Security Policy

Last Updated: November 14, 2025

Effective Date: November 14, 2025

1. Introduction

Security is fundamental to Guard.ch's mission of providing privacy-focused virtual machine services. This Security Policy outlines the technical and organizational measures we implement to protect customer data, ensure platform integrity, and maintain the confidentiality, availability, and resilience of our services.

This policy applies to all Guard.ch systems, infrastructure, employees, contractors, and third-party service providers.

2. Security Principles

Guard.ch's security program is built on the following core principles:

2.1 Privacy by Design and Default

Minimal data collection (only what is necessary)
Strong encryption for data in transit and at rest
Complete VM isolation and content privacy
Automatic data deletion after VM termination
No monitoring of VM content

2.2 Defense in Depth

Multiple layers of security controls
Network segmentation and isolation
Access controls at multiple levels
Redundant security mechanisms

2.3 Least Privilege

Access granted only as needed to perform job functions
Regular access reviews and revocation
Separation of duties for critical operations

2.4 Continuous Improvement

Regular security assessments and penetration testing
Security awareness training for personnel
Monitoring of security threats and vulnerabilities
Proactive security updates and patches

2.5 Transparency and Accountability

Clear communication about security practices
Incident response and notification procedures
Regular security audits and reviews
Documentation of security controls

3. Infrastructure Security

3.1 Data Center Security

Primary Data Center: Hetzner Helsinki (Finland)

Physical security: 24/7 monitoring, access controls, surveillance
Environmental controls: Redundant power, cooling, fire suppression
Network security: DDoS protection, firewalls, intrusion detection
Certifications: ISO 27001, ISO 9001, PCI DSS

US Data Center: OVH Hillsboro (Oregon, USA)

Used only for US customer VM sessions (no persistent data storage)
Physical security: Secured facilities with access controls
Network security: DDoS mitigation, redundant connectivity

3.2 Network Security

Network Architecture:

Network segmentation using VLANs and Kubernetes network policies
Isolated networks for VMs, management, and public access
Strict firewall rules limiting inter-VM communication
NAT and port mapping for controlled VM access

DDoS Protection:

Cloudflare DDoS mitigation (automatic and always-on)
Rate limiting and traffic filtering
Capacity to absorb large-scale attacks

Firewalls:

Hardware firewalls at data center perimeter
Software firewalls (iptables, nftables) on all servers
Application-level firewalls for web services
Default-deny policies with explicit allow rules

Intrusion Detection and Prevention:

Network-based intrusion detection (monitoring for malicious traffic)
Log aggregation and analysis via Axiom
Automated alerting for suspicious activity
Regular review of security logs

3.3 Server and Host Security

Operating System Hardening:

Minimal OS installations (only necessary packages)
Regular security updates and patches (automated where possible)
Kernel hardening (AppArmor, SELinux, seccomp)
Disabled unnecessary services and ports

Access Controls:

SSH key-based authentication only (password authentication disabled)
Multi-factor authentication (MFA) for administrative access
Bastion hosts for secure administrative access
No direct root login (sudo with logging)

Monitoring and Logging:

Centralized logging via Axiom (30-day retention)
Real-time monitoring of system resources and security events
Automated alerts for anomalies and security incidents
Audit trails for all administrative actions

3.4 Virtualization Security

KVM/libvirt Isolation:

Hardware-assisted virtualization (Intel VT-x / AMD-V)
Full VM isolation using KVM hypervisor
Dedicated resources per VM (no oversubscription)
Memory isolation and CPU pinning

VM Image Security:

Base Windows images from official Microsoft sources
Regular updates to base images
Integrity verification of images
QCOW2 linked clones for efficient provisioning

VM Network Isolation:

Each VM on isolated virtual network
Port-based access control (RDP, VNC, HTTP)
No direct VM-to-VM communication
NAT-based internet access

VM Lifecycle Security:

Automated VM provisioning with secure defaults
Unique MAC addresses and IP assignments
Automatic VM termination and cleanup
Secure wiping of VM disks upon deletion

