Certifications
HarborGuard is early in its journey. SOC 2 Type II controls are implemented internally; a formal third-party audit is planned for 2026. ISO 27001 and FedRAMP audits are not currently scheduled. This page documents that honestly today, and will be updated as we begin and complete each program.
Current posture
| Framework | Status | Scope | Latest report |
|---|---|---|---|
| SOC 2 Type II | Controls implemented internally; formal third-party audit planned for 2026 | HarborGuard SaaS platform and supporting infrastructure | None yet |
| ISO 27001:2022 | Control mapping only; formal audit not currently scheduled | Information security management system covering the SaaS platform | None yet |
| HIPAA | Control mapping only. HarborGuard processes only technical metadata (SBOMs, vulnerability data, image manifests) and does not receive, store, or transmit PHI. HarborGuard is not a Business Associate; no BAA required or offered | Technical safeguards mapping for container-security posture | N/A |
| PCI-DSS | Out of scope | HarborGuard does not store, process, or transmit cardholder data; Stripe handles all card data | N/A |
| FedRAMP | FedRAMP Moderate control templates only; platform itself is not FedRAMP-authorized | Control mapping for federal customers operating their own FedRAMP boundaries | N/A |
| GDPR / UK GDPR | DPA available on request | EU and UK customer data | DPA on request |
| CCPA / CPRA | Aligned to CCPA / CPRA principles — see DPA addendum | California consumer data | DPA on request |
Requesting reports
Once formal audit reports, ISO certificates, penetration-test summaries, or signed DPAs are available, customers and prospects will be able to request them under a mutual NDA. To be notified when each artifact becomes available:
- Email trust@harborguard.co from a corporate domain.
- Tell us which artifact you are interested in tracking.
- We will reach out as soon as the artifact is issued.
We will publish bridge letters, audit reports, and certificates here as soon as they are issued. Until then, this page reflects the current state honestly rather than implying audits in flight.
Continuous monitoring
HarborGuard does not yet operate a formal continuous-controls-monitoring program. Adopting a GRC platform — and the controls evidence that comes with it — is part of the work that will accompany our first SOC 2 engagement.
Penetration testing
HarborGuard has not yet commissioned an independent third-party penetration test. We intend to do so as the product matures, and will publish a redacted summary here once the first engagement completes.