Security
Last Updated: April 2, 2026
Our Commitment
Security is not an afterthought at Guard0 — it is foundational to every product decision, architectural choice, and operational procedure. As an AI Security Posture Management platform, we understand that our customers trust us with visibility into their most critical security infrastructure. We take that responsibility seriously.
We are committed to:
- Protecting customer data with industry-leading encryption and access controls
- Maintaining transparent communication about security practices and incidents
- Continuously improving our security posture through testing and monitoring
- Achieving and maintaining recognized security certifications and compliance standards
- Providing enterprise customers with the security assurance materials they need
Infrastructure Security
Data Encryption
In Transit: All data in transit between customer systems and Guard0 is encrypted using TLS 1.3. We require and enforce TLS 1.3 for all external-facing services and APIs.
At Rest: Customer data at rest is encrypted using AES-256 encryption. Encryption keys are managed through industry-standard key management services provided by our infrastructure partner.
Network Security
Guard0's infrastructure includes:
- Firewalls & Network Segmentation: Multi-layer firewalls and security groups that enforce the principle of least privilege for internal and external network traffic
- Intrusion Detection & Prevention: Real-time monitoring for suspicious network activity with automated alerting and response capabilities
- DDoS Protection: Cloud-native DDoS mitigation to ensure service availability and protect against volumetric attacks
- VPC Isolation: Customer data and infrastructure operate within isolated virtual private clouds with restricted cross-tenant communication
Access Controls
We implement defense-in-depth access controls:
- Role-Based Access Control (RBAC): All internal systems use RBAC with clearly defined roles and permissions tied to job function
- Multi-Factor Authentication (MFA): MFA is mandatory for all employee access to internal systems, customer data, and infrastructure
- Least Privilege Principle: Employees have access only to the data and systems necessary to perform their roles; access is regularly reviewed and revoked when no longer needed
- Administrative Access Logging: All privileged actions are logged and monitored for audit and compliance purposes
Cloud Infrastructure
Guard0 infrastructure is hosted with a major cloud provider that maintains SOC 2 Type II certification, ensuring our foundational infrastructure meets or exceeds leading security and compliance standards.
Application Security
Secure Development Lifecycle (SDLC)
Our development practices include security at every stage:
- Design & Threat Modeling: Security reviews occur during the design phase of new features and services
- Code Reviews: All code changes undergo peer review with at least one other developer before merging; security is a key review criterion
- Static Analysis: Automated static application security testing (SAST) tools scan code for common vulnerabilities and misconfigurations
Dependency Vulnerability Scanning
We maintain an inventory of all third-party dependencies and regularly scan them for known vulnerabilities using industry-standard vulnerability databases. High and critical severity vulnerabilities are remediated within 30 days; critical vulnerabilities affecting production systems are addressed immediately.
Penetration Testing
Guard0 conducts third-party penetration testing at least annually by independent, qualified security firms. These tests evaluate both the Guard0 platform and our operational security practices. We use findings from these assessments to drive continuous improvements to our security controls.
Data Protection
Multi-Tenant Data Isolation
Guard0 operates a multi-tenant platform with strict data isolation controls to prevent unauthorized access between customers:
- Each customer's data is logically and cryptographically isolated
- Database-level access controls prevent cross-tenant queries
- Application logic enforces tenant boundaries at every layer
- Isolation controls are regularly tested to verify effectiveness
Data Classification & Handling
We classify all data (customer data, internal data, third-party data) and maintain procedures that specify how each classification must be handled, transmitted, and stored. Employees are trained on data classification and handling requirements.
Backup & Disaster Recovery
Customer data is regularly backed up with:
- Redundancy: Backups stored in geographically distributed locations
- Testing: Disaster recovery procedures are tested regularly to ensure data can be recovered
- Retention: Backups retained according to customer contractual requirements and legal obligations
- Encryption: All backups are encrypted with the same standards applied to primary data
Data Retention & Deletion
Customer data is retained only as long as necessary to provide the Guard0 service, as detailed in our Privacy Policy. Upon customer request or contract termination, data is deleted securely using industry-standard erasure procedures that prevent recovery.
