Security & Trust
We're a security company.
Our own security is non-negotiable.
You trust us to protect your infrastructure. That means we hold ourselves to a higher standard than we hold anyone else. Here is exactly how we do it.
Practices
How we secure ourselves.
These are not aspirational goals. They are current, enforced practices that apply to every line of code, every deployment, and every employee.
Local-First Architecture
Panguard runs entirely on your machine. No data is sent to any server unless you opt in to Threat Cloud. Your security data, scan results, and configuration never leave your device.
End-to-End Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Local encryption for configuration and credential storage. Key material stays on your device.
Zero Data Retention
Cloud AI queries are ephemeral. Payloads sent to Claude or GPT are not stored, not used for training, and not logged beyond the request lifecycle. PII is stripped before any data leaves the device.
Auditable AI Decisions
Every automated action taken by Panguard is logged with a full reasoning chain. You can trace exactly why an event was flagged, what confidence score it received, and what response was executed.
Open Source Transparency
Panguard is fully open source (MIT license). Every line of code is auditable on GitHub. Community security reviews and contributions are welcome. We maintain a bug bounty program for external researchers.
Secure Development Lifecycle
Every code change goes through automated SAST/DAST scanning, dependency auditing, and peer review. We follow OWASP best practices, and external researchers can report findings through the bug bounty program described above.
Compliance
Frameworks we follow.
Compliance is not a checkbox exercise. It is the minimum bar. We build to the spirit of these frameworks, not just their letter.
Panguard helps generate compliance reports aligned to SOC 2 Type II trust service criteria covering Security, Availability, and Confidentiality. Use these reports to accelerate your own audit preparation.
ISO 27001 certification is on our roadmap for 2026. Our information security management system (ISMS) is being built to ISO 27001 standards from day one, making certification a formalization rather than a transformation.
Panguard is designed for GDPR compliance by default. Data minimization, purpose limitation, and the right to erasure are built into the architecture. We offer Data Processing Agreements (DPA) to all customers.
For customers operating under Taiwan's Cybersecurity Management Act, Panguard's reporting and audit capabilities are designed to meet regulatory requirements for critical infrastructure providers.
Data Handling
What stays local. What goes to the cloud.
Transparency about data flows is fundamental. Here is a complete breakdown of where your data lives and what -- if anything -- leaves the device.
On-Device (Local)
- Raw system logs and telemetry
- Context Memory baseline database
- ATR rule engine and results
- Local LLM inference (Ollama)
- Incident response playbook execution
- Full event history and forensic logs
Cloud (Ephemeral)
- Anonymized event payloads (PII stripped)
- Cloud AI inference requests (not stored)
- Collective threat intelligence contributions (hashed IOCs only)
- Software update checks and rule feed syncs
Never Transmitted
- IP addresses or hostnames
- User credentials or tokens
- File contents or source code
- Database contents or query logs
- Personal or business data
Anonymization Pipeline
Before any event data is sent to cloud AI or the collective intelligence network, it passes through a multi-stage anonymization pipeline. IP addresses are hashed, hostnames are replaced with generic identifiers, file paths are normalized, and user data is removed entirely.
The pipeline is deterministic, so the same threat pattern always produces the same anonymized signature -- enabling correlation without exposing identity.
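The four pipeline stages described above (hash IP addresses, replace hostnames with generic identifiers, normalize file paths, remove user data entirely) and the determinism property, shown as a runnable illustration. This is an added example, not Panguard's pipeline code: the event field names, the sample event, and the per-installation secret `PEPPER` are all constructed for the example. The page does not say which hash function the pipeline uses; the example keys the hash with HMAC-SHA256 and a secret that stays on the device, because an unkeyed hash of an IPv4 address can be reversed simply by hashing all 2^32 candidates, while a keyed hash still gives the same signature for the same address and so preserves correlation.

```python
"""Deterministic event anonymization modelled on the stages the page lists.

Added example, not Panguard's code. Assumptions: a per-installation secret
PEPPER (constructed here), the field names in IP_FIELDS/HOST_FIELDS/...,
and SAMPLE_EVENT, which is a constructed input.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import json
import re
from typing import Any

# Constructed secret; in a real deployment it would live in the 0600 credential
# store. Keying matters: the IPv4 space is only 2^32 addresses, so an unkeyed
# SHA-256 of an address is reversible by enumeration.
PEPPER = b"example-per-installation-secret"

IP_FIELDS = {"src_ip", "dst_ip", "client_ip"}
HOST_FIELDS = {"hostname", "host"}
PATH_FIELDS = {"path", "file"}
USER_FIELDS = {"user", "username", "email", "token", "password"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SAMPLE_EVENT = {  # constructed input
    "event": "ssh_bruteforce",
    "src_ip": "203.0.113.7",
    "hostname": "web-01.corp.example",
    "user": "alice",
    "path": "/home/alice/.ssh/authorized_keys",
    "message": "12 failed logins from 203.0.113.7 for alice on web-01.corp.example",
    "confidence": 0.93,
}


def _tag(prefix: str, data: bytes, n: int = 16) -> str:
    """Truncated keyed digest: same input and pepper always give the same tag."""
    return f"{prefix}:{hmac.new(PEPPER, data, hashlib.sha256).hexdigest()[:n]}"


def hash_ip(ip: str) -> str:
    # Parse first so the canonical packed form is hashed, not the raw string
    # (and so garbage that merely looks like an address raises ValueError).
    return _tag("ip", ipaddress.ip_address(ip).packed)


def generic_hostname(name: str) -> str:
    return _tag("host", name.strip().lower().encode(), 8)


def normalize_path(path: str) -> str:
    """Replace the home-directory owner so paths compare across machines."""
    path = re.sub(r"^(/home|/Users)/[^/]+", r"\1/<user>", path)
    return re.sub(r"^([A-Za-z]:\\Users\\)[^\\]+", r"\1<user>", path)


def collect_replacements(event: dict[str, Any], acc: dict[str, str] | None = None) -> dict[str, str]:
    """Map every user identifier and hostname in the event to its replacement,
    so they can also be scrubbed out of free-text fields."""
    acc = {} if acc is None else acc
    for key, value in event.items():
        if isinstance(value, dict):
            collect_replacements(value, acc)
        elif key in USER_FIELDS and value:
            acc[str(value)] = "<user>"
        elif key in HOST_FIELDS and value:
            acc[str(value)] = generic_hostname(str(value))
    return acc


def scrub_text(text: str, replacements: dict[str, str]) -> str:
    """Free text: hash embedded IPs, then substitute known identifiers."""
    def _ip(m: re.Match) -> str:
        try:
            return hash_ip(m.group(0))
        except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an address
            return m.group(0)
    text = IPV4_RE.sub(_ip, text)
    for ident in sorted(replacements, key=len, reverse=True):  # longest first
        text = re.sub(rf"\b{re.escape(ident)}\b", lambda m, r=replacements[ident]: r, text)
    return text


def anonymize_event(event: dict[str, Any], replacements: dict[str, str] | None = None) -> dict[str, Any]:
    if replacements is None:
        replacements = collect_replacements(event)
    out: dict[str, Any] = {}
    for key, value in event.items():
        if key in USER_FIELDS:
            continue                                   # removed entirely
        if isinstance(value, dict):
            out[key] = anonymize_event(value, replacements)
        elif key in IP_FIELDS:
            out[key] = hash_ip(str(value))
        elif key in HOST_FIELDS:
            out[key] = generic_hostname(str(value))
        elif key in PATH_FIELDS:
            out[key] = normalize_path(str(value))
        elif isinstance(value, str):
            out[key] = scrub_text(value, replacements)
        else:
            out[key] = value                            # numbers, bools, None
    return out


def residual_identifiers(event: dict[str, Any], out: dict[str, Any]) -> list[str]:
    """Pre-send check: any raw IP, hostname or user value still present?"""
    serialized = json.dumps(out)
    raw = [str(v) for k, v in event.items() if k in IP_FIELDS | HOST_FIELDS | USER_FIELDS]
    return [r for r in raw if r in serialized]


if __name__ == "__main__":
    print(json.dumps(anonymize_event(SAMPLE_EVENT), indent=2))
```

The `residual_identifiers` check is the part worth keeping in any real pipeline: it re-serializes the outgoing payload and refuses to send if a raw value from a sensitive field survived, which catches the common failure mode where an identifier is stripped from its own field but still appears inside a free-text message.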
Responsible Disclosure
Found a vulnerability in Panguard? We appreciate security researchers who help us keep our users safe. Please report any security issues through our responsible disclosure program.
We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours.
ENCRYPTION
Encryption & Audit Logging
How we protect data at rest, in transit, and track every access.
Data in Transit
TLS 1.3 for all API communication. Certificate pinning for Threat Cloud connections. HTTPS enforced with HSTS.
Data at Rest
AES-256 encryption for credential storage. Configuration files with restricted permissions (0600). Baseline data stored locally, never transmitted.
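Two practical checks behind the "restricted permissions (0600)" practice, as an added example that is not Panguard's code: create the configuration file with the mode applied at creation time rather than with a later `chmod` (a `chmod` after the fact leaves a window in which the caller's umask decides who can read the file), and refuse to use a file whose mode or ownership has drifted. The file name and contents are constructed for the example; the demo runs in a scratch directory.

```python
"""Create and verify a 0600 configuration file.

Added example, not Panguard's code. Assumes a POSIX filesystem; the path
and contents used by run_demo() are constructed.
"""
import os
import stat
import tempfile


def write_private_file(path: str, data: bytes) -> None:
    # O_EXCL refuses to open a pre-existing file or symlink at this path, so
    # the secret is never written into a file someone else planted there.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    # The umask can only clear bits from 0o600 (e.g. umask 0o277 leaves 0o400),
    # so fix the mode explicitly; at no point was the file group/world-readable.
    os.chmod(path, 0o600)


def private_file_problems(path: str) -> list:
    """Return a list of reasons not to trust this file; empty means OK."""
    problems = []
    st = os.lstat(path)                       # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {oct(mode)} grants group/other access")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append("owned by another user")
    return problems


def run_demo() -> dict:
    """Exercise both helpers in a scratch directory and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "panguard.conf")          # constructed path
        write_private_file(cfg, b"threat_cloud_opt_in = false\n")
        fresh = private_file_problems(cfg)
        try:
            write_private_file(cfg, b"overwrite attempt\n")
            recreate_refused = False
        except FileExistsError:
            recreate_refused = True                      # O_EXCL did its job
        os.chmod(cfg, 0o644)                             # simulate permission drift
        drifted = private_file_problems(cfg)
        with open(cfg, "rb") as fh:
            content = fh.read()
        return {"fresh": fresh, "recreate_refused": recreate_refused,
                "drifted": drifted, "content": content}


if __name__ == "__main__":
    print(run_demo())
```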
Audit Logging
Every detection, response action, and configuration change is logged with timestamp, source, and actor. Logs stored locally with optional syslog forwarding.
Permission Model
Runs as an unprivileged user where possible. Root is required only for network monitoring and IP blocking. Scan operations run in a sandbox.
SERVICE LEVEL
SLA Summary
Our commitments to all users.
Panguard is 100% free and open source. Community support via GitHub issues.
Trust Center
Documentation you can verify.
Download our security documentation, request audit reports, or review our compliance artifacts.
SOC 2 Type II Report
Coming Q3 2026
Penetration Test Summary
Available on request
Data Processing Agreement (DPA)
Available
Security Whitepaper
Available
Architecture Overview
Available
Incident Response Plan
Available on request
Questions about our security?
Our team is happy to discuss our security practices or provide documentation. Reach out via GitHub or email.