# Vendor Security {#security-posture}

This page summarizes the security posture of **Shisho Cloud byGMO** and **Takumi byGMO**, operated by GMO Flatt Security Inc. It is written to support your internal review processes and security questionnaire responses.

:::info Scope of this page
This page covers cross-cutting security topics that apply to our services as a whole. Product-specific behavior (assessment data retention, Takumi Guard's registry proxy operation, Runner VM isolation, etc.) is documented in the feature pages of each product. Please refer to both as needed.
:::

## Compliance {#compliance}

### ISO/IEC 27001 (ISMS) {#iso27001}

GMO Flatt Security Inc. has obtained certification against the international standard for information security management systems, **ISO/IEC 27001 (ISMS)**.

| Item                                   | Detail                                                                                                                                                                                              |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Standard                               | JIS Q 27001:2025 (ISO/IEC 27001:2022 + Amd 1:2024)                                                                                                                                                  |
| Scope                                  | (1) Security assessment, penetration testing, consulting, incident response, research, and educational services<br/>(2) Planning, development, and operation of information-security cloud services |
| Certificate number                     | JP26/00000054                                                                                                                                                                                       |
| Certifying body (accreditation number) | SGS Japan Inc. (ISR021)                                                                                                                                                                             |
| Initial certification                  | February 17, 2026                                                                                                                                                                                   |
| Valid through                          | February 17, 2029                                                                                                                                                                                   |

The current certification status is publicly listed on the ISMS-AC registry: [JP26/00000054](https://isms.jp/lst/ind/CR_JP26_x002F_00000054.html). For further details, please reach out via the [contact channel](#contact) at the bottom of this page.

## Data Handling {#data-handling}

### Residency {#data-residency}

Customer data is stored and processed in **Japan regions** by default. A subset of operational metadata and SaaS-side logs follows the hosting region of each respective SaaS provider.

### Retention Periods and Deletion {#data-retention}

Customer data associated with a Shisho Cloud organization is deleted in accordance with the organization's lifecycle (cancellation and organization-deletion procedures). For the deletion procedure itself, see [Organizations > Deleting an organization](/docs/t/management/organization.md#delete).

Input data received during the processing of individual features may be deleted on a shorter cycle. For example, source code and related input files provided to the assessment features are deleted within the minimum period required to provide the feature.

:::info
If you wish to request deletion of personal data in accordance with applicable laws and regulations, see [How to Delete Individual's Data](/docs/c/misc/data-deletion.md).
:::

### Provisions for AI/LLM Usage {#llm-providers}

:::warning Applies only when using AI features
This section applies **only when you use AI-powered features** of Takumi byGMO. When you only use features that do not involve AI, customer data is not sent to the LLM providers below.
:::

Takumi byGMO's AI features rely on external LLM providers for inference. The inference providers we can disclose at this time include the following:

- Google Cloud Vertex AI
- AWS Bedrock
- Anthropic API

All are consumed **via API only**, and customer data is not used to train the LLMs. The set of providers may change over time as we improve quality and adopt new models.

Note that we do not disclose the specific model names or version configurations we actually run on the above inference providers.

## Contact {#contact}

For security-related inquiries, vulnerability reports, and requests for certification details, please see the [Contact](/docs/contact/index.md) page.

## Frequently Asked Questions (FAQ) {#faq}

### Can you respond to security questionnaires? {#faq-security-questionnaire}

Yes, provided you are on or trialing a Takumi subscription. Please note that, given the volume of inquiries we receive, we cannot accommodate this for free-tier-only use.

### Where is the Privacy Policy? {#faq-privacy-policy}

See the [GMO Flatt Security Privacy Policy](https://flatt.tech/privacy-policy/).

### Where are the Terms of Service? {#faq-terms-of-service}

See the [Shisho Cloud byGMO / Takumi byGMO Terms of Service](https://shisho.dev/en/terms).
