Trust Centre

Hello and welcome to the guard.me Trust Centre.

guard.me recognizes the rapidly changing digital world and is committed to protecting the security and privacy of all data entrusted to us. Whether you are an individual or an institution, guard.me cares about keeping your data safe.

On this page, you will find how we use a combination of enterprise-class security features and comprehensive audits of our applications, systems, and networks to protect the confidentiality, integrity, and availability of your data.



Compliance


guard.me is ISO 27001:2013 certified.

guard.me is ISO 27701:2019 certified.

guard.me is compliant with SOC 2, Type I standards.

Security

Infrastructure security

Data centre physical security

guard.me hosts its data only on servers in Canadian data centres.

Our current data centre providers ensure further layers of protection by providing backup power, HVAC systems, and fire suppression equipment.

Physical security controls include pre-clearance requirements, biometric entry requirements, graduated levels of entry, and coded access.

Vendor security

guard.me reduces the risks associated with third-party vendors by performing annual risk assessments of any level of access they have to our systems or the data we manage.

Network security

Our network security architecture ensures separation by required function and security level.

Network security scanning helps us quickly identify out-of-compliance or potentially vulnerable systems.

In addition to our internal scanning and testing, we employ external security experts to perform a broad penetration test across guard.me’s network.

guard.me makes use of third party tools to scan our application continuously and dynamically for common web application security risks.

Our Security Information and Event Management (SIEM) system gathers logs from network devices and host systems, then raises alerts to our IT team based on correlated events for investigation and response.

We utilize multiple levels of firewalls and intrusion detection commensurate with the classification level of the data contained on the systems.

We participate in several threat intelligence sharing programs, allowing us to act based on risk.

Our colocation partners employ third-party DDoS mitigation services.

Access to our network is restricted on an explicit need-to-know basis, follows the principle of least privilege, is frequently audited and monitored, and is controlled by our IT team. Employees accessing the network are required to use multi-factor authentication.

If a system alert occurs, events are tracked and escalated to the appropriate team within guard.me. Employees are trained on response processes, including communication channels and escalation paths.

Encryption

All communications with guard.me are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and guard.me is protected in transit. For email, our product uses opportunistic TLS by default: Transport Layer Security (TLS) encrypts mail between mail servers, mitigating eavesdropping wherever the peer mail server also supports the protocol; where the peer does not, mail is delivered without transport encryption.

guard.me data is encrypted at rest using AES-256 (256-bit keys).

Availability & Continuity

guard.me has a disaster recovery program that returns our systems to full operation in the event of a disaster. This is accomplished by building a robust technical environment, maintaining a Disaster Recovery Plan, and regularly testing it.

Application security

Security Development

guard.me ensures all software engineers receive secure code training, based on OWASP Top 10 security risks.

We leverage certification frameworks with defined security controls to ensure our Information Security Management System (ISMS) and Privacy Information Management System (PIMS) limit our exposure to risk.

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated QA automation analysts identify, test, and triage security vulnerabilities in code.

The testing and QA environments are logically separated from the production environment. No customer or client data is used in our development or test environments. Only anonymized data is used for these purposes.

Product security

Authentication security

Access is limited to pre-approved parties, and secure passwords are required.

Additional product security features

Access to data within guard.me is governed by role-based access control (RBAC). guard.me supports various permission levels for users.

guard.me applies IP restrictions to non-public-facing applications, inbound connections, and all APIs. Port restrictions are also used for added protection.

HR security

Security awareness

guard.me has a comprehensive set of privacy and security policies and procedures covering a range of topics. These policies are shared with and made available to all employees and contractors with access to guard.me information assets.

All employees attend security awareness training, which is given upon hire and annually thereafter. The IT team provides additional security awareness updates via email and in presentations during internal events.

Employee vetting

guard.me performs background checks on all new employees and contractors in accordance with local laws.

All new hires are required to sign an Employment Agreement that includes clauses around non-disclosure and confidentiality.


guard.me’s privacy program

The robust privacy program run by guard.me adheres to specific guidelines around protecting the personally identifiable information (PII) and personal health information (PHI) that we may collect, process, or disclose during our normal business operations.

As with all legal requirements that apply to guard.me’s business, we maintain a program to ensure any changes to legislation are immediately reviewed and actioned for implementation.


Compliance

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA went into effect in Canada in 2000 and focuses on ten fair information principles that underlie the rules for the collection, use, access, and disclosure of personal information. Coming changes may include greater privacy and transparency rights, as requested in 2021 by the International Technology Association of Canada and Information Technology Industry Council.

Other provincial privacy legislation that guard.me complies with includes:

  • British Columbia
    • Freedom of Information and Protection of Privacy Act
    • E-Health Personal Health Information Access and Protection of Privacy Act
  • Alberta
    • Freedom of Information and Protection of Privacy Act
    • Health Information Act
  • Saskatchewan
    • Freedom of Information and Protection of Privacy Act
    • Health Information Protection Act
  • Manitoba
    • Freedom of Information and Protection of Privacy Act
    • Personal Health Information Act
  • Ontario
    • Freedom of Information and Protection of Privacy Act
    • Personal Health Information Protection Act
  • New Brunswick
    • Right to Information and Protection of Privacy Act
    • Personal Health Information Privacy and Access Act
  • Nova Scotia
    • Freedom of Information and Protection of Privacy Act
    • Personal Health Information Act
  • Prince Edward Island
    • Freedom of Information and Protection of Privacy Act
  • Newfoundland and Labrador
    • Access to Information and Protection of Privacy Act
    • Personal Health Information Act

General Data Protection Regulation (GDPR)

guard.me’s business approach has been anchored by a strong commitment to privacy, security, compliance, and transparency. This approach includes supporting our customer and client compliance with EU data protection requirements, such as those set out in the General Data Protection Regulation (“GDPR”).

If guard.me collects, transmits, hosts, or analyzes personal data of EU citizens, GDPR requires us to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR.

Data Protection Act (DPA)

Although the United Kingdom has withdrawn from the European Union, the European Commission adopted adequacy decisions that ensure personal data can flow freely from the European Union to the United Kingdom, where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.


Privacy-related policies

Detailed information about how and when we use cookies on guard.me websites, as well as how to control and delete them.

Cookie Notice

Detailed information about how guard.me protects the data it collects, processes, and discloses.

Privacy Notice

Information regarding the privacy program in place at guard.me.

Privacy Policy for Websites

Directions and guidance for how we respond to breaches of personal information.

Privacy Breach Policy



Application features related to privacy

guard.me has tools to assist with user requests and other obligations under applicable privacy and data protection laws and regulations, such as data access, correction, portability, deletion, and objection.

Any individual who seeks to exercise their data protection rights can contact us.

Upon receipt of a data subject access request (DSAR), we will respond within thirty (30) days. We retain personal data in accordance with our industry guidelines.

guard.me provides an advanced set of access and encryption features to help clients and customers effectively protect their information. We do not access or use client or customer data for any purpose other than providing, maintaining, and improving our services and as otherwise required by applicable law. Additional information is available here.

guard.me has demonstrated compliance with internationally recognized frameworks, including ISO and SOC. Our certifications are described here.

Our global privacy and data protection program takes a unified approach to ensuring that personal data is automatically protected while it is under our control.

