Built Secure
About Guardian Assessment Pvt. Ltd.
Guardian Assessment Pvt. Ltd. is an independent third party Product Certification Body accredited by the United Accreditation Foundation (UAF) in compliance with ISO/IEC 17065:2012, based out of Mumbai, India. What we believe in our life is to do only one thing but very efficiently that too independently. That is cybersecurity certification of software products.
Who We Are
An Accredited Certification Body, Built for One Job
Guardian Assessment Pvt. Ltd. is a third-party Product Certification Body — a Conformity Assessment Body in the formal language of international accreditation — established to bring globally recognised assurance to the cybersecurity of software products. We are headquartered in Mumbai, India, and we operate under a single, deliberately narrow remit: we evaluate and certify the conformity of products against published certification schemes, and we do nothing else.
That narrowness is not a limitation; it is the source of our credibility. A body that does both certifies its own work, and a certificate from such a body cannot withstand scrutiny.
ISO/IEC 17065:2012 — the international standard under which our work is accredited — requires certification bodies to be impartial, and impartiality is incompatible with consulting, design, development, training-to-pass, or remediation services. We chose to build Guardian as a pure certification body so that every certificate we issue is structurally defensible, not merely commercially attractive.
Our flagship program, Guardian SecureApp™, evaluates the security of three distinct types of products – web applications, SaaS/multi-tenant applications, and APIs/microservices, against OWASP Application Security Verification Standard (ASVS), OWASP Top 10, and OWASP API Security Top 10 respectively. This is done through three distinct levels of assurance – Basic, Advanced, and High-Risk/Critical.
Mission, Vision & Values
Why We Exist
Mission
To raise the baseline of software security worldwide by issuing accredited, independent, third-party certifications that customers, regulators and procurement teams can trust without reservation. Where buyers today are forced to take security on faith, we want them to be able to verify it instead.
Vision
To be the certification body of choice for product security in the application, SaaS and API space — recognised internationally for technical depth, procedural integrity, and unwavering impartiality. We want a Guardian SecureApp™ certificate to be a procurement-grade signal, on its own, in any market we operate in.
Our Five Values
Independence
Impartial evaluation with conflicts screened and managed before work begins.
Competence
Qualified evaluators and decision makers assessed for the work they perform.
Transparency
Scheme rules, fees, directory, complaints process and policies are publicly readable.
Confidentiality
Client information is protected and accessed only by authorised personnel.
Stewardship
Certificates are issued only when the decision can be properly defended.
Our Scope
Where Our Service Begins, and Where It Ends
There is more clarity in saying what a certification body does not do than in saying what it does. Our scope is bounded — deliberately and explicitly.
What Guardian Does
- Certify Guardian SecureApp™ third-party products as per ISO/IEC 17065.
- Assess web applications, SaaS platforms and APIs using OWASP ASVS, OWASP Top 10 and OWASP API Top 10.
- Perform independent VAPT testing engagements either as standalone services or as part of the certification process.
- Maintain a publicly accessible database for certified, suspended and withdrawn products.
- Perform surveillance, recertification, and handle complaint and appeal processes.
- License the Guardian SecureApp™ Certification mark to certified organizations.
What Guardian Does Not Do
- Advice is given on the design, construction or operation of a product that will be able to meet certification requirements.
- Development, configuration, deployment or remediation of all types of software products.
- Remediation advice, fix support or preparation for certification is provided.
- Suggest consultants, tool vendors or remediation services providers.
- Train applicants how to pass our certification process.
- Sell, promote or accept inducements associated with certification results.
This separation is not a marketing position; it is a regulatory requirement. ISO/IEC 17065 Clause 4.2 prohibits the certification body from offering services that compromise impartiality.
Our Accreditation
Our Accreditation, in Verifiable Detail
Note: United Accreditation Foundation is a member of the International Accreditation Forum (IAF) and a signatory to the IAF MLA. The IAF MLA scope of recognition varies by accreditation type. To check the current scope, please verify directly at www.iaf.nu.
