Security Whitepaper
Last updated: February 2026
This document provides a comprehensive overview of the security architecture, practices, and compliance standards that underpin the Panguard AI platform. As a security company, we hold ourselves to the highest standards and believe in transparency about how we protect our customers and their data.
1. Architecture Overview
The Panguard platform is built on a cloud-native, microservices architecture designed for resilience, scalability, and defense in depth.
1.1 Infrastructure
Panguard operates on SOC 2 Type II certified cloud infrastructure with multi-region deployment across Asia-Pacific, North America, and Europe. Our infrastructure is provisioned using infrastructure as code (IaC) with automated security scanning at every deployment stage. All production systems run on hardened, minimal operating system images with automatic patching enabled.
1.2 Network Architecture
Our network architecture employs a zero-trust model with strict network segmentation. All services communicate through encrypted channels, and no service is directly exposed to the public internet without passing through our application load balancers and web application firewall (WAF). Internal service-to-service communication uses mutual TLS (mTLS) for authentication and encryption.
1.3 Data Isolation
Customer data is logically isolated at the application layer using tenant-aware access controls. Each customer's data is stored in dedicated, encrypted partitions. Our architecture ensures that no customer can access another customer's data, even in the event of an application-level vulnerability.
2. Encryption
2.1 Data at Rest
All customer data stored on our platform is encrypted with AES-256. Encryption keys are managed through a dedicated key management service (KMS) with hardware security module (HSM) backing. Encryption keys are rotated automatically every 90 days. Customers on the Business plan may bring their own encryption keys (BYOK) for an additional layer of control.
2.2 Data in Transit
All data transmitted between client endpoints and Panguard infrastructure is encrypted using TLS 1.3 with forward secrecy. We support only modern cipher suites and have disabled all legacy protocols (SSLv3, TLS 1.0, TLS 1.1). Our TLS configuration is regularly tested and maintains an A+ rating on SSL Labs.
2.3 Agent Communication
The Panguard Guard endpoint agent communicates with our backend using certificate-pinned TLS connections with mutual authentication. Each agent receives a unique cryptographic identity during enrollment, preventing impersonation and man-in-the-middle attacks.
3. Access Control
3.1 Authentication
Panguard supports multiple authentication methods: email and password with enforced complexity requirements, SAML 2.0 and OIDC for single sign-on (SSO) integration, and hardware security key support (WebAuthn/FIDO2). Multi-factor authentication (MFA) is available for all accounts and is enforced for all Panguard employees.
3.2 Authorization
Our platform implements role-based access control (RBAC) with predefined roles (Owner, Admin, Analyst, Viewer) and the ability to create custom roles on the Business plan. All API endpoints enforce authorization checks, and access decisions are logged for audit purposes.
3.3 Internal Access
Panguard employee access to production systems follows the principle of least privilege. Access requires multi-factor authentication, is granted through just-in-time (JIT) provisioning, and is automatically revoked after a defined period. All access to customer data is logged and subject to regular review.
4. Monitoring and Logging
Panguard maintains comprehensive monitoring and logging across all platform components:
- Infrastructure Monitoring: Real-time monitoring of all servers, networks, and services with automated alerting for anomalies
- Application Logging: Structured logging of all application events, API requests, and authentication events
- Audit Logs: Immutable audit logs for all administrative actions, configuration changes, and data access events, retained for a minimum of one year
- Threat Detection: We use our own platform to monitor our own infrastructure, providing continuous threat detection and automated response
- SIEM Integration: All security-relevant logs are aggregated in a centralized SIEM platform with correlation rules and automated alerting
5. Incident Response
Panguard maintains a documented incident response plan that is tested and updated at least annually. Our incident response process follows industry best practices:
- Preparation: Dedicated security operations team with 24/7 on-call rotation, pre-defined runbooks for common incident types, and regular tabletop exercises
- Detection: Automated detection through our monitoring systems, supplemented by our responsible disclosure program and bug bounty
- Containment: Immediate containment measures to limit the scope and impact of incidents, including automated isolation capabilities
- Eradication: Root cause analysis and complete removal of threats from affected systems
- Recovery: Restoration of affected services with verification of integrity before returning to normal operations
- Post-Incident: Blameless post-incident reviews with published findings and preventive measures. Customers affected by security incidents are notified within 72 hours.
6. Compliance
Panguard holds the following certifications and adheres to the following regulations:
SOC 2 Type II
Annual audit covering security, availability, and confidentiality trust service criteria. Reports available to customers under NDA.
ISO 27001
Certified information security management system (ISMS) with annual surveillance audits and triennial recertification.
GDPR
Full compliance with the EU General Data Protection Regulation, including data processing agreements, data subject rights, and cross-border transfer mechanisms.
Taiwan Cyber Security Act
Compliance with Taiwan's Cyber Security Management Act, including security monitoring, incident reporting, and infrastructure protection requirements.
7. Third-Party Audits
Panguard engages independent, reputable third-party firms to conduct regular security assessments:
- Annual Penetration Testing: Comprehensive penetration tests covering external network, web application, API, and mobile application attack surfaces, conducted by certified penetration testing firms
- SOC 2 Type II Audit: Annual audit by an independent CPA firm validating our security, availability, and confidentiality controls
- ISO 27001 Certification Audit: Regular certification and surveillance audits by an accredited certification body
- Code Security Review: Periodic third-party code audits of critical platform components, including our AI threat detection models and agent software
Audit reports and certifications are available to customers and prospective customers under NDA. Please contact security@panguard.ai to request access.