metadata and SaaS-side logs follows the hosting region of the respective SaaS provider.
Retention Periods and Deletion
Customer data associated with a Shisho Cloud organization is deleted in accordance with the organization's lifecycle (cancellation and organization-deletion procedures). For the deletion procedure itself, see Organizations > Deleting an organization.
Input data received while processing individual features may be deleted on a shorter cycle than the organization lifecycle. For example, source code and related input files provided to the assessment features are retained only for the minimum period required to deliver the feature and are then deleted.
If you wish to request deletion of personal data in accordance with applicable laws and regulations, see How to Delete Individual's Data.
Provisions for AI/LLM Usage
This section applies only when you use the AI-powered features of Takumi byGMO. If you use only features that do not involve AI, customer data is not sent to the LLM providers listed below.
Takumi byGMO's AI features rely on external LLM providers for inference. The inference providers we can disclose at this time include the following:
- Google Cloud Vertex AI
- AWS Bedrock
- Anthropic API
All are consumed via API only, and customer data is not used to train the LLMs. The set of providers may change over time as we improve quality and adopt new models.
Note that we do not disclose the specific model names or version configurations we actually run on the above inference providers.
Contact
For security-related inquiries, vulnerability reports, and requests for certification details, please see the Contact page.
Frequently Asked Questions (FAQ)
Can you respond to security questionnaires?
Yes, provided you are on or trialing a Takumi subscription. Please note that, given the volume of inquiries we receive, we cannot accommodate this for free-tier-only use.
Where is the Privacy Policy?
See the GMO Flatt Security Privacy Policy.