Security doctrine.
How we keep the perimeter quiet. What we use today, what we are working toward, and how to reach us if you find a crack in the wall.
Last updated · May 2026 · Version 1.0
Our Security Doctrine
Security is the product. Every line of code, every architectural choice, every vendor we work with is filtered through one question: would we trust this with our own family's data?
We publish this page so you can verify our practices, not just believe them. Where we have certifications, they are listed. Where we do not yet hold them, we say so.
Encryption
Data is encrypted at every stage of its life with the Digital Guardian Suite.
- In transit — TLS 1.2 or higher on every endpoint and webhook. HSTS is enforced on all public domains. We do not accept connections that negotiate deprecated cipher suites.
- At rest — AES-256 across primary databases, document stores, backups, and offsite snapshots.
- Vault-grade fields — The most sensitive fields (journal text, financial credentials, family contact PII, Guardian Mind reflections) are double-encrypted with per-tenant keys derived from a hardware-backed root.
- Field-level redaction — Display systems unwrap only the fields required for the current view. The full vault is never decrypted into memory at once.
Infrastructure
The suite runs on hardened, Kubernetes-managed infrastructure with continuous baseline monitoring.
- Network isolation — Private VPCs with default-deny ingress. Public surfaces are limited to the edge load balancer and our static marketing pages.
- Secrets management — No secrets in source code. Production credentials live in encrypted secret stores with audited access.
- Defence in depth — Multiple layers (WAF, rate limiting, anomaly detection, request fingerprinting) sit between the public internet and any data plane.
- Backups — Encrypted, versioned, geo-redundant. Restore drills are conducted quarterly.
Access & Key Management
Who can touch what — and when — is one of the questions we obsess over most.
- Least privilege — Role-based access. No standing access to production data; every access is just-in-time and time-bound.
- Multi-factor — Mandatory hardware-backed MFA for any human access to production systems.
- Audit logging — Every administrative action is logged immutably and reviewed periodically by a second pair of eyes.
- Key rotation — Customer segment keys are rotated on a published schedule. Master keys live in hardware-backed key vaults and are never exported.
Incident Response
We hope you never need to read this section. We've written it carefully so that if you do, you'll know exactly what to expect.
- Detection — 24/7 automated monitoring with on-call rotation. Anomalies trigger paging within minutes.
- Containment — Documented runbooks for the most common incident classes. We isolate first, investigate second.
- Notification — In the event of a confirmed breach involving your personal information, we will notify you within 72 hours, in line with the Australian Notifiable Data Breaches scheme and GDPR Article 33.
- Postmortem — Every material incident receives a public, blameless writeup, sent to subscribers of security@digital-guardian.info.
AI Safety
Several features rely on large language models. We treat AI as a security-relevant surface, not a free pass.
- Minimum context — We send only the prompt context required for the feature. Your full vault is never streamed to a third-party model.
- No training without consent — Your personal content is not used to train our underlying models unless you have explicitly opted into a research program.
- Prompt-injection defence — User-supplied content is sandboxed from system instructions. We scan inbound text for injection patterns before downstream calls.
- Output filtering — AI outputs that touch finance, family safety, or mental wellness pass through a guardrail layer before being shown.
Third-Party Vendors
We choose vendors who are themselves serious about security:
- Stripe — PCI DSS Level 1 certified. We never see your full card number; all payment data is tokenised at the edge.
- Resend — SOC 2 Type II. Email is transactional only — no marketing lists, no third-party tracking pixels in our emails.
- MongoDB Atlas / Equivalent — ISO 27001, SOC 2 Type II, HIPAA-ready. Network-isolated, at-rest encrypted.
- AI providers — Selected for zero-retention API endpoints where available. We do not use consumer-grade LLM accounts in production.
A full sub-processor list is available on request to security@digital-guardian.info.
Compliance & Certifications
Where we stand today, written honestly:
- Australian Privacy Principles — Aligned. See our Privacy Policy for the section-by-section breakdown.
- GDPR — Aligned for users in the EU. Article 33 breach notification protocols in place.
- CCPA — Aligned for users in California.
- SOC 2 Type II — In preparation. Anticipated audit completion within 12 months of general availability.
- ISO 27001 — Under consideration for the medium term.
We will not claim certifications we do not hold. This section is updated quarterly.
Responsible Disclosure
If you believe you have discovered a security vulnerability, we want to hear from you. We commit to:
- Not pursue legal action — against researchers operating in good faith under this policy.
- Acknowledge — within 48 hours.
- Triage — within 5 business days.
- Patch — on a timeline commensurate with severity, communicated to you.
- Credit — publicly in our security hall of recognition (with your permission).
In scope:
- Authentication or authorisation flaws
- Server-side or client-side injection
- Privilege escalation
- Information disclosure of sensitive data
- Encryption weaknesses
- Business-logic flaws with security impact
Out of scope:
- Volumetric DoS / DDoS
- Social engineering against staff or customers
- Physical attacks against our offices or staff
- Reports requiring stolen credentials or already-known leaks
- Issues in third-party services we do not control
How to Report
For confidential reports:
Security
Digital Guardian Suite
security@digital-guardian.info
Please include a clear reproduction path, the impact you observed, and any proof-of-concept that would help us triage. PGP key available on request.
Thank you for helping us keep the perimeter quiet.
© 2026 Digital Guardian Suite · Discretion · Encryption · End-to-end privacy