4. Data Security

4.1 Encryption

Encryption in Transit:

TLS 1.3 for all HTTPS connections (API, web interface)
Perfect Forward Secrecy (PFS) using ECDHE key exchange
Strong cipher suites (AES-256-GCM, ChaCha20-Poly1305)
HSTS (HTTP Strict Transport Security) enabled
Certificate pinning for critical connections

Encryption at Rest:

Encrypted storage for sensitive data (passwords, API keys, tokens)
Database encryption using AES-256
Encrypted backups
Secure key management practices

VM Content:

Customers are responsible for encrypting sensitive data within VMs
We recommend full-disk encryption for highly sensitive workloads
VM disks are securely wiped upon deletion

4.2 Data Isolation

Customer Data Isolation:

Strict access controls preventing access to other customers' data
Database-level isolation using unique customer identifiers
VM-level isolation using Kubernetes namespaces and network policies
No shared storage between customers

VM Content Privacy:

Guard.ch has no access to the content of customer VMs
No monitoring, logging, or inspection of VM activity
VM content is encrypted at the hypervisor level
Complete content deletion upon VM termination

4.3 Data Deletion

VM Deletion:

Immediate and irreversible deletion of VM disks upon termination
QCOW2 backing files overwritten using secure deletion methods
No VM content retained after deletion
Automated cleanup of orphaned resources

Account Deletion:

Complete deletion of personal data within 30 days of account deletion
All VMs immediately terminated and deleted
Billing records retained only as required by law (10 years for Swiss tax compliance)
Backups purged within 90 days

4.4 Backup and Disaster Recovery

Infrastructure Backups:

Regular automated backups of infrastructure configuration
Encrypted backup storage
Geographically distributed backup locations
Tested disaster recovery procedures

Customer Responsibility:

Guard.ch does not back up VM content
Customers are responsible for backing up data within VMs
VMs can be terminated at any time; export data regularly

5. Application Security

5.1 Secure Development Practices

Development Standards:

Secure coding guidelines for all developers
Code reviews for all changes (pull request approval required)
Static code analysis (linters, security scanners)
Dependency vulnerability scanning (npm audit, Snyk)
Regular security training for developers

Input Validation and Output Encoding:

Strict input validation for all user inputs
Parameterized queries to prevent SQL injection
Output encoding to prevent XSS attacks
Content Security Policy (CSP) headers

Authentication and Authorization:

Secure password hashing (bcrypt with strong work factor)
Support for WebAuthn/passkeys (FIDO2)
OAuth 2.0 integration (Google, Microsoft)
Session management with secure cookies (HttpOnly, Secure, SameSite)
Multi-factor authentication support
Rate limiting on authentication endpoints

API Security:

Bearer token authentication for API access
API key rotation and expiration
Rate limiting and throttling
Input validation and sanitization
CORS policies to prevent unauthorized access

5.2 Vulnerability Management

Vulnerability Scanning:

Regular automated vulnerability scans of infrastructure and applications
Dependency vulnerability monitoring
Third-party penetration testing (periodic)
Bug bounty program (under consideration)

Patch Management:

Critical security patches applied within 24 hours
High-priority patches within 7 days
Regular patch cycles for routine updates
Testing before production deployment

Responsible Disclosure:

Security researchers encouraged to report vulnerabilities responsibly
Email: security@guard.ch
Acknowledgment within 48 hours
Good-faith commitment not to pursue legal action against researchers acting in good faith

5.3 Third-Party Security

Vendor Risk Management:

Security assessments of all third-party service providers
Review of security certifications (ISO 27001, SOC 2, etc.)
Data Processing Agreements with all subprocessors
Regular vendor security reviews

Open Source Dependencies:

Regular dependency updates
Vulnerability scanning of dependencies
License compliance review
Minimal dependency footprint

6. Access Control

6.1 Identity and Access Management

User Authentication:

