Security & Trust
We're a security company.
Our own security is non-negotiable.
You trust us to protect your infrastructure. That means we hold ourselves to a higher standard than we hold anyone else. Here is exactly how we do it.
Practices
How we secure ourselves.
These are not aspirational goals. They are current, enforced practices that apply to every line of code, every deployment, and every employee.
Local-First Architecture
Panguard runs entirely on your machine. Apart from optional software update checks and rule feed syncs, no data is sent to any server unless you opt in to Threat Cloud. Your security data, scan results, and configuration never leave your device.
End-to-End Encryption
Credential and configuration stores are encrypted at rest (AES-256); all network traffic is protected in transit (TLS 1.3). Key material stays on your device.
Detection Stays On-Device
Detection is deterministic and runs entirely on your machine -- event payloads are never sent anywhere to be classified. The only data that can leave is an optional, anonymized threat pattern contributed to Threat Cloud (PII stripped first).
Auditable, Deterministic Decisions
Every automated action is logged with the rule, confidence score, and signals behind it. Because detection is deterministic, you can reproduce exactly why an event was flagged and what response was executed.
Open Source Transparency
Panguard is fully open source (MIT license). Every line of code is auditable on GitHub. Community security reviews and contributions are welcome.
Secure Development Lifecycle
Every code change goes through automated SAST/DAST scanning, dependency auditing, and peer review. We follow OWASP best practices and maintain a bug bounty program for external researchers.
Compliance
Frameworks we follow.
Compliance is not a checkbox exercise. It is the minimum bar. We build to the spirit of these frameworks, not just their letter.
Our own SOC 2 Type II readiness program is in progress, with controls aligned to the trust service criteria covering Security, Availability, and Confidentiality. Formal attestation is targeted for Q4 2026 / Q1 2027.
ISO 27001 certification is on our roadmap for 2026. Our information security management system (ISMS) is being built to ISO 27001 standards from day one, making certification a formalization rather than a transformation.
Panguard is designed for GDPR compliance by default. Data minimization, purpose limitation, and the right to erasure are built into the architecture. We offer Data Processing Agreements (DPA) to all customers.
For customers operating under Taiwan's semiconductor cybersecurity requirements, Panguard's reporting and audit capabilities are designed to map to SEMI E187 controls for fab equipment and industrial environments.
Data Handling
What stays local. What goes to the cloud.
Transparency about data flows is fundamental. Here is a complete breakdown of where your data lives and what -- if anything -- leaves the device.
On-Device (Local)
- Raw system logs and telemetry
- Context Memory baseline database
- ATR rule engine and results
- Behavioral baseline, AST, and correlation (all detection)
- Incident response playbook execution
- Full event history and forensic logs
Cloud (Ephemeral, optional)
- Anonymized threat patterns for new rule proposals (PII stripped)
- Collective threat intelligence contributions (hashed IOCs only)
- Software update checks and rule feed syncs
Never Transmitted
- Raw IP addresses or hostnames (Threat Cloud contributions carry only the hashed or generic forms described under Anonymization Pipeline)
- User credentials or tokens
- File contents or source code
- Database contents or query logs
- Personal or business data
Anonymization Pipeline
Before any threat pattern is contributed to the collective intelligence network, it passes through a multi-stage anonymization pipeline. IP addresses are hashed, hostnames are replaced with generic identifiers, file paths are normalized, and user data is removed entirely.
The pipeline is deterministic, so the same threat pattern always produces the same anonymized signature -- enabling correlation without exposing identity.
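As an added illustration of the pipeline just described (example code, not Panguard's own implementation): each stage is a pure function, so the same input always yields the same output and the same signature. The field names, the HMAC-SHA256 keyed hashing, the per-deployment key and the sample event are all assumptions of this example. The keyed hash is a deliberate choice: the IPv4 space is small enough to enumerate, so an unkeyed hash of an address can be reversed by brute force; with a key, correlating the same indicator across deployments requires the contributors to share that key.

```python
"""Deterministic anonymization pipeline (added example, not Panguard code)."""
import hashlib
import hmac
import ipaddress
import json
import re

# Per-deployment secret for keyed hashing (constructed for this example).
# An unkeyed hash of an IPv4 address is reversible by enumerating all 2**32
# values, so the example keys the hash with HMAC-SHA256.
SECRET_KEY = b"example-deployment-secret"

# Assumed event schema: which fields get which treatment.
IP_FIELDS = ("src_ip", "dst_ip")
HOST_FIELDS = ("host", "hostname")
PATH_FIELDS = ("path",)
USER_FIELDS = ("user", "username", "email")   # removed entirely
FREE_TEXT_FIELDS = ("message",)               # scrubbed for IPs and usernames

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOME_RE = re.compile(r"^(/home|/Users)/[^/]+")
_WIN_PROFILE_RE = re.compile(r"^([A-Za-z]:\\Users\\)[^\\]+")


def _keyed(value: str) -> str:
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def hash_ip(ip: str) -> str:
    """Keyed hash of an IP address; the same address always maps to the same token."""
    ipaddress.ip_address(ip)            # raises ValueError on malformed input
    return "ip-" + _keyed(ip)[:16]


def generic_host(hostname: str) -> str:
    """Replace a hostname with a stable, generic identifier."""
    return "host-" + _keyed(hostname.lower())[:8]


def normalize_path(path: str) -> str:
    """Strip the user-specific component of home/profile directories."""
    path = _HOME_RE.sub(r"\1/<USER>", path)
    return _WIN_PROFILE_RE.sub(r"\1<USER>", path)


def _ip_token(match: re.Match) -> str:
    try:
        return hash_ip(match.group(0))
    except ValueError:
        return match.group(0)            # dotted quad that is not an address (e.g. a version)


def scrub_text(text: str, users: list[str]) -> str:
    """Replace embedded IPs with their tokens and known usernames with a placeholder."""
    text = _IPV4_RE.sub(_ip_token, text)
    for user in users:
        if user:
            text = re.sub(rf"\b{re.escape(user)}\b", "<USER>", text)
    return text


def anonymize(event: dict) -> dict:
    """Apply the pipeline to one event; returns a new dict and never mutates the input."""
    users = [str(event[f]) for f in USER_FIELDS if f in event]
    out = {}
    for key, value in event.items():
        if key in USER_FIELDS:
            continue                     # user data is dropped, not hashed
        if key in IP_FIELDS:
            out[key] = hash_ip(value)
        elif key in HOST_FIELDS:
            out[key] = generic_host(value)
        elif key in PATH_FIELDS:
            out[key] = normalize_path(value)
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_text(value, users)
        else:
            out[key] = value
    return out


def signature(anon_event: dict) -> str:
    """Deterministic signature over the canonical JSON form of the anonymized event."""
    canonical = json.dumps(anon_event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


SAMPLE_EVENT = {   # constructed input, not real telemetry
    "rule": "ssh-bruteforce",
    "src_ip": "203.0.113.42",
    "host": "db01.corp.example",
    "user": "alice",
    "path": "/home/alice/.ssh/authorized_keys",
    "message": "Failed password for alice from 203.0.113.42 port 51544",
}

if __name__ == "__main__":
    anon = anonymize(SAMPLE_EVENT)
    print(json.dumps(anon, indent=2))
    print("signature:", signature(anon))
```

Run it as a script to see the scrubbed event and its signature. Which fields feed the signature (all of them here) decides whether two events that differ only in attacker address correlate, so a real pipeline would choose that set deliberately.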
Responsible Disclosure
Found a vulnerability in Panguard? We appreciate security researchers who help us keep our users safe. Please report any security issues through our responsible disclosure program.
We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours.
ENCRYPTION & KEY MANAGEMENT
Encryption, Key Rotation & Audit Logging
How we protect data at rest and in transit, rotate keys, and track every access.
Data in Transit
TLS 1.3 for all API communication. Certificate pinning for Threat Cloud connections. HTTPS enforced with HSTS (1-year max-age + preload).
Data at Rest
AES-256 encryption for credential storage. Configuration files with restricted permissions (0600). Baseline data stored locally, never transmitted.
Audit Logging
Every detection, response action, and configuration change is logged with timestamp, source, and actor. Logs stored locally with optional syslog forwarding.
Permission Model
Runs as unprivileged user where possible. Root only required for network monitoring and IP blocking. Sandboxed execution for scan operations.
SERVICE LEVEL
SLA Summary
Our commitments to all users.
Panguard is 100% free and open source. Community support via GitHub issues.
Trust Center
Documentation you can verify.
Download our security documentation, request audit reports, or review our compliance artifacts.
SOC 2 Type II Report
Targeted for Q4 2026 / Q1 2027 (see Compliance)
Penetration Test Summary
Available on request
Data Processing Agreement (DPA)
Available
Security Whitepaper
Available
Architecture Overview
Available
Incident Response Plan
Available on request
Questions about our security?
Our team is happy to discuss our security practices or provide documentation. Reach out via GitHub or email.