Trust Center
Security is what we do. Transparency is how we do it.
As a Product Security company, we hold ourselves to the highest standard when it comes to security. This page outlines how we protect your data, our compliance posture, and the practices that keep our platform secure.
Security
How we protect your data
Security is embedded in everything we build and operate. We apply rigorous controls across every layer of our platform to keep your data safe.
Encryption
All data in transit is encrypted using TLS 1.2 or above with TLS 1.3 preferred. All data at rest including databases, backups and file storage is encrypted using NIST-recommended cryptographic algorithms.
Key Management
Encryption keys are securely managed through a dedicated key management service. Secrets are stored in a centralized secrets manager. Keys are rotated annually or immediately upon suspected compromise.
Infrastructure Security
All code and infrastructure changes are scanned for security vulnerabilities prior to deployment. Infrastructure is provisioned using infrastructure-as-code and production environments are hardened with tightly restricted access. All infrastructure components are hosted within the EU.
Data Isolation
Multi-tenant SaaS environment with logical separation. Each customer's data is isolated and access is enforced at every layer of the stack. Customer source code is temporarily processed during scans and then discarded.
Authentication & Access Control
Role-based access control (RBAC) across all systems with the principle of least privilege. MFA is enforced for all accounts, supporting FIDO2/WebAuthn, authenticator apps, and passkeys.
Vulnerability Management
Continuous automated scanning covers source code, dependencies, and infrastructure. We enforce strict remediation SLAs: Critical within 1 day, High within 7, Medium within 30, and Low within 90 days.
Logging & Audit
Both application and database level operations are logged, including all privileged actions. Admin audit logs are retained for 400 days and general logs for 30 days. Logs are stored with strict access controls to prevent tampering.
Input Validation & API Security
All inputs are validated and outputs are encoded to prevent common injection attacks. API access uses per-user API keys. Web login supports authentication with SAML SSO (Okta, Google, Microsoft).
Supplier Management
All third-party suppliers and subprocessors are subject to security reviews before onboarding. Suppliers are bound by data protection agreements and must meet our security requirements. Critical suppliers are reviewed annually.
Compliance
Standards and certifications
We are committed to meeting the compliance requirements our customers depend on.
GDPR
Gardera is EU-based and fully GDPR compliant. We maintain a Data Processing Agreement (DPA) as part of our MSA. We assist customers in fulfilling data subject requests including access, rectification, erasure, restriction, portability, and objection.
ISO 27001
Our Information Security Management System (ISMS) is aligned with ISO 27001 requirements. We are working towards formal certification.
SOC 2 Type I & II
We are planning to pursue SOC 2 Type I & II certification to independently validate our security controls across availability, confidentiality, and processing integrity.
Data Handling
Your data, your control
Full transparency about how your data is processed, stored, and protected.
Data Residency
All data is stored and processed exclusively within the EU. Primary infrastructure is hosted on Google Cloud in European regions. Database services are also hosted within the EU. Data is accessed exclusively from within the EU; no employees or subprocessors access customer data from outside the EU.
Data Retention & Deletion
Customer data is retained for the duration of the service agreement. Upon termination, customers may request data in a machine-readable format. Data is then securely deleted from all systems, including subprocessors, within 30 days. Evidence of deletion can be provided upon request.
Source Code Handling
Source code is temporarily stored only to perform scans and is then discarded. Only security findings, metadata, and asset information persist for the purpose of delivery of the service.
No Training on Your Data
Customer data is never used to train or fine-tune AI models. We may use anonymized and aggregated data for statistics and benchmarking without the customer's identity being identifiable. Production data containing sensitive information is not used in testing environments.
Subprocessors
Third-party data processors
All subprocessors are bound by written agreements with data protection obligations equivalent to our DPA. We conduct annual reviews of critical suppliers.
| Provider | Location | Purpose |
|---|---|---|
| Google Cloud | Belgium | Primary cloud infrastructure |
| Neo4j | Belgium | Graph database |
| Pinecone | Netherlands | Vector database |
| Cloudflare | Global edge network | Edge compute, DDoS protection, and WAF |
AI Usage
How we use AI
Gardera uses AI for risk prioritization, contextualization, and remediation recommendations. Customer data is never used to train or fine-tune any models.
LLM-Agnostic Architecture
Gardera is LLM-agnostic and not tied to any single model provider. Currently, all models run in Europe on Google Cloud infrastructure. We do not train or fine-tune any models ourselves. Customer data is never used for model training or improvement.
Agentic AI
The platform supports agentic AI capabilities where agents are heavily guided to follow a defined methodology. Agents use custom tools with no external integrations.
Incident Response
How we handle security incidents
We are committed to rapid, transparent communication in the event of any security incident.
Breach Notification
We commit to notifying customers within 24 hours of becoming aware of a data breach affecting the confidentiality, integrity, or availability of customer data.
Ongoing Communication
We provide ongoing status updates until a breach is fully resolved and perform post-incident reviews to identify root causes and corrective actions.
Security Contact
Our security team is available for urgent matters. All employees have the necessary security competence to respond to incidents.
Personnel
People and access
Security starts with the people who build and operate the platform.
Background Checks
All current and future employees are subject to background checks, including criminal records. All employees are bound by strict Non-Disclosure Agreements (NDAs).
Security Expertise
All employees have strong security backgrounds and the necessary competence to respond to security incidents. Security awareness training is embedded into onboarding for all new hires.
Access Revocation
Upon termination of employment, all access rights are revoked immediately. Shared credentials are not permitted or used internally. Sensitive actions are reserved for service accounts belonging to deployment pipelines.
Policies
Documentation and policies
Review our policies and legal documents.
Still have questions?
Our team is happy to answer questions about our security practices, provide additional documentation, or discuss your specific compliance requirements.
Contact Security Team