Trust Center

Security is what we do. Transparency is how we do it.

As a Product Security company, we hold ourselves to the highest standard when it comes to security. This page outlines how we protect your data, our compliance posture, and the practices that keep our platform secure.

Security

How we protect your data

Security is embedded in everything we build and operate. We apply rigorous controls across every layer of our platform to keep your data safe.

Encryption

All data in transit is encrypted using TLS 1.2 or above with TLS 1.3 preferred. All data at rest including databases, backups and file storage is encrypted using NIST-recommended cryptographic algorithms.

Key Management

Encryption keys are securely managed through a dedicated key management service. Secrets are stored in a centralized secrets manager. Keys are rotated annually or immediately upon suspected compromise.

Infrastructure Security

All code and infrastructure changes are scanned for security vulnerabilities prior to deployment. Infrastructure is provisioned using infrastructure-as-code and production environments are hardened with tightly restricted access. All infrastructure components are hosted within the EU.

Data Isolation

Multi-tenant SaaS environment with logical separation. Each customer's data is isolated and access is enforced at every layer of the stack. Customer source code is temporarily processed during scans and then discarded.

Authentication & Access Control

Role-based access control (RBAC) across all systems with the principle of least privilege. MFA is enforced for all accounts, supporting FIDO2/WebAuthn, authenticator apps, and passkeys.

Vulnerability Management

Continuous automated scanning covers source code, dependencies, and infrastructure. We enforce strict remediation SLAs: Critical within 1 day, High within 7, Medium within 30, and Low within 90 days.

Logging & Audit

Both application and database level operations are logged, including all privileged actions. Admin audit logs are retained for 400 days and general logs for 30 days. Logs are stored with strict access controls to prevent tampering.

Input Validation & API Security

All inputs are validated and outputs are encoded to prevent common injection attacks. API access uses per-user API keys. Web login supports authentication with SAML SSO (Okta, Google, Microsoft).

Supplier Management

All third-party suppliers and subprocessors are subject to security reviews before onboarding. Suppliers are bound by data protection agreements and must meet our security requirements. Critical suppliers are reviewed annually.

Compliance

Standards and certifications

We are committed to meeting the compliance requirements our customers depend on.

GDPR

Compliant

Gardera is EU-based and fully GDPR compliant. We maintain a Data Processing Agreement (DPA) as part of our MSA. We assist customers in fulfilling data subject requests including access, rectification, erasure, restriction, portability, and objection.

ISO 27001

In Progress

Our Information Security Management System (ISMS) is aligned with ISO 27001 requirements. We are working towards formal certification.

SOC 2 Type I & II

Planned

We are planning to pursue SOC 2 Type I & II certification to independently validate our security controls across availability, confidentiality, and processing integrity.

Data Handling

Your data, your control

Full transparency about how your data is processed, stored, and protected.

Data Residency

All data is stored and processed exclusively within the EU. Primary infrastructure is hosted on Google Cloud in European regions. Database services are also hosted within the EU. Data is accessed exclusively from within the EU; no employees or subprocessors access customer data from outside the EU.

Data Retention & Deletion

Customer data is retained for the duration of the service agreement. Upon termination, customers may request data in a machine-readable format. Data is then securely deleted from all systems, including subprocessors, within 30 days. Evidence of deletion can be provided upon request.

Source Code Handling

Source code is temporarily stored only to perform scans and is then discarded. Only security findings, metadata, and asset information persist for the purpose of delivery of the service.

No Training on Your Data

Customer data is never used to train or fine-tune AI models. We may use anonymized and aggregated data for statistics and benchmarking without the customer's identity being identifiable. Production data containing sensitive information is not used in testing environments.

Subprocessors

Third-party data processors

All subprocessors are bound by written agreements with data protection obligations equivalent to our DPA. We conduct annual reviews of critical suppliers.

ProviderLocationPurpose
Google CloudBelgiumPrimary cloud infrastructure
Neo4jBelgiumGraph database
PineconeNetherlandsVector database
CloudflareGlobal edge networkEdge compute, DDoS protection, and WAF

AI Usage

How we use AI

Gardera uses AI for risk prioritization, contextualization, and remediation recommendations. Customer data is never used to train or fine-tune any models.

LLM-Agnostic Architecture

Gardera is LLM-agnostic and not tied to any single model provider. Currently, all models run in Europe on Google Cloud infrastructure. We do not train or fine-tune any models ourselves. Customer data is never used for model training or improvement.

Agentic AI

The platform supports agentic AI capabilities where agents are heavily guided to follow a defined methodology. Agents use custom tools with no external integrations.

Incident Response

How we handle security incidents

We are committed to rapid, transparent communication in the event of any security incident.

Breach Notification

We commit to notifying customers within 24 hours of becoming aware of a data breach affecting the confidentiality, integrity, or availability of customer data.

Ongoing Communication

We provide ongoing status updates until a breach is fully resolved and perform post-incident reviews to identify root causes and corrective actions.

Security Contact

Our security team is available for urgent matters. All employees have the necessary security competence to respond to incidents.

Personnel

People and access

Security starts with the people who build and operate the platform.

Background Checks

All current and future employees are subject to background checks, including criminal records. All employees are bound by strict Non-Disclosure Agreements (NDAs).

Security Expertise

All employees have strong security backgrounds and the necessary competence to respond to security incidents. Security awareness training is embedded into onboarding for all new hires.

Access Revocation

Upon termination of employment, all access rights are revoked immediately. Shared credentials are not permitted or used internally. Sensitive actions are reserved for service accounts belonging to deployment pipelines.

Policies

Documentation and policies

Review our policies and legal documents.

Still have questions?

Our team is happy to answer questions about our security practices, provide additional documentation, or discuss your specific compliance requirements.

Contact Security Team

© 2026 Gardera Security. All rights reserved.