Last Updated: January 18, 2026
Compliance Approach
ChangeGuard is designed for production and regulated environments. Our architecture emphasizes a self-hosted agent that runs inside your environment, with clear boundaries between your workload data and any optional cloud-connected features.
Self-hosted first: Core safety evaluation executes in your environment. If you enable cloud-connected features, the agent sends only the operational and safety signals those features need, not the workload data itself.
Data Processing
- Customer control: You deploy and configure the agent and control its access via Kubernetes RBAC and network policies.
- Data minimization: The agent is designed not to collect Kubernetes Secrets, full workload manifests, or application data.
- Outbound-only option: When cloud-connected, the agent initiates outbound TLS connections to the control plane; the control plane never needs inbound access to your cluster, so no ingress rules or exposed endpoints are required.
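The two bullets above (customer-controlled RBAC and network policies, outbound-only connectivity) translate into a small set of Kubernetes objects. The manifests below are an added example written for this page, not ChangeGuard's own install manifests: the namespace, ServiceAccount and label names, the API server endpoint, the control-plane CIDR and the exact resource list are all assumptions, and you should replace them with the values from the vendor's install documentation and your cluster. What the example shows is the shape of a least-privilege deployment: a read-only ClusterRole that deliberately omits `secrets`, and a NetworkPolicy that denies all ingress and allows egress only to DNS, the Kubernetes API server and the control plane on TCP 443.

```yaml
# Added example, not ChangeGuard's own manifests. All names, IPs and the
# resource list are assumptions; adjust them to the vendor's documented needs.
apiVersion: v1
kind: Namespace
metadata:
  name: changeguard            # assumed namespace name
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: changeguard-agent      # assumed ServiceAccount name
  namespace: changeguard
---
# Read-only access to workload state. "secrets" is deliberately absent and
# there are no create/update/patch/delete verbs, so the agent can observe
# changes but can neither read credentials nor modify workloads. RBAC bounds
# what the agent CAN read; what it transmits is a separate question, so also
# inspect egress if data minimization matters to your audit.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: changeguard-agent-readonly
rules:
  - apiGroups: [""]
    resources: ["pods", "events", "namespaces", "nodes"]   # assumed resource list
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: changeguard-agent-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: changeguard-agent-readonly
subjects:
  - kind: ServiceAccount
    name: changeguard-agent
    namespace: changeguard
---
# Egress-only posture for the agent pods: no inbound traffic at all, and
# outbound only to DNS, the API server and the control plane. Enforcement
# requires a CNI that implements NetworkPolicy; without one this object is inert.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: changeguard-agent-egress-only
  namespace: changeguard
spec:
  podSelector:
    matchLabels:
      app: changeguard-agent   # assumed pod label
  policyTypes: ["Ingress", "Egress"]
  ingress: []                  # listing Ingress with no rules denies all inbound traffic
  egress:
    # DNS via the cluster resolver in kube-system (labels assumed; check your cluster).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The Kubernetes API server. The "kubernetes" Service ClusterIP is rewritten to
    # the endpoint IPs before policy is evaluated, so allow the endpoint addresses
    # from `kubectl get endpoints kubernetes` (10.0.0.1/32 and 6443 are placeholders).
    - to:
        - ipBlock:
            cidr: 10.0.0.1/32
      ports:
        - protocol: TCP
          port: 6443
    # The ChangeGuard control plane. 203.0.113.0/24 is a documentation range;
    # substitute the vendor's published endpoints or egress via your proxy.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 443
```

After applying, verify the RBAC boundary rather than trusting it: `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:changeguard:changeguard-agent` should answer `no`, while `kubectl auth can-i watch deployments.apps --all-namespaces --as=system:serviceaccount:changeguard:changeguard-agent` should answer `yes`. The most common mistake with an egress-only policy is forgetting the API server rule, which leaves the agent unable to watch for changes at all; the second most common is assuming the policy is enforced when the cluster's CNI does not implement NetworkPolicy.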
Security Controls
- Encryption in transit (TLS) and encryption at rest when data is stored in a ChangeGuard control plane
- Role-based access controls for administrative features
- Logging for auditability of security-relevant actions
Compliance Programs
Many customers have requirements such as SOC 2, ISO 27001, HIPAA, PCI DSS, or FedRAMP. ChangeGuard can support these programs as one control among many: it reduces change risk and improves the audit trail for cluster changes. Which attestations or reports are available for ChangeGuard itself depends on deployment mode, plan, and your requirements; ask for current attestations when evaluating.
Vendor and Subprocessor Management
We may use trusted vendors (subprocessors) for website hosting, analytics, and payment processing. When cloud-connected features are enabled, vendors may also provide the infrastructure that hosts the control plane. We evaluate vendors for appropriate security practices and limit their access to what their function requires.
Contact
If you have compliance requirements or need a security/compliance briefing, contact us via the Contact page.