Our commitment to data protection and security is embedded in every area of our organisation.
Use this Trust Center to learn more about our security measures and to review our security documentation.
The foundation of security at ResGuard is infrastructure security. ResGuard relies on our Virtual Private Cloud (VPC) to logically isolate our internal networks. We maintain configured security groups to control and restrict network access through defined inbound and outbound rules.
We develop highly available products that meet a variety of monitoring and observability requirements of our customers through the scalability of our CSP. We uphold our Service Level Agreements (SLAs) with an availability of 99.7%. For more information about our SLA, please refer to our Master Services Agreement.
At ResGuard, we encourage all employees to participate in protecting customer data and company assets. Where legally permissible, ResGuard conducts background checks on candidates before they join the organisation. All ResGuard employees complete regular security and privacy awareness training that integrates security into both technical and non-technical roles. Our training materials are role-specific to ensure that employees have the tools to address the specific security challenges of their work.
Product security is a top priority at ResGuard. We integrate security from the outset into the design of our products within the Software Development Lifecycle. We develop products following common Agile methodologies and integrate security throughout the Agile Release Cycle. This allows us to discover vulnerabilities earlier and remediate them faster than would be possible with longer release cycles. Clearly defined change management policies and procedures determine when and how changes are made. This philosophy is central to DevOps security and the development practices that have driven the adoption of ResGuard.
ResGuard releases software patches as part of our continuous integration process. We strive to deliver patches that may affect end users as quickly as possible and within our defined Service Level Agreements (SLAs), with end-user notifications and scheduled maintenance windows.
As a SaaS provider, ResGuard's production infrastructure is hosted in Cloud Service Provider (CSP) environments. These CSPs manage the physical and environmental security controls for ResGuard's production servers, including buildings, locks and door keys.
Physical security measures at ResGuard offices include strict enforcement of badge access to enter the building as well as access to ResGuard floors and secured work areas. All visitors must present identification to receive a visitor badge and are accompanied by a ResGuard employee at all times.
ResGuard grants access to resources and confidential information on a need-to-know basis according to role. Access is controlled on the principle of least privilege, meaning users only have the level of access required to perform their duties. In addition, we enforce multi-factor authentication, which includes strong passwords and a second factor. Third parties of ResGuard do not have direct access to production systems.
We monitor and log access to all production environments for security purposes. In addition, access is audited and baselined to meet our security and compliance requirements.
Data submitted by authorised users to the ResGuard service is considered confidential. This data is protected during transmission over public networks and encrypted at rest. Customer data may only leave the ResGuard production environment in limited cases, for example to support a customer request.
All data transmitted between ResGuard and our users is protected by Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the ResGuard application becomes unreachable.
ResGuard has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and we enforce disk encryption and unique credentials for workstations.
ResGuard monitors critical infrastructure for security-relevant events using a proprietary implementation of open-source and commercial technologies. Activity data such as API calls and operating system calls are centrally logged, where the information passes through a series of custom rules designed to detect malicious or unauthorised behaviour. The results of these rules are fed into an orchestration platform that triggers automated actions -- including direct notification of the security team or requiring additional authentication.
AWS Cloud -- ResGuard does not operate its own on-premises data centres.
ResGuard has an extensive product logging mechanism including a customer-accessible audit log console. In addition, audit logging is enabled for all customer support, web end-user and technical operations applications as well as staging and production management infrastructure.
A centralised identity provider and multi-factor authentication are enabled for all customer support, web end-user and technical operations applications as well as staging and production management infrastructure. ResGuard users are required to use multi-factor authentication when accessing the production environment.
Formal role-based access controls restrict access to systems and system components and are enforced by the access control system. Where formal role-based access controls are not possible, authorised user IDs with two-factor authentication are used. ResGuard also follows the principle of least privilege.
ResGuard maintains a real-time backup that can be restored immediately at any time, unless a disaster event has occurred. Backups are performed daily, with full incremental backups every week. We do not use tapes. We archive data and back it up incrementally to ensure that the data is usable and available at all times.
Data at rest is encrypted with AES-256.
All data transmitted between ResGuard and ResGuard users is protected by Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the ResGuard application becomes unreachable.
As part of our secure development lifecycle, peer reviews, static analysis and dynamic analysis testing take place before code is deployed to production.
ResGuard performs monthly scans of servers and networks, and identified vulnerabilities are tracked and remediated in accordance with ResGuard's vulnerability management procedures. ResGuard also performs monthly vulnerability scans of critical environments as well as static code analysis to ensure the security and integrity of ResGuard's environments and products. All identified vulnerabilities are assigned to a responsible owner and remediated in accordance with ResGuard's vulnerability management procedures.
