Trust
A security company has to act like one.
HarborGuard scans your containers for vulnerabilities — so the bar for our own platform is high. This page is a plain-language summary of how we protect customer data and how we respond to disclosed issues.
Encryption everywhere
- TLS 1.3 in transit, AES-256-GCM at rest for registry credentials.
- Envelope encryption with org-scoped data keys; master key never leaves KMS.
- Field-level encryption for SSO secrets (SAML certs, OIDC client secrets).
Authentication and access
- NextAuth-backed credentials, with bcrypt password hashing and per-user MFA.
- Multi-tenant SAML and OIDC with SCIM provisioning.
- Role-based access (Owner / Admin / Member / Viewer) with row-level org scoping.
- API keys are HMAC-bound and scoped; rotate from /settings/api-keys without downtime.
Tenant isolation
- Every Postgres query goes through an org-scoped middleware that injects the tenant predicate.
- Workers receive only the org context they need; cross-org data access fails closed.
- Sensor-side scans run in single-use Docker containers, destroyed after each run.
Audit and observability
- Every policy edit, role change, key rotation, and report export emits an immutable audit event.
- Audit-log exports are themselves audited.
- Structured Pino logs to stdout; integrate with Datadog, CloudWatch, or any OpenTelemetry-compatible collector.
Compliance posture
- SOC 2 Type II controls implemented and audit-tested.
- GDPR data subject rights honored via /settings/danger.
- All sub-processors documented in our DPA at /legal/dpa.
Vulnerability disclosure
If you find a security issue in HarborGuard, please report it directly to security@harborguard.co. We follow RFC 9116; our policy is published at /.well-known/security.txt. We aim to acknowledge reports within one business day and to ship a fix or mitigation within fourteen days for high-severity findings.
We don't run a public bug bounty yet, but we credit reporters in our changelog and never threaten or pursue researchers acting in good faith.
Related documents
- Data Processing Addendum
- Privacy policy
- Trust documentation