Guardsquare Security Statement

Privacy

Customers of Guardsquare are required to register for a Guardsquare account to obtain access to download products, licenses, and manuals. This platform has a minimal collection of personal information, limited to the name and email address of individuals who need access to Guardsquare products. In addition, Guardsquare SaaS products may collect additional personal information. The data processing requirements for these products are outlined in our Data Processing Agreement (DPA). In addition to your Guardsquare account and our SaaS products, you may establish a relationship with Guardsquare through our website or direct interactions with our employees; in these cases, you will be covered by the Guardsquare Privacy Policy.

Information Security

Guardsquare is committed to ensuring the highest level of protection for its and its customers’ information assets. To achieve this, the company has implemented a comprehensive information security program encompassing various measures such as risk assessments, security awareness training, incident response planning, access control, encryption, monitoring, and compliance with relevant regulations. Guardsquare follows the internationally recognized CIS Critical Security Controls framework to safeguard its systems and data from cyberattacks.

Production Infrastructure Access

Guardsquare follows industry best practices to maintain the security and integrity of sensitive systems and data in our production environments, including following the principle of least privilege and role-based access control and using strong authentication mechanisms such as multi-factor authentication. Additionally, the release and deployment of software to our production environments are controlled using automated continuous integration (CI) services and restricted service accounts. All user and service accounts require a unique identifier.

Access Reviews

To ensure that only authorized personnel have access to production systems, we conduct access reviews on in-scope systems every quarter. These reviews are in addition to our automated controls, and they help us limit administrative access based on appropriate roles and responsibilities. Our Chief Information Officer leads the governance efforts, and our Information Technology team completes the necessary internal audits.

Systems Change Management Procedures

Guardsquare has established a Systems Change Management Policy and supporting procedures that define the minimum requirements for managing changes to our production environments (systems, supporting infrastructure, and key corporate systems). The goal is to reduce the risk of unauthorized changes to production systems by providing consistency in the way changes are made from the initial change request to production deployment.

Guardsquare Employees

Employees must review and understand their responsibilities outlined in our Acceptable Use Policy (AUP). Additionally, employees must sign a confidentiality and non-disclosure agreement (NDA), agreeing not to disclose proprietary or confidential information, including customer information, to unauthorized parties.

Guardsquare has a robust security awareness training program. All new hires are required to complete selected training within their first week. Furthermore, all employees and contractors are required to participate in monthly micro-trainings covering various topics related to general security and privacy and ad-hoc role-based awareness as required. This approach ensures that security is at the forefront for Guardsquare employees at all times. Additionally, periodic phishing simulation campaigns are conducted for all employees to increase awareness and test employee knowledge of the tactics and techniques used by malicious actors. Employees are enrolled in supplemental phishing training following failed phishing simulations.

Guardsquare security incident management involves the processes and practices to detect, respond to, mitigate, and recover from security incidents. If you have a security concern or wish to report an incident, you may report it directly to security@guardsquare.com.

Cyber Incident Response Planning

Guardsquare maintains a comprehensive cyber incident response plan that outlines the steps to be taken during a security incident. This includes defining roles and responsibilities, establishing communication channels, and creating incident response playbooks.

Product Security

Guardsquare SaaS products are hosted and managed on Google’s secure data centers and utilize the Google Cloud Platform (GCP) technology. As a result, we employ a shared responsibility model, with Google Cloud Platform products regularly undergoing independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance, or audit reports against standards worldwide. For more information on GCP compliance, see their website. Our SaaS infrastructure on GCP is configured to undergo continuous vulnerability scanning. This scanning process identifies vulnerabilities, such as unpatched software, misconfigurations, and potential malware threats. It also provides valuable insights into external exposures, excessive permissions, exposed secrets, and possible lateral movement paths within our infrastructure. This proactive approach helps us ensure the robust security of our SaaS services. Guardsquare downloadable products are hosted in our customers’ environments and are not dependent on any Guardsquare infrastructure to perform as intended. Software Development Lifecycle Our Engineering teams follow a comprehensive software development lifecycle process and prioritize thoroughness in implementing application changes. Before any changes are implemented in the production environment, they conduct a series of tests. These tests include source code reviews, security evaluations, functional testing, and performance testing. An independent person, separate from the original developer, typically performs these tests. To maintain separation and prevent any impact on our production environments, we execute development and testing activities in separate environments. Our commitment to diligent testing ensures that our applications are rigorously evaluated and safe for use.

For our Saas products, we protect and encrypt your confidential data in Guardsquare environments, both in transit and at rest where data is stored. Customer data is transferred over a Transport Layer Security (TLS v1.2+) connection and is encrypted (AES256) at rest.

Internal

During the development of product features, security design reviews are conducted in coordination with our internal security research Team. All application changes by our development teams also undergo peer code reviews. Through annual penetration testing and through release review by our security research team (where applicable), any security concerns or vulnerabilities are managed. The engineering and security teams review the results of these testing efforts and implement measures to address vulnerabilities.

External

Guardsquare contracts third-party firms to perform annual penetration tests to ensure no malicious code or other vulnerabilities are present in Guardsquare applications and infrastructure. The engineering and security teams review the results and implement measures to address vulnerabilities.

Backups and Recovery

Guardsquare has implemented a plan to ensure that Guardsquare meets business and availability requirements for our products, where applicable.

We utilize GCP's "Cloud Snapshots" service to ensure the backup of our SaaS infrastructure. These snapshots are created as point-in-time copies of persistent disks within our GCP environment. They capture the complete state of the disks, including both data and metadata, enabling us to restore them to previous states when necessary. For our databases, we have a daily backup schedule in place, and the resulting snapshots are retained for a period of seven days. As part of our disaster recovery strategy, these snapshots are stored in a separate region within the European Union (EU), ensuring redundancy and availability in case of unforeseen events. Similarly, our storage instance snapshots are strategically distributed across multiple zones within a single EU region. This setup strengthens our disaster recovery capabilities by providing additional resilience and fault tolerance. In summary, our SaaS infrastructure benefits from the reliability and flexibility of GCP's Cloud Snapshots, enabling us to safeguard our data and maintain operational continuity in the face of potential disruptions.

Our development infrastructure is separate from our production infrastructure and is not used for any public-facing services or hosting of production data. It is mainly used to support our development teams, and it may occasionally contain limited customer data for testing purposes to support a customer. This infrastructure is backed up both locally and to a secondary location. Depending on the system or service, backups are performed on a daily, weekly, and monthly basis. Backups for critical services are retained for five weeks, and backups for all other services are retained for three weeks. Restoration from backups is tested twice yearly.

Responsible Disclosure

At Guardsquare, we are committed to ensuring the security and integrity of our web applications and protecting the privacy of our users. We recognize that security researchers and ethical hackers play a vital role in helping us identify and address potential vulnerabilities in these applications. We have developed a responsible disclosure policy that outlines how we handle the responsible disclosure of web application security vulnerabilities.