This Security Policy outlines the measures, procedures, and guidelines that Guardey follows to ensure the security of data and systems. This policy applies to all employees, contractors, and third parties who have access to Guardey’s systems and data.
Guardey aims to:
• Protect the confidentiality, integrity, and availability of data.
• Prevent unauthorized access and threats.
• Comply with relevant laws, regulations, and industry standards.
• Least Privilege: Access is granted only to the necessary data and systems.
• Accountability: Everyone within Guardey is responsible for adhering to security measures.
• Identification and Authentication: All users must authenticate via multi-factor authentication (2FA) using email. Single Sign-On (SSO) via Microsoft is also utilized to streamline and secure access.
• Authorization: Guardey employs a role-based access control (RBAC) model that governs organizational units, user accounts, and user groups.
• Account Management: The creation, maintenance, and deletion of accounts follow strictly defined procedures.
• Encryption: All data in transit is protected with TLS.
• Data Classification: Data is classified based on sensitivity and handled accordingly.
• Backups: Daily backups of the database are made and stored encrypted in multiple regions within our hosting. In the event of loss of production data, these backups can be used to restore the data.
• Firewall: Guardey uses the Cloudflare Web Application Firewall (WAF) to protect applications from attacks.
• Network Segmentation: A dedicated production environment is maintained, ensuring that customer data is never stored or processed in non-production systems.
• Intrusion Detection: Continuous monitoring and logging of network infrastructure to detect and prevent unauthorized access.
• Development Guidelines: Developers follow security guidelines and best practices for secure coding.
• Secure Application Development: All our code changes are checked by a second developer and through CI for quality, bugs and vulnerabilities.
Then the changes to a pre-production environment are checked again. If everything works properly, one of our administrators can approve the change, after which an automated roll-out of the change takes place in the production environment.
• Vulnerability Management: Regular scans and updates to identify and fix vulnerabilities.
• Security Testing: Periodic penetration testing and code reviews.
• Data Centers: Guardey’s data is housed in secure data centers located in the Netherlands (EU) to comply with EU data protection and privacy regulations. These data centers employ physical access restrictions, surveillance systems, and environmental safeguards.
• Access to Physical Locations: Only authorized personnel have access to sensitive locations.
• Incident Response Plan: Detailed procedures for reporting and handling security incidents.
• Communication: Defined internal and external communication protocols during incidents.
• Forensics: Investigation and analysis of incidents to determine causes and impacts.
• Monitoring Tools: Guardey uses various monitoring tools to oversee and manage changes to its infrastructure.
• Logging: All changes and actions within the Guardey environment are meticulously logged. Alerts are generated based on the severity or potential impact of changes.
• Data Erasure: Customers are responsible for their data and can instruct Guardey to delete all their data in compliance with applicable laws, unless regulations mandate retention.
• Qualys SSL Labs: Guardey has an A-grade qualification.
• Regulatory Compliance: Guardey ensures that all security measures comply with relevant laws and regulations, such as the GDPR.
• Review and Updates: This policy is regularly reviewed and updated to ensure it remains aligned with changing threats and technologies.
• Monitoring and Enforcement: Guardey monitors and enforces compliance with this policy among all involved parties.
At Guardey, we practice what we preach. As a company that offers security awareness training through weekly nano learning sessions, we ensure that all our employees are also rigorously trained using our own product. This not only keeps our team up to date with the latest security practices but also demonstrates our commitment to security from within. Our employees participate in these engaging and informative training sessions, ensuring that security awareness is always top of mind.