Governance
How Guardian Is Governed
Guardian’s governance is engineered to make the impartiality and competence requirements of ISO/IEC 17065 structurally durable rather than merely declared.
Impartiality Committee
Independent committee with balanced stakeholder representation. Unrestricted access to all certification records and financial information. Authority to escalate directly to UAF.
Certification Decision Authority
Named role independent of evaluation personnel, per ISO/IEC 17065 Clause 7.6. Three decisions: grant, defer, or refuse. All documented with reasoning.
Technical Review Panel
Senior evaluators and SMEs ensuring methodological consistency and maintaining scheme alignment with evolving OWASP standards.
Appeals Panel
Independent body hearing appeals against certification decisions. Composed of personnel not involved in the original decision, with documented timelines and rights.
Unparalleled customer service
Holds overall accountability for the certification body’s operation, accreditation maintenance and governance performance. Does not participate in individual certification decisions.




Our Pool of Evaluators
Who Performs the Evaluation
Guardian’s evaluations are conducted by a pool of qualified, independent technical evaluators with verified backgrounds in application security, secure coding, penetration testing, threat modelling and conformity assessment. We do not disclose individual evaluator identities in advance of engagement allocation — this protects evaluators from targeted social-engineering attempts and protects applicants from any commercial-relationship-based selection bias — but we publish the aggregate competence requirements that every Guardian evaluator must satisfy.
Technical education: Bachelor’s or Master’s degree in Computer Science, Information Security, Software Engineering or an equivalent technical discipline.
Industry credentials: Recognised credentials such as OSCP, OSWE, CEH, CISSP, CSSLP, GWAPT, GPEN, CRTP, or equivalent specialised credentials.
Hands-on experience: At least five years’ worth of practical application security testing experience in web applications, APIs, and cloud native environment.
OWASP competence: Evidence-based understanding of OWASP ASVS, OWASP Top 10, OWASP API Security Top 10, and threat modeling techniques.
Scheme-specific training: Demonstrated competence against the Guardian SecureApp™ scheme through training, orientation, witness assessment, and CPD.
Declarations: Signed confidentiality and impartiality declarations, renewed annually and on a per-engagement basis.
Every proposed evaluator is screened for conflicts of interest before each engagement. Prior consultancy involvement within two years automatically bars participation.
Impartiality
The Discipline Behind Independent Decisions
In our industry, impartiality isn’t just a nice-to-have — it’s a real competitive advantage. But more importantly, it’s the fundamental requirement for issuing a certificate that actually means something.
Guardian maintains a detailed Impartiality Risk Register, owned by our Impartiality Committee and reviewed at regular, defined intervals. For every potential threat we identify, we record the nature of the threat whether it’s self-interest, self-review, advocacy, familiarity, or intimidation along with its source, the likelihood and impact, the specific mitigation or elimination steps we’ll take, who owns it, and the schedule for reviewing it.
Threats that are unable to be mitigated to an acceptable degree are rejected; they are not managed. We have rejected engagements on impartiality reasons and will continue to do so, because otherwise we would be producing a certificate which does not hold up to scrutiny. Threats which we specifically screen for are consultancy (whereby any person who has consulted on the product within the past two years is unable to certify it), finance (where no single application provides us with enough income to cause a threat from financial dependency – quarterly monitored) and personal connections.
Our fee structure reinforces this. Fees are determined and contracted in advance, payable for the work performed regardless of the certification outcome. We do not offer success-fee structures, contingent pricing, or refunds linked to certification outcomes. Decision-makers are paid as employees; their remuneration is not linked to certification volume or the outcome of any specific engagement. The full impartiality framework — including how to report a threat to our impartiality — is documented at /impartiality.
