Trust Centre

Welcome to the GuardMe Trust Centre.

In today’s rapidly evolving digital landscape, we are committed to safeguarding the security and privacy of all data entrusted to us. Whether you're an individual or represent an institution, your data matters—and we take its protection seriously.

On this page, you'll discover how GuardMe leverages enterprise-grade privacy & security techniques and conducts thorough audits of our applications, systems, and networks to ensure the confidentiality, integrity, and availability of your information.


Compliance


ISO 27001 is a globally recognized standard for building and implementing a strong information security management system (ISMS) that helps organizations protect sensitive data, manage risks, and meet the requirements of regulations such as GDPR.

GuardMe was first certified under this standard in 2022 and has consistently maintained full compliance since then, adhering to all requirements and best practices.

ISO 27701 is also an international standard, but one that serves as a privacy extension to ISO 27001. Its primary purpose is to help organizations establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).

By building on the existing ISMS framework with privacy-specific requirements and controls, this certification (first achieved by GuardMe in 2023 and repeated yearly thereafter) provides assurance to stakeholders that any personal data entrusted to us is managed in compliance with all international privacy regulations.

The American Institute of Certified Public Accountants (AICPA) is the professional organization responsible for developing and maintaining the SOC (System and Organization Controls) reporting framework. SOC 3 was created by the AICPA to help organizations demonstrate their commitment to strong internal controls across five key areas: security, availability, processing integrity, confidentiality, and privacy.

By undergoing an extensive independent audit and achieving SOC 3 attestation in 2024, GuardMe affirms its dedication to maintaining robust operational controls and safeguarding customer data. SOC 3 compliance offers transparent assurance to customers, clients, partners, and the public that GuardMe’s systems are designed and operated with high standards of security and reliability.

Security

At GuardMe, we design our systems with security in mind from the ground up—leveraging industry best practices, modern technologies, and rigorous internal standards. From infrastructure to application development, every layer is built to protect your data and ensure service integrity. By working to identify risks, respond to incidents, and uphold the highest standards of protection, we ensure a resilient and secure environment that safeguards our people, assets, and reputation against evolving threats.

Infrastructure security

GuardMe hosts its backup data and current call centre on servers in our Canadian Data Centre with strict physical and environmental controls. Access is controlled through pre-clearance requirements, graduated levels of entry, and coded access. Further, our Data Centre ensures additional layers of protection by utilizing backup power, enhanced HVAC systems, and waterless fire suppression.

Our network architecture is built with security and resilience in mind and ensures separation by required function and security level. We use a variety of architectural methods including purpose-based physical segmentation and air-gapping where required. This allows GuardMe to isolate systems, enforce strict access controls, and minimize risk. We utilize multiple levels of firewalls and intrusion detection to prevent threats. Redundancy and DDoS protection ensure high availability, while Zero Trust principles guide our access policies.

We partner with leading cloud providers who offer robust security controls and compliance certifications. Their infrastructure is regularly audited and aligned with global standards, and we ensure that they meet all contractual and industry security requirements, including maintaining data sovereignty in Canada.

Application security

Security is integrated into every phase of our development process, from design to deployment. We follow secure coding practices and conduct regular threat modeling.

All code undergoes peer review and automated testing to catch vulnerabilities early. We also use static and dynamic analysis tools to ensure code quality and security. In addition, our Quality Assurance (QA) department reviews and tests our code base, while dedicated QA automation analysts identify, test, and triage security vulnerabilities.

We regularly scan our systems to identify out-of-compliance or potentially vulnerable components, and apply patches prioritized by severity and risk. Our team tracks emerging threats and responds quickly to new advisories.

Data protection

In line with industry best practices, all electronic communications between you and GuardMe are encrypted in transit. All data at rest is also encrypted, using AES with 256-bit keys.

Encryption keys are managed securely using centralized key management systems. Access to keys is tightly restricted and logged for auditability.

Client data is logically separated to prevent cross-tenant access. Access is based on job function, granted on a least privilege basis, and regularly reviewed.

Identity & access management

Access to our network is restricted on an explicit need-to-know basis, utilizes the principle of least privilege, is frequently audited and monitored, and is controlled by our IT team.

Permissions are assigned based on roles to ensure GuardMe personnel only access what they need, in order to minimize risk.

MFA is required for access to all GuardMe systems, whether by GuardMe or client personnel, adding an extra layer of protection against unauthorized access.

Monitoring & incident response

Our systems are regularly monitored for suspicious activity using automated tools and human oversight. Alerts are triaged and investigated in real time.

We maintain a detailed Incident Response Plan that is regularly tested and updated. Our team is trained to respond quickly and effectively to any security event.

In the event of a breach, we follow clear protocols to protect the personal information under our control. GuardMe ensures that we notify all affected parties promptly and within the timeframes specified by the stakeholder’s requirements and in line with all applicable data protection legislation.

