Last Updated: January 18, 2026
Security Overview
ChangeGuard is built for infrastructure teams who need strong controls and clear boundaries. Our core design is a self-hosted agent that runs in your environment and evaluates change safety close to the cluster.
Outbound-only connectivity: When cloud-connected features are enabled, the agent initiates outbound TLS connections to the ChangeGuard control plane. We do not require inbound network access into your cluster.
Data Minimization
ChangeGuard is designed to minimize the data that leaves your environment. By default, we do not collect Kubernetes Secrets, full workload manifests, or application data. You control what the agent can access via Kubernetes RBAC and configuration.
Encryption
- In transit: Data transmitted by the agent uses TLS encryption.
- At rest: When stored in a ChangeGuard control plane, operational data is encrypted at rest using industry-standard mechanisms.
Access Controls
- Least privilege: Recommended Kubernetes RBAC grants the agent only the read/write permissions required for enabled features.
- Authentication: Admin access is controlled by account credentials and role-based controls.
- Logging: Security-relevant actions are logged for auditability.
Secure Development
- Dependency management and vulnerability monitoring
- Patch and update process for security releases
- Principle-of-least-privilege defaults and safe failure modes where possible
Customer Responsibilities
Because the agent runs in your environment, you control its deployment and configuration. You are responsible for:
- Securing your Kubernetes cluster and underlying cloud or on-prem infrastructure
- Configuring RBAC, network policies, and secrets management for the agent
- Reviewing change workflows and approvals consistent with your policies
Reporting Security Issues
If you believe you have found a security issue, please contact us via the Contact page with details so we can investigate.