Compliance & Certifications
SOC 2 Trust Service Criteria
Guard0 is pursuing SOC 2 Type II certification and aligns its security practices with the AICPA SOC 2 Trust Service Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Our control environment, risk assessment, and monitoring procedures are designed to meet these standards.
GDPR Compliance
Guard0 complies with the General Data Protection Regulation (GDPR) requirements applicable to our role as a data processor for EU customers:
- Data Subject Rights: We support customer fulfillment of GDPR data subject access requests, deletion requests, and portability requests
- Processing Agreements: Data Processing Agreements (DPAs) are available for all EU customers
- Privacy by Design: Personal data processing is designed with privacy protection as a core requirement
- Breach Notification: We maintain procedures to notify affected customers and relevant authorities in compliance with GDPR timelines
CCPA Compliance
Guard0 complies with the California Consumer Privacy Act (CCPA) requirements:
- Consumer Rights: We support customer fulfillment of CCPA consumer rights requests
- Data Minimization: We collect and process only the personal data necessary to provide the Guard0 service
- Opt-Out Support: Customers can control how their data is used and disclosed
Data Processing Agreements
Data Processing Agreements are available for enterprise customers upon request and can be obtained by contacting security@guard0.ai or your account manager.
Incident Response
Incident Response Program
Guard0 maintains a documented incident response program that outlines:
- Roles & Responsibilities: Clear assignment of incident response roles
- Detection & Response: Procedures for identifying, containing, eradicating, and recovering from security incidents
- Communication Protocols: Procedures for internal escalation and external customer notification
- Continuous Improvement: Post-incident reviews to identify lessons learned and process improvements
Customer Notification
In the event of a confirmed data breach affecting customer data, Guard0 will notify affected customers as quickly as possible, and no later than 72 hours after confirmation, consistent with GDPR and industry best practices. Notifications will include details of the data affected, steps customers should take, and Guard0's remediation efforts.
Post-Incident Review
Following any security incident, we conduct a post-incident review to:
- Understand the root cause
- Identify systemic improvements to prevent recurrence
- Document lessons learned
- Track remediation to completion
Employee Security
Background Checks
All Guard0 employees undergo background checks prior to hire, consistent with local legal requirements.
Security Awareness Training
All employees receive security awareness training as part of onboarding and ongoing professional development. Training covers:
- Phishing and social engineering awareness
- Data protection and privacy principles
- Secure password and credential practices
- Incident reporting procedures
- Customer data handling requirements
Confidentiality Agreements
All Guard0 employees sign confidentiality and non-disclosure agreements as a condition of employment, protecting customer data and proprietary information.
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a potential vulnerability in Guard0:
- Do not publicly disclose the vulnerability
- Email security@guard0.ai with a detailed description, including steps to reproduce the vulnerability, potential impact or severity, and your contact information
- Expect acknowledgment of your report within 48 hours
- Allow reasonable time for Guard0 to develop and deploy a fix before public disclosure
We are committed to working with security researchers to address vulnerabilities responsibly and promptly. We will make good-faith efforts to address valid reported vulnerabilities, and we welcome the opportunity to credit researchers appropriately (with permission).
Enterprise Security
Security Documentation & Assessments
Enterprise customers have access to additional security documentation and can request:
- Security Questionnaire Responses: Completed responses to your organization's security assessment questionnaires
- Data Processing Agreements (DPA): Customized data processing agreements for GDPR and other regulatory requirements
- Penetration Test Summaries: Summaries from our annual third-party penetration tests
- Architecture Documentation: Technical documentation of Guard0's security architecture and controls
- Additional Assessments: Other security assessments, audit reports, or documentation your organization requires
Enterprise customers should contact security@guard0.ai or their account manager to request any of these materials.
Questions or Concerns?
If you have questions about Guard0's security practices or have identified a potential vulnerability, please contact security@guard0.ai.
For enterprise customers with dedicated support, you can also reach out to your account manager. We are committed to transparent communication about security and appreciate your trust in Guard0.