Strong password requirements (minimum 12 characters, complexity rules)
Support for WebAuthn/passkeys (phishing-resistant)
OAuth 2.0 integration for enterprise SSO
Session timeout after 7 days of inactivity
Account lockout after repeated failed login attempts

Administrative Access:

Multi-factor authentication (MFA) required for all administrative access
SSH key-based authentication with passphrase protection
Privileged access management (PAM) for sensitive operations
Just-in-time (JIT) access provisioning

Access Reviews:

Quarterly access reviews for all personnel
Immediate revocation upon termination or role change
Principle of least privilege enforced
Separation of duties for critical operations

6.2 Role-Based Access Control (RBAC)

Customer Roles:

Account Owner: Full control over account and billing
Team Manager: User management and VM control
Team Member: VM usage within limits

Internal Roles:

Administrator: Infrastructure management
Developer: Code deployment and development
Support: Customer assistance (limited data access)
Read-only: Monitoring and reporting

6.3 Logging and Monitoring

Access Logging:

All authentication events logged
All administrative actions logged
API access logged with IP addresses and timestamps
Logs retained for 30 days in Axiom

Monitoring and Alerting:

Real-time monitoring of access patterns
Automated alerts for suspicious activity
Failed login attempt monitoring
Privileged action auditing

7. Incident Response

7.1 Security Incident Response Team (SIRT)

Team Composition:

Incident Response Lead
Technical Investigators
Communications Lead
Legal/Compliance Advisor (as needed)

Contact: security@guard.ch

7.2 Incident Response Process

Detection and Triage:

Automated detection via monitoring systems
Manual reports from users or security researchers
Initial assessment and severity classification
Assignment to appropriate response team

Containment:

Isolate affected systems to prevent further damage
Preserve evidence for investigation
Implement temporary controls

Investigation:

Determine root cause and scope of incident
Identify affected data and systems
Document timeline and actions

Remediation:

Remove threat and vulnerabilities
Restore systems to secure state
Implement permanent fixes

Recovery:

Restore normal operations
Verify system integrity
Monitor for recurrence

Post-Incident Review:

Document lessons learned
Update security controls and procedures
Communicate findings to stakeholders

7.3 Data Breach Notification

Customer Notification: If a data breach affects customer personal data, we will:

Notify affected customers without undue delay (within 72 hours where feasible)
Provide details about the breach, affected data, and remediation steps
Offer assistance and support

Regulatory Notification:

Notify Swiss Federal Data Protection and Information Commissioner (FDPIC) as required
Comply with GDPR notification requirements (where applicable)
Cooperate with regulatory investigations

Breach Communication:

Email notification to affected account email addresses
Platform notification for logged-in users
Public disclosure (if severity warrants)

8. Organizational Security

8.1 Personnel Security

Background Checks:

Background verification for employees with access to customer data (where legally permitted)
Reference checks for all hires
Ongoing monitoring for security clearances (if applicable)

Confidentiality Agreements:

All employees sign confidentiality agreements
Contractors bound by confidentiality clauses
Non-disclosure obligations survive termination

Security Training:

Security awareness training for all personnel (onboarding and annual)
Role-specific training for developers, administrators, support staff
Phishing simulation exercises
Incident response drills

Access Termination:

Immediate revocation of access upon termination
Return of company devices and credentials
Exit interviews covering security obligations

8.2 Physical Security

Office Security:

Controlled access to office premises
Visitor logs and escort policies
Secured storage for sensitive documents
Clean desk and screen lock policies

Device Security:

Full-disk encryption on all company laptops
Device management (MDM) for mobile devices
Remote wipe capabilities
Anti-malware and endpoint protection

8.3 Business Continuity and Disaster Recovery

Business Continuity Planning:

Documented business continuity plans
Regular testing and updates
Identified critical processes and recovery priorities

Disaster Recovery:

Recovery Time Objective (RTO): 24 hours for critical services
Recovery Point Objective (RPO): 1 hour for customer data
Redundant infrastructure and failover capabilities
Regular disaster recovery drills

High Availability:

