Last updated:
Asset Inventory
Version: 1.0 · Status: Active · Effective: 2026-05-05
1. Purpose
This policy provides a high-level overview of the technology assets, data stores, third-party services, and data classification framework that comprise the Projan service. It serves as a transparency document for customers, partners, and auditors who need to understand the categories of assets under management without exposing implementation details that could assist in adversarial reconnaissance.
This document is maintained by Projan AI Ltd (company number 17196385) and is reviewed on a quarterly basis.
2. Infrastructure Overview
2.1 Cloud Hosting
All Projan infrastructure is hosted on Amazon Web Services (AWS) within the EU (London) region. This ensures that data processing and storage remain within the United Kingdom and the broader European Economic Area, supporting compliance with UK GDPR and related data protection regulations.
2.2 Environment Isolation
Projan operates separate AWS accounts for each deployment environment:
- Development — used for active feature development and internal testing.
- Test — used for integration testing and pre-release validation.
- Production — the live environment serving customers.
Each environment is logically and physically isolated at the AWS account level. This separation ensures that development activity cannot affect production data, and that access controls can be scoped independently per environment.
2.3 AWS Service Categories
The infrastructure makes use of the following categories of AWS services:
| Category | Purpose |
|---|---|
| Compute | Container orchestration for long-running application services; serverless functions for event-driven processing |
| Storage | Object storage for file uploads, email assets, and static site hosting |
| Networking | Virtual private networks, load balancing, DNS management, and content delivery |
| Security | Secrets management, identity and access management, encryption key management |
| Monitoring | Centralised logging, alerting, and operational dashboards |
All services are configured in accordance with the principle of least privilege, and infrastructure is defined as code to ensure consistency and auditability across environments.
3. Data Stores
3.1 Primary Database
Projan uses a managed MongoDB service hosted within the EU. The database stores application data including user accounts, conversations, documents, plans, team configurations, and integration metadata.
Security controls applied to the database:
- Encryption at rest using AES-256 managed keys.
- Encryption in transit via TLS for all client-to-server and intra-cluster communication.
- Network-level access restrictions limiting connectivity to authorised application services only.
- Automated backups with point-in-time recovery capability.
- Separate database instances per environment (development, test, production).
3.2 Caching and Session Storage
Ephemeral data such as session state and temporary processing artefacts are stored in managed caching services with automatic expiry. No persistent personal data is held in cache layers.
3.3 Object Storage
File uploads (such as voice recordings) and static assets are stored in AWS object storage with server-side encryption enabled. Access is controlled through time-limited pre-signed URLs and scoped IAM policies.
4. Applications
Projan comprises five application components, each deployed independently:
| Application | Description |
|---|---|
| API | The core backend service providing a GraphQL interface for all client applications. Handles authentication, business logic, AI orchestration, and data persistence. |
| Web and Mobile Application | The primary user interface, available as a web application and a mobile application. Provides the conversational workspace, document editing, project management, and account administration. |
| Messaging Integration Service | A bot service that enables users to interact with Projan through third-party messaging platforms (currently Slack). |
| Marketing Site | A static website providing product information, documentation, and legal policies. |
| Serverless Functions | Event-driven functions that handle authentication lifecycle events such as account verification and token enrichment. |
All application components are containerised or packaged as serverless artefacts, deployed through automated CI/CD pipelines, and monitored through centralised logging and alerting.
5. Third-Party Services
5.1 Core Services
The following third-party services are integral to Projan’s operation:
| Service Category | Purpose | Data Shared |
|---|---|---|
| Payment Processing | Subscription billing, invoicing, and payment method management | Customer email, billing address, subscription metadata. Card details are held exclusively by the payment processor and never touch Projan infrastructure. |
| AI Inference | Language model processing for conversational AI agents and document generation | Conversation content submitted by the user for the duration of the AI interaction. No training on customer data. |
| Email Delivery | Transactional email (account verification, password reset, team invitations, notifications) | Recipient email address and email content. |
| Identity and Authentication | User identity management, password storage, and multi-factor authentication | User email, authentication credentials (managed entirely by the identity provider). |
| Analytics | Product usage analytics to improve the service | Anonymised usage events. No personally identifiable information is sent to analytics services. |
5.2 User-Initiated Integrations
Users may optionally connect Projan to external services. These integrations are initiated and controlled by the user and require explicit OAuth authorisation:
- Jira — export plan tasks as Jira issues.
