GuardivionGuardivion← guardivion.com

Security Overview

Effective 26 June 2026 · Last updated 11 July 2026

How Guardivion protects your organisation and users with a device-based authentication architecture.

Draft — pending legal review. Guardivion is a pre-incorporation venture; a UK entity will be registered ahead of any formal commercial agreement. Items marked [TO BE CONFIRMED] are placeholders to be completed before publication. Guardivion is built with SOC 2, ISO/IEC 27001, and GDPR principles in mind and is not yet certified.
Scope. This overview describes the Guardivion platform as currently deployed for design-partner testing. It is provided for information; it is not a certification and does not constitute a contractual guarantee.

1. Our security model

Guardivion is built on a device-based authentication model. In the Guardivion mobile app, each user authenticates with an ECDSA P-256 key pair generated inside the device's hardware-backed keystore (e.g. Android Keystore / StrongBox), unlocked by the device's biometric or credential. The private key never leaves the device and is never transmitted to Guardivion — we hold only the public key. Authentication requests are delivered by push notification and approved on the device.

2. Administrator authentication

Access to the web portals uses an email and password plus a time-based one-time passcode (TOTP) for MFA. Passwords and API keys are hashed with Argon2id; session and activation values are stored only as SHA-256 hashes. Key management and org-lifecycle actions are restricted to owner-role accounts.

3. Compliance status

SOC 2Not yet certified. Built with SOC 2 principles in mind; a report is not yet available.
ISO/IEC 27001Not yet certified. Our information security management practices are designed with ISO/IEC 27001 in mind.
GDPR & UK GDPRDesigned to align with GDPR/UK GDPR through data minimisation and a published DPA (available on request — contact@guardivion.com).
PSD2 SCA (EU/UK)Designed with PSD2 SCA principles in mind: hardware-backed possession element with challenge signing and audit logging. Login supported today; payment approval with dynamic linking planned. SCA obligations remain with the payment service provider.

[TO BE CONFIRMED] target dates and the auditor / certification body, once engaged.

4. Data protection

5. Access control

6. Infrastructure & operations

The platform runs on Railway (PaaS; SOC 2 Type II and SOC 3 certified), with all application services, PostgreSQL, and Redis deployed in Railway's EU region. TLS terminates at Railway's edge; every service additionally enforces HSTS, a Content-Security-Policy, X-Content-Type-Options: nosniff, and X-Frame-Options: DENY. Tenant isolation is enforced with PostgreSQL row-level security scoped per organisation, and the internal administration service has no public domain — it is reachable only over Railway's private network. The platform maintains an append-only audit trail of administrative and key actions.

7. Secure development

Dependency vulnerability scanning (pip-audit) runs in every deployment build and fails the build on known CVEs. Code review and third-party penetration testing: [TO BE CONFIRMED] — describe current practice before publishing.

8. Resilience & continuity

Backup cadence, restore testing, and disaster-recovery targets (RPO/RTO): [TO BE CONFIRMED]. A public status page is [TO BE CONFIRMED] (not yet live).

9. Incident response

A documented incident-response process governs detection, triage, containment, and recovery. Customers affected by a personal data breach are notified without undue delay, consistent with our DPA (available on request — contact@guardivion.com) [TO BE CONFIRMED] (formalise the runbook and timeline).

10. Report a vulnerability

We welcome responsible disclosure. Email contact@guardivion.com with details and we will acknowledge promptly. Please do not access or modify data that is not yours.