Redundant servers and load balancing
Database replication and failover
Multi-zone deployment (where feasible)
Automated health checks and failover

9. Compliance and Certifications

9.1 Regulatory Compliance

Swiss Federal Act on Data Protection (FADP):

Full compliance with Swiss data protection law
Data Processing Agreements with subprocessors
Privacy by design and default
Data subject rights procedures

EU General Data Protection Regulation (GDPR):

GDPR compliance for EU customers
Standard Contractual Clauses for international transfers
Data Protection Impact Assessments (DPIAs) conducted as needed
Appointment of data protection contact (support@guard.ch)

Other Compliance:

PCI DSS (via Stripe for payment processing)
Export control compliance
Anti-money laundering (AML) requirements

9.2 Security Certifications (Subprocessors)

Our key subprocessors maintain the following certifications:

Hetzner: ISO 27001, ISO 9001
Stripe: PCI DSS Level 1, SOC 1, SOC 2
Cloudflare: ISO 27001, SOC 2 Type II
Axiom: SOC 2 Type II

Guard.ch is evaluating pursuing ISO 27001 certification for our own operations.

9.3 Audits and Assessments

Internal Audits:

Quarterly security reviews
Annual comprehensive security assessments
Continuous monitoring and improvement

External Audits:

Third-party penetration testing (periodic)
Vendor security assessments
Compliance audits as required

Customer Audits:

Customers may request security documentation
On-site audits permitted under DPA (with reasonable notice)
Third-party audit reports available (subject to confidentiality)

10. Customer Security Responsibilities

While Guard.ch implements strong security measures, customers share responsibility for security:

10.1 Account Security

Customer Responsibilities:

Choose strong, unique passwords
Enable multi-factor authentication (MFA)
Use WebAuthn/passkeys when possible
Keep authentication credentials confidential
Report suspicious activity immediately

Team Management:

Grant access only to authorized users
Review team member access regularly
Remove access for departing team members
Use appropriate role assignments

10.2 VM Security

Customer Responsibilities:

Secure VMs and applications running within them
Apply security updates to software in VMs
Implement firewalls and access controls within VMs
Encrypt sensitive data stored in VMs
Back up critical data (Guard.ch does not back up VM content)
Comply with software licensing terms

Best Practices:

Use strong passwords for Windows login
Enable Windows Firewall
Install antivirus software
Keep Windows and applications updated
Avoid storing sensitive data unnecessarily

10.3 Compliance

Customer Responsibilities:

Comply with Acceptable Use Policy
Ensure lawful use of VMs
Comply with data protection laws for data processed in VMs
Obtain necessary consents and authorizations
Implement appropriate security measures for personal data in VMs

11. Security Reporting

11.1 Vulnerability Disclosure

If you discover a security vulnerability in Guard.ch services:

How to Report:

Email: security@guard.ch
Include detailed description of vulnerability
Provide steps to reproduce (if applicable)
Allow reasonable time for us to address the issue before public disclosure

What We Commit:

Acknowledgment within 48 hours
Investigation and response within 7 days
Credit for responsible disclosure (if desired)
No legal action against good-faith security researchers

11.2 Abuse Reporting

To report abuse, violations of Acceptable Use Policy, or security incidents:

Email: abuse@guard.ch
Include evidence (URLs, timestamps, screenshots)
We investigate all reports promptly

12. Updates to This Policy

This Security Policy may be updated to reflect:

Changes in security practices
New threats and vulnerabilities
Regulatory requirements
Industry best practices

Notification: Material changes will be communicated via email and posted on this page with an updated "Last Updated" date.

13. Contact Information

For questions about this Security Policy or Guard.ch security practices:

Security Team: security@guard.ch General Support: support@guard.ch

Postal Address: See our Imprint for full contact details.

Last Review Date: November 14, 2025

Next Scheduled Review: May 14, 2026

This Security Policy demonstrates Guard.ch's commitment to protecting customer data and maintaining the highest security standards. For more information, see our Privacy Policy, Terms of Service, and Data Processing Agreement.