Trust Center
Security You Can Verify
Transparency is the foundation of trust. Review our compliance status, security architecture, data handling practices, and subprocessor relationships -- all in one place.
Compliance Status
Certifications and frameworks.
Real-time visibility into our compliance posture. We publish status honestly -- including what is in progress, not just what is complete.
Expected Q3 2026. Panguard helps generate compliance reports aligned to SOC 2 trust service criteria covering Security, Availability, and Confidentiality.
Planned for Q4 2026. Risk assessment framework in place. ISMS built to ISO 27001 standards from day one, making certification a formalization.
Full GDPR compliance with automated data subject request handling. Data Processing Agreements available for all customers. Privacy by design across the platform.
BAA planned. Encryption controls implemented. Access audit logging and automatic session management enforced.
Security Architecture
Defense in depth.
Our security model is layered. A failure at any single layer does not compromise the system. Each layer operates independently with its own controls.
Data Layer
AES-256 encryption at rest
TLS 1.3 for all data in transit
Local encryption for configuration and credential storage
Automatic key rotation (90 days)
Hardware security module backed
Application Layer
Input validation and sanitization
Local configuration file permissions (0600)
CLI authentication via local tokens
Infrastructure Layer
Local-first architecture -- all data stays on your machine
24/7 infrastructure monitoring
DDoS protection at edge
Immutable deployment pipeline
Automated vulnerability scanning
Data Handling
How we treat your data.
Every data handling practice is documented, enforced through policy, and verified through automated controls.
Data Encryption
AES-256 at rest, TLS 1.3 in transit. Local encryption for configuration and credential storage.
Data Residency
All data stored locally on your device. No cloud storage unless you opt in to Threat Cloud.
Data Retention
Configurable retention policies per data type. Automatic purging with cryptographic verification.
Access Controls
File-system permissions restrict access to configuration and data. Runs as unprivileged user where possible.
Audit Logging
Immutable audit trail for all administrative actions. Logs retained for a minimum of 12 months.
Incident Response
24-hour breach notification SLA. Documented IR plan tested quarterly with tabletop exercises.
Subprocessors
Third parties we work with.
We limit subprocessor usage to essential services only. Each subprocessor undergoes security review before onboarding and is re-evaluated annually.
Last updated: February 2026. We notify customers at least 30 days before adding new subprocessors. Subscribe to updates via our GitHub repository.
DATA LIFECYCLE
Data Retention Policy
Clear policies on what data we store and for how long.
Detection events, alerts, and response logs stored locally on your endpoint.
Environment baseline updated continuously. Replaced when new learning period starts.
Anonymized threat signatures only. No PII, no source code, no raw logs.
PDF reports stored locally. Cloud copies (if any) auto-deleted after 30 days.
INCIDENT RESPONSE
Security Incident Process
Our commitment to transparency when things go wrong.
Detection
< 1 hour: Automated monitoring detects anomalies. On-call engineer alerted.
Assessment
< 4 hours: Severity classification. Affected users identified. Containment initiated.
Notification
< 24 hours: Affected customers notified via email. Status page updated. Regulatory bodies informed if required.
Remediation
< 72 hours: Root cause identified and fixed. Patches deployed. Post-mortem published.
Need compliance documentation?
Request SOC 2 reports, penetration test summaries, or our Data Processing Agreement. All documentation is available to the community.