Security & Compliance
Enterprise-grade security, built for teams that can't compromise. Your data. Your control.
Our Security Principles
Zero Trust Architecture
Every request authenticated. Every action authorized. We verify identity at every layer. No backdoors, no special access.
Zero Source Code Access
We test your app, not your code. Guardian interacts with your public APIs and staging URLs via the browser. We never require read/write access to your proprietary GitHub/GitLab repositories.
Transparency First
Full audit logs. Complete visibility. We log every action, every API call, every data access. You can audit us anytime.
Compliance & Certifications
SOC 2 Type II
Independently audited for security, availability, processing integrity, confidentiality, and privacy controls over 6+ months of operation.
Renewed annually — currently active
GDPR Compliant
We respect data protection regulations across the EU. Data retention, deletion, and export requests honored within 30 days.
GDPR + UK Data Protection Act 2018
HIPAA Ready
Supports HIPAA compliance for healthcare customers. Business Associate Agreements available. BAA + Technical Safeguards in place.
For healthcare & life sciences
ISO 27001 Eligible
We implement ISO 27001 controls for information security management. Certification pathway available for enterprise customers.
Information Security Management
Data Security in Depth
Encryption
- In Transit: TLS 1.3 for all connections
- At Rest: AES-256 for all stored data
- Backups: Encrypted with separate key
- Key Management: Google Cloud KMS
Access Control
- RBAC: Role-based access for all users
- SSO: SAML 2.0 + OAuth 2.0 support
- MFA: Optional two-factor authentication
- Session Management: 30-minute inactivity timeout
Network Security
- VPC: Dedicated private VPC isolation
- WAF: Web application firewall on all endpoints
- DDoS Protection: Google Cloud Armor
- IP Whitelisting: Support for enterprise requirements
Monitoring & Logging
- Audit Logs: All API calls logged for 1 year
- Real-time Alerts: Security incident notifications
- Intrusion Detection: 24/7 security monitoring
- Incident Response: <1 hour response time
How We Handle Your Data
What Data We Collect
Test results (pass/fail status), video recordings, DOM snapshots, error logs, and API requests. We do not store your source code, credentials, or personal information unless you explicitly provide it.
Learn more in our Privacy Policy
Data Retention
Test logs retained for 90 days by default (configurable). Videos kept for 30 days. Audit logs retained for 1 year. You can request deletion at any time and data is permanently removed within 48 hours.
Data Analytics
We aggregate anonymous, statistical data (test counts, pass rates, execution times) to improve our platform. We never share this with third parties. You can opt-out of analytics anytime.
Subprocessors
We use Google Cloud Platform for infrastructure. We have data processing agreements in place.
Security Questions?
Our security team is available for detailed security reviews, penetration testing coordination, and compliance questions. Reach out anytime.