Security testing & audits

In addition to our internal scanning and testing, we employ external security experts to perform a broad penetration test across GuardMe’s network. These tests help identify and remediate vulnerabilities before they can be exploited.

Our security controls are independently audited against industry standards. Certifications like SOC 3 and ISO 27001 demonstrate our commitment to best practices.

Availability & continuity

GuardMe has implemented, and continues to improve, a full business continuity process to ensure we can maintain or quickly resume critical operations during and after disruptive events, thereby minimizing downtime and protecting stakeholder trust. Our Business Continuity Plan is regularly updated, and all staff are trained on how to respond appropriately in an emergency.

GuardMe has a disaster recovery program that returns our systems to full operation in the case of a disaster. This is accomplished through building a robust technical environment, creating a Disaster Recovery Plan, and conducting regular testing activities.

Employee security awareness

All employees complete privacy & security training during onboarding and yearly thereafter. Training covers phishing, data handling, and secure practices.

We monitor for unusual behavior and enforce strict access controls to reduce insider risk. Employees are held accountable through clear policies and audits.

Our acceptable use policies define how systems and data should be handled. These policies are reviewed regularly and agreed to annually by all staff.


Privacy

The robust privacy program run by GuardMe adheres to specific guidelines to protect the personally identifiable information (PII) and personal health information (PHI) we may collect, process, or disclose during our normal business operations. All legal and contractual requirements that apply to GuardMe’s business are reviewed annually, and any changes or updates are implemented immediately.


Legal compliance

The following sections describe the legislation with which GuardMe complies, including provincial, federal, and international acts.

PIPEDA is a Canadian law built on ten fair information principles that underlie the rules for the collection, use, access, and disclosure of personal information. The legislation has been amended several times since its enactment in 2000, driven by evolving technology, global data protection standards, and the need to address emerging risks in data handling in the digital economy; GuardMe has remained in compliance with every update.

GuardMe also complies with various pieces of provincial privacy legislation, including:

  • British Columbia
    • Freedom of Information and Protection of Privacy Act
    • E-Health Personal Health Information Access and Protection of Privacy Act
  • Alberta
    • Freedom of Information and Protection of Privacy Act
    • Health Information Act
  • Saskatchewan
    • Freedom of Information and Protection of Privacy Act
    • Health Information Protection Act
  • Manitoba
    • Freedom of Information and Protection of Privacy Act
    • Personal Health Information Act
  • Ontario
    • Freedom of Information and Protection of Privacy Act
    • Personal Health Information Protection Act
  • New Brunswick
    • Right to Information and Protection of Privacy Act
    • Personal Health Information Privacy and Access Act
  • Nova Scotia
    • Freedom of Information and Protection of Privacy Act
    • Personal Health Information Act
  • Prince Edward Island
    • Freedom of Information and Protection of Privacy Act
  • Newfoundland & Labrador
    • Access to Information and Protection of Privacy Act
    • Personal Health Information Act

GuardMe’s business approach has been anchored by a strong commitment to privacy, security, compliance, and transparency. This approach includes supporting our customer and client compliance with EU data protection requirements, such as those set out in the General Data Protection Regulation (“GDPR”).

If GuardMe collects, transmits, hosts, or analyzes personal data of EU citizens, GDPR requires us to use third-party data processors who guarantee their ability to implement the technical and organizational requirements of the GDPR.

Although the United Kingdom has withdrawn from the European Union, the European Commission has adopted adequacy decisions that ensure personal data can flow freely from the European Union to the United Kingdom, where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.

Privacy-related policies

  • Privacy Notice: describes how GuardMe protects the data it collects, processes, and discloses.
  • Cookie Notice: provides detailed information about how and when we use cookies on GuardMe websites, as well as how to control and delete them.
  • Privacy Breach Policy: provides directions and guidance for responding to breaches of personal information.
  • Privacy Policy for Websites: contains information regarding the privacy program in place at GuardMe.

Privacy assurance features

Privacy by Design is a methodology for proactively embedding privacy into information technology, business practices, and networked infrastructures. These measures are designed to anticipate and prevent privacy-invasive events before they occur.

GuardMe’s privacy and data protection program follows this unified approach to ensure that all personal data is fully protected while it is under our control.

GuardMe has tools to assist with individual requests and other obligations under applicable privacy and data protection laws and regulations, such as data access, correction, portability, deletion, and objection.

Any individual who seeks to exercise their data protection rights can complete a Data Access Request Form. Upon receipt of this Data Subject Access Request (DSAR), we will review the individual’s request against our industry guidelines (such as data retention) and then respond within thirty (30) days.

GuardMe operates an advanced set of access and encryption features to ensure client and customer data is effectively protected. We do not access or use client or customer data for any purpose other than providing, maintaining, and improving our services and as otherwise required by applicable law. Additional information is available here.

GuardMe fully complies with internationally recognized frameworks, including ISO and SOC 3. Our certifications are described in the Compliance section above.