Security and privacy for high-risk AI monitoring
Guardian is designed for organisations that need a secure, EU-oriented way to monitor high-risk AI systems, maintain operational evidence, and control access to sensitive governance records. For how this fits in the product, see the product and methodology pages, and a typical first step, the 4-week Readiness Sprint. For structured incident and evidence practice, see the resource on the AI incident register. Contractual terms, your DPA, and the published security policy remain the source of truth.
How Guardian approaches security
Guardian is built for teams that need to maintain operational records around high-risk AI systems without turning security into an afterthought.
The platform is designed around a metrics- and records-oriented model: monitoring signals, incidents, oversight actions, and documentation metadata rather than unnecessary raw personal data.
That helps organisations maintain a more practical balance between operational visibility, privacy, and controlled access.
What this means in practice
- EU-oriented hosting and operational posture
- Role-based access to monitoring, incident, and evidence records
- Operational focus on metrics, signals, and documentation rather than unnecessary raw data
- Structured audit trails around follow-up, review, and oversight actions
- Controlled visibility across compliance, legal, risk, and AI teams
What becomes easier with the right security model
- Sharing governance records with the right stakeholders without oversharing
- Maintaining operational evidence in a more controlled environment
- Supporting audit and regulator review with clearer access boundaries
- Reducing the need to move sensitive information across scattered tools and documents
Designed for regulated environments
Metrics-oriented architecture
Guardian is designed to operate on compliance metrics and records rather than unnecessary raw personal data.
EU-hosted infrastructure
Guardian data is processed and stored within the European Union, with cloud infrastructure configured for EU delivery.
Access controls
Zero Trust principles, MFA, RBAC and tenant-scoped access controls reduce the risk of unauthorised access.
Audit-ready operations
Formal incident response, logged administrative actions, and exportable documentation support internal and external review.
Controls and roadmap
Available today
- EU-hosted infrastructure
- Metrics-only platform design
- MFA and RBAC
- Encryption in transit and at rest
- Incident response process
- Security policy and responsible disclosure
Planned / roadmap
- Enterprise SSO (SAML / OIDC)
- SOC 2 Type II programme
- ISO 27001 programme
We separate current controls from roadmap items to keep our security communications precise and transparent. Ask for the security pack if you need certification detail.
How data is handled
What we process
Compliance metrics, model metadata, alerts, incidents, and audit outputs.
What we avoid
Clients should avoid submitting raw personal data through the platform or API.
Retention
Platform retention windows are defined by product and contractual settings. Where AI explanation features are enabled, prompt and output retention may be shorter than standard platform retention.
Security FAQ
- Does Guardian require raw personal data?
  Guardian is designed around metrics, monitoring signals, incident records, and documentation metadata rather than unnecessary raw personal data.
- How is access controlled?
  Guardian is designed to support role-based access so compliance, legal, risk, and AI teams can work from the same operating record with appropriate visibility.
- Is Guardian intended for EU-regulated environments?
  Yes. Guardian is designed for organisations operating in EU regulatory contexts, especially where high-risk AI systems require stronger monitoring, documentation, and review practices.
- Does Guardian replace existing security controls?
  No. Guardian is intended to support the monitoring and evidence layer around high-risk AI systems, not replace an organisation’s broader security programme.
Need security documentation?
Security policy, security questionnaire responses, and subprocessor information are available for customers and qualified prospects.