
Security at Aguardic

We build a governance platform — the security of your data isn't an afterthought, it's foundational. Here's how we protect your organization and where we are on our compliance journey.


Security Principles

Our security architecture is built around five principles:

  • Encrypt everything — at rest and in transit, with no exceptions.
  • Isolate by default — every organization's data is scoped at the database and application layers. All queries are filtered by organization, and cross-tenant access is prevented by enforced access controls.
  • Minimize exposure — we collect and transmit only the data required for evaluation. Credentials are encrypted on write and decrypted only at point of use.
  • Audit everything — every evaluation, enforcement action, and state change produces a structured, timestamped record.
  • Defense in depth — authentication, authorization, input validation, rate limiting, and monitoring operate as independent layers.

Data Protection

Encryption at Rest

  • All database storage encrypted with AES-256.
  • Integration credentials individually encrypted with AES-256-GCM before storage.
  • Uploaded documents and knowledge base files encrypted at rest.

Encryption in Transit

  • TLS 1.2+ enforced on all connections.

Data Isolation

  • Organization-level isolation — all data is scoped to the organization at the database layer. Users can only access data belonging to organizations they are members of.
  • Project-level scoping — within each organization, resources are further scoped by project.

Sensitive Data Handling

  • Integration credentials are never exposed in API responses — sensitive fields are redacted before serialization.
  • Documents are uploaded directly to encrypted storage — files never pass through the application server.
  • No customer data is used for AI model training.

Authentication & Access Control

Authentication

  • Enterprise Single Sign-On — supports SAML, OAuth, and social identity providers.
  • No passwords stored — all authentication is delegated to our identity provider.
  • Encrypted, sealed session tokens with automatic refresh and expiration.

Authorization

  • Role-based access control with scoped permissions per role.
  • Destructive and sensitive actions restricted by role with escalation controls.

Application Security

  • All API inputs validated with strict runtime type checking.
  • Rate limiting enforced per IP address.
  • Integration webhooks verified using provider-specific signature validation.

Secure Development Lifecycle

Code Review & Branch Protection

  • All code changes require approval from at least one other engineer before merging.
  • Branch protection enforced on all production branches — direct pushes are blocked.
  • Automated checks must pass before merge, including linting, type checking, and test suites.

Automated Security Testing

  • Dependency vulnerability scanning runs on every pull request.
  • Static analysis checks for common security issues (injection, XSS, hardcoded secrets).
  • Container images built from minimal base images (Alpine Linux) with only runtime dependencies.

Deployment Controls

  • CI/CD pipelines deploy only from the main branch after all checks pass.
  • Infrastructure changes are version-controlled and deployed via automated pipelines.
  • Application secrets are stored in AWS Systems Manager Parameter Store — never in code or environment files.

AI & Model Security

  • No customer data used for training — content sent to LLMs for evaluation is not used to train or fine-tune any models. We use API agreements that prohibit training on customer inputs.
  • Minimal data sent — only the specific content being evaluated and the relevant policy rules are sent to the LLM. No organization metadata, user data, or unrelated content is included.
  • Three-layer architecture minimizes LLM exposure — the majority of rules are evaluated deterministically (pattern matching) with zero LLM involvement. AI evaluation is only triggered for rules that require semantic understanding.
  • LLM evaluation is optional — organizations can disable AI evaluation per-policy, restricting evaluation to deterministic rules only.
  • Knowledge base embeddings are generated and stored within your organization's isolated data environment.

Monitoring & Incident Response

Audit Trails

  • Every API request tagged with a unique correlation ID for end-to-end traceability.
  • Every policy evaluation logged with input, applied policies, results, and evaluation layer used.
  • Every violation includes a structured timeline with timestamps and user attribution.

Vulnerability & Penetration Testing

  • Automated vulnerability scanning runs continuously against application code and dependencies.
  • Container images scanned for known vulnerabilities before deployment.
  • Internal penetration testing conducted regularly against web application and API surfaces.
  • External penetration testing planned as part of SOC 2 audit preparation.

Incident Response

  • Defined incident response procedures with severity classification.
  • Affected customers notified within 72 hours of confirmed data breach.
  • Post-incident review and remediation for all security events.

Compliance Roadmap

We're transparent about where we are on our compliance journey. Aguardic is an early-stage company building toward enterprise-grade certifications.

Principles Applied

GDPR (Principles Applied)

Data minimization, organization-scoped isolation, structured audit logging, and deletion capabilities built into architecture. DPA available on request.

CCPA (Principles Applied)

User data deletion, data portability, and consent mechanisms built into platform.

In Progress

SOC 2 Type II (In Progress)

Security controls implemented. Formal audit targeting 2026. Infrastructure designed around Trust Services Criteria.

HIPAA (In Progress)

Technical safeguards (encryption, access controls, audit logging) are in place. BAA available upon request for qualifying customers.

Planned

ISO 42001 (Planned)

AI management systems standard. Planned as a strategic differentiator for AI governance platforms.

EU AI Act (Planned)

Tracking enforcement phases. Aguardic's policy marketplace includes EU AI Act compliance packs to help customers meet requirements.

We update this page as our compliance posture evolves. Last updated: February 2026.


Agreements & Sub-Processors

  • Data Processing Agreement (DPA): Available on request for all customers.
  • Business Associate Agreement (BAA): Available on request for healthcare customers handling PHI.
  • Data retention: Configurable per plan tier. Evaluation logs and violation records retained for the duration of the subscription.
  • Sub-processors: A current list of sub-processors is available on request. Contact security@aguardic.com.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, we ask that you report it responsibly.

How to Report

Email security@aguardic.com with a description of the vulnerability, steps to reproduce, and any relevant evidence. We will respond within 48 hours and provide an initial assessment within 5 business days.

Guidelines

  • Do not run automated scanners against our production infrastructure without prior coordination.
  • Do not access, modify, or delete data belonging to other users or organizations.
  • Do not disclose the vulnerability publicly until it has been resolved.
  • Provide sufficient detail to reproduce the issue — typically the affected URL or endpoint and a description of the vulnerability.

Our Commitment

  • We will not take legal action against good-faith security research.
  • We will handle your report with strict confidentiality.
  • We will credit researchers who report valid vulnerabilities (with permission).
  • We will keep you informed of progress toward resolution.

Out of Scope

  • Clickjacking and UI redressing.
  • Cross-Site Request Forgery (CSRF) on unauthenticated endpoints.
  • Attacks requiring physical access or man-in-the-middle positioning.
  • Denial-of-service (DoS/DDoS) attacks.
  • Content spoofing or text injection without a demonstrable attack vector.
  • Missing security headers (DNSSEC, CAA, CSP) without demonstrated impact.
  • Rate limiting issues.
  • Vulnerabilities in third-party services or dependencies outside our control.

Questions?

For security inquiries, agreement requests, compliance questions, or to discuss our security practices:

security@aguardic.com

For general support: support@aguardic.com