GuardivionGuardivion← Back to app

Security Overview

Effective 26 June 2026 · Last updated 26 June 2026

How Guardivion protects your organisation and users with a device-based authentication architecture.

Draft — pending legal review. Guardivion is a pre-incorporation venture; a UK entity will be registered ahead of any formal commercial agreement. Items marked [TO BE CONFIRMED] are placeholders to be completed before publication. Guardivion is working toward formal SOC 2 and ISO/IEC 27001 certification and is not yet certified.

1. Our security model

Guardivion is built on a device-based authentication model. In the Guardivion mobile app, each user authenticates with an ECDSA P-256 key pair generated inside the device's hardware-backed keystore (e.g. Android Keystore / StrongBox), unlocked by the device's biometric or credential. The private key never leaves the device and is never transmitted to Guardivion — we hold only the public key. Authentication requests are delivered by push notification and approved on the device.

2. Administrator authentication

Access to the web portals uses an email and password plus a time-based one-time passcode (TOTP) for MFA. Passwords are hashed with Argon2id; session, activation, and API-key values are stored only as SHA-256 hashes. Key management and org-lifecycle actions are restricted to owner-role accounts.

3. Compliance status

SOC 2In progress. We are building toward a SOC 2 examination; a report is not yet available.
ISO/IEC 27001In progress. We are working toward certification of our information security management system.
GDPR & UK GDPRDesigned to align with GDPR/UK GDPR through data minimisation and a published DPA.

[TO BE CONFIRMED] target dates and the auditor / certification body, once engaged.

4. Data protection

5. Access control

6. Infrastructure & operations

Hosting provider, network controls (WAF/DDoS), logging and monitoring are deployment-dependent and should be documented here: [TO BE CONFIRMED]. The platform maintains an append-only audit trail of administrative and key actions.

7. Secure development

Practices such as code review, dependency scanning, and third-party penetration testing: [TO BE CONFIRMED] — describe what you currently do before publishing.

8. Resilience & continuity

Backup cadence, restore testing, and disaster-recovery targets (RPO/RTO): [TO BE CONFIRMED]. A public status page is [TO BE CONFIRMED] (not yet live).

9. Incident response

A documented incident-response process governs detection, triage, containment, and recovery. Customers affected by a personal data breach are notified without undue delay, consistent with our DPA [TO BE CONFIRMED] (formalise the runbook and timeline).

10. Report a vulnerability

We welcome responsible disclosure. Email [TO BE CONFIRMED] (security contact) with details and we will acknowledge promptly. Please do not access or modify data that is not yours.