Trust & Security
HarborGuard scans the software supply chain, so we treat our own security posture as a first-class product feature. This section is the public-facing summary that vendor-risk and procurement teams can rely on during due diligence.
HarborGuard is an early-stage product, and this Trust section is an honest snapshot of where we are today rather than a roadmap of where we plan to be. SOC 2 Type II controls are implemented internally; a formal third-party audit is planned for 2026. ISO 27001 and FedRAMP audits are not currently scheduled. We will update each page as the product matures, audits begin, and certifications are issued — so customers and prospects can follow our progress with confidence.
At a glance
| Area | Status |
|---|---|
| SOC 2 Type II | Controls implemented internally; formal third-party audit planned for 2026 |
| ISO 27001 | Control mapping only; formal audit not currently scheduled |
| HIPAA | Control mapping only; HarborGuard does not process PHI and is not a Business Associate. No BAA required or offered |
| PCI-DSS scope | Out of scope (card data handled by Stripe) |
| FedRAMP | Moderate control templates only; platform is not FedRAMP-authorized |
| Encryption in transit | TLS 1.2+ |
| Encryption at rest | AES-256-GCM envelope encryption for credentials |
| Customer data residency | US (primary) |
In this section
Certifications
Where HarborGuard stands on formal audits today, and how that will change as we mature.
Data Protection
Encryption, key management, retention, and deletion commitments.
Sub-processors
Third parties that may process HarborGuard customer data.
Incident Response
Notification commitments and the incident severity model.
Vulnerability Disclosure
Coordinated disclosure policy and researcher safe-harbor terms.
Contact
- General inquiries and partnerships:
hello@harborguard.co - Security and disclosure:
security@harborguard.co - Privacy and DPA requests:
privacy@harborguard.co - Vendor due diligence:
trust@harborguard.co