Multi-factor authentication is required to access the ResGuard production environment. Where multi-factor authentication is not possible, ResGuard applies the following password standards:
Systems and network devices use a common time synchronisation service. The NTP check is included in the ResGuard agent.
ResGuard maintains a staging environment separate from the production environment for testing.
Disk Encryption: All ResGuard employee laptops use full disk encryption.
Endpoint Detection & Response: Anti-malware controls protect workstations and servers. The engines of these anti-malware tools are continuously updated.
Firewall: ResGuard's firewall rules are set to block by default.
SIEM: All security-relevant log data is ingested into our centralised SIEM system to analyse and detect suspicious activity across all technical layers.
At ResGuard, when an incident is detected, a security incident ticket is created with the details of the event, including the date and time of the incident, the type of incident and the impact on customers. The creation of the ticket triggers the notification of the responsible security team members. They immediately initiate an investigation to assess the scope and impact of the situation and to determine the actions necessary for remediation.
Regular penetration tests are conducted by third-party providers.
ResGuard has a dedicated 24x7 incident response capability with on-call personnel to handle critical incidents and service outages. If the incident is determined to be security-related, the responsible security team members are included in the response procedures.
A - SSL Report
Our standard support covers all issues, incidents or requests regarding our RCM cloud solution:
Support with enhanced SLA definitions can be provided through individual subscription models. Please contact your Account Manager for further details.
Regular patch, update and feature upgrade activities are carried out during our scheduled maintenance window on the first Sunday of every month between 02:00 CET and 03:00 CET. Customers are informed about planned downtime via the information table below.
Last updated: 1 March 2026
This privacy notice explains how the ResGuard group of companies ("ResGuard", "we", "us") collects, uses, stores and protects personal data when you visit our website, use our ResGuard Compliance Manager (RCM) platform, or otherwise interact with us.
We are committed to protecting your privacy and processing your personal data in compliance with the EU General Data Protection Regulation (GDPR), the Singapore Personal Data Protection Act (PDPA) and all other applicable data protection legislation.
Depending on your region, one of the following entities acts as the data controller responsible for the processing of your personal data:
Our Data Protection Officer (DPO) can be contacted for any questions regarding the processing of your personal data or to exercise your data subject rights.
DPO: Sven Kreiter
Submit a Data Protection Request
When you visit our website, we may collect:
When you submit an enquiry through our contact form or by email, we collect:
When your organisation uses the ResGuard Compliance Manager platform, we process:
RCM platform data is processed on behalf of your organisation under a Data Processing Agreement (DPA). Your organisation is the data controller for the content it stores in the platform; ResGuard acts as a data processor.
When you apply for a position with us, we collect:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Delivering and securing our website | Legitimate interest (Art. 6(1)(f)) |
| Responding to enquiries and providing quotes | Pre-contractual measures (Art. 6(1)(b)) |
| Providing the RCM SaaS platform | Performance of contract (Art. 6(1)(b)) |
| Sending service-related communications (e.g. maintenance notices) | Legitimate interest (Art. 6(1)(f)) |
| Analytics and website improvement | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations (e.g. tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Processing job applications | Pre-contractual measures (Art. 6(1)(b)) |
| Protecting our IT infrastructure and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.
We may share your personal data with the following categories of recipients, only to the extent necessary for the purposes described above:
We do not sell your personal data to third parties.
As ResGuard operates across multiple jurisdictions (Singapore, Europe, Latin America), personal data may be transferred between our entities. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
Our website uses cookies and similar technologies. We distinguish between:
These are required for the website to function correctly (e.g. session management, CSRF protection). They cannot be disabled. Legal basis: legitimate interest.
We use Google Analytics (with IP anonymisation enabled) to understand how visitors use our website. These cookies are only set with your consent. You can withdraw consent at any time via your browser settings or by using the Google Analytics opt-out browser add-on.
You can manage your cookie preferences through your browser settings. Disabling non-essential cookies will not affect the core functionality of our website.
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Obtain confirmation of whether we process your data and request a copy |
| Rectification (Art. 16) | Correct inaccurate or incomplete personal data |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten") |
| Restriction (Art. 18) | Request restriction of processing in certain circumstances |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time, without affecting the lawfulness of prior processing |
To exercise any of these rights, please use our Data Protection Request Portal or contact our DPO. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. The relevant authority depends on your location:
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include:
For more details, please review the Security Approach and Security Controls tabs above.
We do not use automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.
Our website may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read the privacy notice of each website you visit.
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.
We may update this privacy notice from time to time to reflect changes in our processing activities or legal requirements. Material changes will be communicated via our website. The "last updated" date at the top of this notice indicates the most recent revision.