Data Privacy
Guardian Pro is built with data privacy as a foundational design principle, not an afterthought. Every aspect of the platform -- from how data is collected, to how it is stored and processed -- is designed to protect the confidentiality and integrity of your information.
This page explains Guardian Pro's data handling practices, encryption standards, tenant isolation guarantees, and your rights over your data.
What Data Does Guardian Pro Collect?
Guardian Pro collects resource configuration metadata from your AWS accounts. This includes:
| Data Type | Examples | What Is NOT Collected |
|---|---|---|
| Resource configurations | Encryption status, public access settings, logging configuration | File contents, database records, application data |
| Resource metadata | Resource IDs, ARNs, names, tags, regions | Secrets, passwords, API keys |
| Cost data | Aggregated spending by service and region | Individual transaction details |
| IAM metadata | User and role names, policy names, access key ages | Credential values, secret keys |
| Network configuration | Security group rules, VPC layouts, subnet CIDRs | Network traffic, packet data |
Guardian Pro reads how your infrastructure is configured, not what your infrastructure contains. Configuration metadata tells Guardian Pro whether your storage is encrypted, not what is stored in it.
Encryption
At Rest
All data stored by Guardian Pro is encrypted at rest using industry-standard encryption. Your resource configurations, findings, cost data, compliance records, and all other stored information is encrypted using AES-256 encryption with keys managed through a dedicated key management service.
In Transit
All data transmitted between your AWS accounts and Guardian Pro, and between your browser and the Guardian Pro console, is encrypted in transit using TLS 1.2 or higher. This applies to:
- API calls from the Guardian Pro console to the backend
- Cross-account role assumption and AWS API calls
- Real-time communication channels for live updates
- Webhook notifications to external systems
Guardian Pro enforces HTTPS for all connections. HTTP requests are automatically redirected to HTTPS.
Tenant Isolation
Guardian Pro is a multi-tenant platform, and tenant isolation is enforced at the architectural level. Your data is physically separated from other tenants' data through the data model design itself.
How Isolation Works
Every piece of data stored in Guardian Pro is scoped to your organization and account using a composite key structure. This means:
- Your data is physically keyed to your organization -- Queries cannot accidentally (or intentionally) retrieve another tenant's data.
- Cross-tenant access is architecturally impossible -- The data access layer enforces tenant scoping on every operation, not just at the application layer.
- No shared tables without isolation -- There are no "global" tables where data from multiple tenants is mixed without key-level isolation.
Verification
Guardian Pro's tenant isolation is verified through:
- Automated integration tests that confirm cross-tenant queries return zero results
- Regular security reviews of the data access layer
- Architectural design that makes isolation a property of the key structure, not application logic
If your organization requires a dedicated, single-tenant deployment for regulatory reasons, contact us about our Enterprise plan options. See Subscription Plans.
Data Residency
Guardian Pro processes and stores data in the AWS region where the platform is deployed. Your resource metadata is collected from all AWS regions where your workloads run, but it is stored centrally in the Guardian Pro deployment region.
Data Collected from Your Accounts
When Guardian Pro scans your AWS accounts, it reads resource configurations via AWS APIs. This data transits directly from your AWS account to the Guardian Pro service within the AWS network.
Data Retention
| Data Type | Retention Period |
|---|---|
| Active findings | Retained while the finding is active, plus historical records |
| Resolved findings | Retained for historical trend analysis and compliance auditing |
| Cost data | Up to 12 months of historical cost data |
| Scan results | Full history retained for trend analysis |
| Compliance records | Full history retained for audit reporting |
| AI Assistant conversations | Retained for the duration of your subscription |
| Audit logs | Retained for the duration of your subscription |
Data Deletion
When you remove an account from Guardian Pro, all data associated with that account is permanently deleted. When you cancel your subscription, all organizational data is deleted after a 30-day grace period.
You can request immediate data deletion at any time by contacting support. All data will be permanently removed within 72 hours of your request.
AI and Your Data
Guardian Pro uses AI capabilities to provide intelligent insights, power the AI Assistant, and generate infrastructure recommendations. Here is how your data is handled in AI interactions:
- Your data is never used to train AI models -- Conversations with the AI Assistant and infrastructure analysis are processed but never used as training data.
- Context is session-scoped -- The AI Assistant receives relevant context about your current environment to answer questions accurately, but this context is not persisted beyond the conversation.
- No data sharing -- Your infrastructure data is never shared with third parties, including AI model providers.
Compliance Certifications
Guardian Pro's infrastructure and data handling practices are aligned with industry security standards. The platform is deployed on infrastructure that maintains certifications including:
- SOC 2 Type II
- ISO 27001
- GDPR compliance
For specific compliance questions or to request Guardian Pro's security documentation, contact support.
Your Rights
As a Guardian Pro customer, you have the right to:
- Access your data -- Export your findings, cost data, and compliance records at any time through the platform's export features.
- Delete your data -- Request deletion of specific account data or your entire organization's data.
- Understand data processing -- This page, along with our privacy policy, provides transparency into how your data is handled.
- Control data collection -- You control which AWS accounts are connected and can revoke access at any time by removing the IAM role.
Security Incident Response
In the unlikely event of a security incident affecting your data, Guardian Pro will:
- Notify affected organizations within 72 hours of discovery.
- Provide a detailed incident report including scope, impact, and remediation steps.
- Offer direct support to help you assess any impact to your AWS environment.
To report a security concern, contact our security team at the email provided on the Contact page.
Next Steps
- IAM Permissions -- Review the permissions Guardian Pro requires.
- Multi-Factor Authentication -- Add an extra layer of protection to your Guardian Pro account.
- Audit Logging -- Track every action taken in your Guardian Pro organization.
- Subscription Plans -- Learn about Enterprise options for dedicated deployments.