Security & Trust

We're a security company. Our own security is non-negotiable.

You trust us to protect your infrastructure. That means we hold ourselves to a higher standard than we hold anyone else. Here is exactly how we do it.

Practices

How we secure ourselves.

These are not aspirational goals. They are current, enforced practices that apply to every line of code, every deployment, and every employee.

Single-Tenant Architecture

Every customer deployment runs in an isolated environment. There is no shared database, no shared compute, and no shared network segment. A breach in one tenant cannot propagate to another.

End-to-End Encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are managed per-tenant with automatic rotation every 90 days. Key material never leaves the hardware security module.

Zero Data Retention

Cloud AI queries are ephemeral. Payloads sent to Claude or GPT are not stored, not used for training, and not logged beyond the request lifecycle. PII is stripped before any data leaves the device.

Auditable AI Decisions

Every automated action taken by Panguard is logged with a full reasoning chain. You can trace exactly why an event was flagged, what confidence score it received, and what response was executed.

Continuous Penetration Testing

We engage independent third-party security firms to conduct penetration tests on a quarterly basis. Critical findings are remediated within 48 hours. Test results are available to enterprise customers upon request.

Secure Development Lifecycle

Every code change goes through automated SAST/DAST scanning, dependency auditing, and peer review. We follow OWASP best practices and maintain a bug bounty program for external researchers.

Compliance

Frameworks we follow.

Compliance is not a checkbox exercise. It is the minimum bar. We build to the spirit of these frameworks, not just their letter.

SOC 2 Type II: In Progress

We are actively pursuing SOC 2 Type II certification covering Security, Availability, and Confidentiality trust service criteria. Our audit is conducted by a Big Four firm. Expected completion: Q3 2026.

ISO 27001: Planned

ISO 27001 certification is on our roadmap for 2026. Our information security management system (ISMS) is being built to ISO 27001 standards from day one, making certification a formalization rather than a transformation.

GDPR: Compliant

Panguard is designed for GDPR compliance by default. Data minimization, purpose limitation, and the right to erasure are built into the architecture. We offer Data Processing Agreements (DPA) to all customers.

Taiwan Cybersecurity Management Act: Compliant

For customers operating under Taiwan's Cybersecurity Management Act, Panguard's reporting and audit capabilities are designed to meet regulatory requirements for critical infrastructure providers.

Data Handling

What stays local. What goes to the cloud.

Transparency about data flows is fundamental. Here is a complete breakdown of where your data lives and what -- if anything -- leaves the device.

On-Device (Local)

  • Raw system logs and telemetry
  • Context Memory baseline database
  • Sigma/YARA rule engine and results
  • Local LLM inference (Ollama)
  • Incident response playbook execution
  • Full event history and forensic logs

Cloud (Ephemeral)

  • Anonymized event payloads (PII stripped)
  • Cloud AI inference requests (not stored)
  • Collective threat intelligence contributions (hashed IOCs only)
  • Software update checks and rule feed syncs

Never Transmitted

  • IP addresses or hostnames
  • User credentials or tokens
  • File contents or source code
  • Database contents or query logs
  • Personal or business data

Anonymization Pipeline

Before any event data is sent to cloud AI or the collective intelligence network, it passes through a multi-stage anonymization pipeline. IP addresses are hashed, hostnames are replaced with generic identifiers, file paths are normalized, and user data is removed entirely. The pipeline is deterministic, so the same threat pattern always produces the same anonymized signature -- enabling correlation without exposing identity.
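
A deterministic anonymization step of the kind described above, as an added illustration that is not Panguard's code. It assumes a keyed HMAC rather than a bare hash, because an unkeyed hash of an IPv4 address can be reversed by enumerating the 2^32 address space; the field names, key and sample events are constructed for the example.

```python
import hashlib
import hmac
import json
import re

KEY = b"constructed-demo-key"          # assumption: a secret pseudonymization key
DROP = {"user", "email"}               # user data is removed entirely
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOME_RE = re.compile(r"^(/home/|/Users/|[A-Za-z]:\\Users\\)[^/\\]+")


def token(kind, value, key=KEY):
    """Deterministic keyed pseudonym: same value and key give the same token."""
    mac = hmac.new(key, f"{kind}:{value.lower()}".encode(), hashlib.sha256)
    return f"{kind}-{mac.hexdigest()[:16]}"


def anonymize(event, key=KEY):
    """Return a copy of the event with identifying fields replaced or dropped."""
    out = {}
    for field, value in event.items():
        if field in DROP:
            continue
        if field.endswith("_ip"):
            value = token("ip", value, key)
        elif field == "hostname":
            value = token("host", value, key)
        elif field == "path":
            # Normalize per-user home directories to a generic placeholder.
            value = HOME_RE.sub(r"\1<user>", value)
        elif isinstance(value, str):
            # Free text can carry addresses too; replace any that appear.
            value = IP_RE.sub(lambda m: token("ip", m.group(), key), value)
        out[field] = value
    return out


def signature(event, key=KEY):
    """Stable digest of the anonymized event, usable as a correlation key."""
    canonical = json.dumps(anonymize(event, key), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample events: same activity, different local user accounts.
EVENT_A = {"rule": "ssh_key_added", "src_ip": "203.0.113.7", "hostname": "db01",
           "user": "alice", "path": "/home/alice/.ssh/authorized_keys",
           "message": "login from 203.0.113.7"}
EVENT_B = dict(EVENT_A, user="bob", path="/home/bob/.ssh/authorized_keys")
```

Because the tokens depend on the key, two parties can correlate signatures only if they share it; rotating the key breaks linkage to earlier tokens.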

Responsible Disclosure

Found a vulnerability in Panguard? We appreciate security researchers who help us keep our users safe. Please report any security issues through our responsible disclosure program. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours.

Trust Center

Documentation you can verify.

Download our security documentation, request audit reports, or review our compliance artifacts.

SOC 2 Type II Report

Coming Q3 2026

Penetration Test Summary

Available on request

Data Processing Agreement (DPA)

Available

Security Whitepaper

Available

Architecture Overview

Available

Incident Response Plan

Available on request

Questions about our security?

Our security team is happy to discuss our practices, provide documentation, or schedule a deep-dive call with your CISO.