- GitHub — export plan tasks as GitHub issues.
- Linear — export plan tasks as Linear issues.
- Notion — sync documents and data to Notion workspaces.
- Slack — conversational PRD creation within Slack channels.
- Google Tasks — export plan tasks to Google Tasks.
- Todoist — export plan tasks to Todoist.
OAuth credentials for these integrations are encrypted at rest using application-level encryption and are revocable by the user at any time through the account settings interface.
6. Domain and Certificate Management
Projan operates under the projan.ai domain. Environment-specific subdomains are used to separate development, testing, and production traffic. All public-facing endpoints are protected by TLS certificates with automatic renewal, ensuring uninterrupted encrypted communication.
Certificate lifecycle management is automated, and certificates are provisioned through AWS Certificate Manager. No manual certificate handling is required, reducing the risk of expiry-related outages or misconfiguration.
7. Data Classification Framework
All data processed by Projan is classified according to the following framework. Classification determines the handling, storage, access, and disposal requirements for each data element.
7.1 Classification Levels
| Classification | Description | Examples |
|---|---|---|
| Secret | Credentials and cryptographic material that, if disclosed, would enable direct unauthorised access to systems or data. Must never appear in logs, source code, or unencrypted storage. | API keys, OAuth tokens, encryption keys, database credentials, webhook signing secrets |
| Confidential | Personal data and business-sensitive information protected under data protection legislation. Access restricted to authorised personnel and services with a legitimate processing purpose. | User email addresses, conversation content, document content, billing information, team membership data |
| Internal | Operational data that supports service delivery but does not contain personal data or credentials. Not intended for public disclosure but would not cause significant harm if exposed. | Application configuration, feature flags, infrastructure metadata, deployment identifiers, log entries (after redaction) |
| Public | Information intentionally made available to the public with no access restrictions. | Marketing site content, published API documentation, legal policies, pricing information |
7.2 Handling Requirements
| Requirement | Secret | Confidential | Internal | Public |
|---|---|---|---|---|
| Encryption at rest | Required (dedicated key management) | Required | Recommended | Not required |
| Encryption in transit | Required (TLS 1.2+) | Required (TLS 1.2+) | Required (TLS 1.2+) | Required (TLS 1.2+) |
| Access control | Named individuals only, audited access | Role-based, least privilege | Service-level access | Unrestricted |
| Logging of access | Full audit trail | Audit trail for mutations | Standard application logging | Not required |
| Retention | Rotated on schedule; revoked immediately on compromise | Per retention schedule (see Data Protection Policy) | Retained for operational needs | Indefinite |
| Disposal | Secure deletion with confirmation | Secure deletion | Standard deletion | No special requirements |
8. Development Tooling
Projan’s development and deployment lifecycle is supported by the following categories of tooling:
| Category | Purpose |
|---|---|
| Source Control | Version-controlled repositories with branch protection, code review requirements, and signed commits. |
| CI/CD Pipelines | Automated build, test, lint, and deployment workflows triggered by code changes. |
| Container Registry | Private registry for application container images, scoped per environment. |
| Mobile Build Service | Cloud-based build and distribution service for mobile application releases. |
| Infrastructure as Code | All cloud infrastructure is defined declaratively, version-controlled, and deployed through automated pipelines. |
Access to development tooling is restricted to authorised team members and governed by the Access Control Policy.
9. Review Schedule
This policy is reviewed quarterly and updated whenever significant changes are made to the technology estate. Material changes are recorded in the document version history and communicated to relevant stakeholders.
| Review Activity | Frequency |
|---|---|
| Full asset inventory reconciliation | Quarterly |
| Data classification review | Quarterly |
| Third-party service review | Semi-annually |
| Policy document review and approval | Quarterly |
10. Contact
For questions about this policy or to report a security concern related to Projan’s technology assets, contact:
Email: security@projan.ai
Projan AI Ltd will acknowledge all security-related enquiries within 5 business days.