Security

Last updated: 13 April 2026

1. Security Overview

Customer data security is the foundation of Guardiso. As an ISMS platform, we apply the highest data protection standards at every level — from infrastructure through application to organizational processes.

Encryption at rest	AES-256
Encryption in transit	TLS 1.3
Access control	RBAC with server-side row filtering by organization_id enforced in the query layer (query-builder.ts)
Database isolation	Private VPC network, public endpoint closed, ACL limited to specific administrator IPs
Monitoring	Access logs, security alerts, anomaly monitoring, and automated Snyk, Semgrep, Gitleaks and Aikido scanners in CI/CD
Backups	Automatic, daily, encrypted, stored in EU

2. Infrastructure

Guardiso is hosted on Scaleway infrastructure — a European cloud provider with ISO 27001, SOC 2, and HDS certifications.

Component	Details	Location
Application servers	Scaleway Serverless Containers (autoscaling, per-container isolation)	Warsaw, Poland
Database	Scaleway Managed PostgreSQL 16 on a private VPC, public endpoint closed	Warsaw, Poland
Object Storage	Scaleway S3 — server-side encryption, separate bucket per environment	Warsaw, Poland
Private network	Scaleway VPC with ACL limiting database access to individual administrator IPs	Warsaw, Poland
Disk encryption	AES-256 at rest	-
DNS / CDN / WAF	Cloudflare — DNS, DDoS protection, WAF, edge caching	Global (EU PoPs)

3. Data Residency

By default, all customer data is stored in the Scaleway data center in Warsaw (Poland). All locations are within the European Union and subject to GDPR.

Location	Region	Status
Warsaw, Poland	pl-waw	Default
Paris, France	fr-par	Available
Amsterdam, Netherlands	nl-ams	Available

Region selection is available on Professional and Enterprise plans. Please contact us for configuration.

4. AI Data Flow

AI features (Copilot, policy generation, risk analysis) are entirely optional. The platform works fully without them.

What is sent	What is NOT sent
User query text (e.g., "generate password policy")	Database, files, personal data, org configuration, passwords, tokens

Anthropic processes data transiently — it does not store query content after processing and does not use it for AI model training. Transfer based on Standard Contractual Clauses (SCCs).

5. Authentication

Guardiso uses Google OAuth 2.0 for user authentication. We do not store user passwords.

Google OAuth 2.0 — secure login without password storage
NextAuth.js — authentication framework with session and CSRF token management
Session tokens — HTTP-only cookies, Secure flag, SameSite=Lax
SSO / SAML — available on Enterprise plan Enterprise

6. Application Security

The Guardiso application is built with security in mind at every stage of the software development lifecycle.

OWASP Top 10 — protection against the 10 most common web threats (XSS, injection, CSRF, etc.)
Content Security Policy (CSP) — strict CSP headers limiting external resource loading
Security headers — X-Frame-Options, X-Content-Type-Options, HSTS, Referrer-Policy
Input validation — schema validation (Zod) at all system boundaries
Parameterized queries — SQL injection protection at the query layer — column and table names validated through an allowlist, values bound as parameters
Organisation isolation — server-side row filtering by organization_id enforced in the query layer (lib/db/query-builder.ts) and by RBAC in middleware
Automated scanning — Snyk, Semgrep, Gitleaks, Aikido and Dependabot scan every code change in CI/CD

7. Responsible Disclosure

We value cooperation with the security community. If you discover a vulnerability in Guardiso, we ask for responsible disclosure.

Scope

*.guardiso.com

How to Report

Send your report to: security@guardiso.com

Include in your report:

Description of the vulnerability and reproduction steps (PoC)
Potential impact
Suggested fix (optional)

Response Time

Acknowledgment	Within 48 hours
Fix target	Within 30 days

Safe Harbor

We will not pursue legal action against security researchers who act in good faith and follow these guidelines:

Do not exfiltrate customer data
Do not disrupt service availability
Allow us reasonable time to fix before public disclosure

Out of Scope

Social engineering (phishing, vishing)
DoS / DDoS attacks
Physical attacks on infrastructure
Vulnerabilities in third-party software (e.g., browsers)
Missing best practices that do not lead to a specific attack

8. Compliance & Certifications

GDPR / RODO	Compliant
SOC 2 Type II	Planned
ISO 27001	Planned

9. Contact

If you have questions about Guardiso security:

Security reports: security@guardiso.com
General inquiries: info@guardiso.com