Information Protection
How We Protect What You Share With Us
Certification engagements involve sharing — and producing — sensitive information: architecture diagrams, threat models, authentication designs, source code, prior assessment reports, vulnerability findings. We treat that information as confidential by default, governed by our Confidentiality Policy and applicable law (in particular, the Digital Personal Data Protection Act 2023 in India, and contractually agreed cross-border data-handling obligations where applicable).
In practice, this means: information shared with Guardian is accessible only to personnel involved in the specific engagement, under signed individual confidentiality undertakings; technical evaluation environments are isolated from general operational systems; source code, where reviewed, is accessed via secure remote channels within the applicant’s environment wherever feasible, and is not retained beyond the engagement; findings reports are issued only to the applicant; and disclosure to third parties is limited to the specific facts that ISO/IEC 17065 Clause 4.6 requires to be public (certificate facts: number, product, level, validity), to UAF in connection with accreditation oversight, and to legal authorities only where formally required.
Confidentiality survives termination of the engagement and termination of certification. Full detail at /confidentiality.
Operating Reach
Where We Operate, and How
Guardian is accredited to issue UAF-accredited Guardian SecureApp™ certificates in India, and we welcome enquiries from applicants worldwide. Where applications originate outside India, certificate issuance and the applicable surveillance arrangements are determined in accordance with UAF policy and IAF MD 12:2023 (Accreditation Assessment of CABs with Activities in Multiple Countries). Where an engagement involves activities across borders, that fact is declared in the application and reflected in the surveillance schedule.
Evaluation activities themselves are routinely conducted using Information and Communication Technology (ICT) — secure remote access, video-attended interviews, virtual document review — in accordance with IAF MD 4:2025. ICT-based evaluation is the default for documentation review and most technical evaluation activities, particularly at Levels 1 and 2; Level 3 engagements may benefit from limited on-site presence, determined at scoping based on the product’s deployment model and the activities required.
We do not operate in jurisdictions covered by the UAF Policy on CAB Operations in Sanctioned Countries; the policy is applied on each engagement at scoping and at any later change in the engagement’s geographic footprint.
Our Commitments
What We Owe Each Stakeholder
Different stakeholders have different stakes in our work. The commitments below are explicit and operationalised — each one maps to documented procedures, governance roles, or both.
Applicants
Transparent scoping, fair and uniform evaluation against the published scheme, defined turnaround times, written reasoning for every decision, full appeals rights, and protection of confidential information.
Certified Clients
Fair surveillance proportionate to the assurance level, clear communication on changes to scheme criteria, predictable recertification, licensed use of the certification mark per published rules, and a defined process for managing complaints against the certification.
Customers and Procurement Teams
A public directory enabling independent verification, public scheme rules so the meaning of a certificate is unambiguous, and a documented complaints process if a certified product is alleged to be misrepresented.
Regulators
Procedural conformance with ISO/IEC 17065, accreditation by UAF (independently verifiable), public information per Clause 4.6, and cooperative engagement on regulatory enquiries within the bounds of confidentiality obligations.
Evaluators
Clear competence requirements, fair allocation, protected impartiality (including the right to recuse), professional development support, and a non-retaliatory environment for raising methodological or impartiality concerns.
The Public
A documented, accessible mechanism to raise concerns about a certified product or about Guardian’s conduct as a certification body, with response timelines and escalation paths to UAF where applicable.
Find Us
Registered Office
Guardian Assessment Pvt. Ltd.
812 B Wing, CTS NO. 1/222A,
Samartha Aishwarya, High Land, Oshiwara,
Opp. Samartha Vaibhav,
Mumbai 400053, Maharashtra, India.
General Enquiries
hello@guardiansecureapp.comWorking Hours
Monday to Friday, 09:30 to 18:30 IST
Frequently Asked Questions
Common Questions, Answered
Guardian is exclusively a third-party certification body, accredited under ISO/IEC 17065:2012 by United Accreditation Foundation (UAF). We do not provide consulting, design, development, training-to-pass, or remediation services of any kind. This separation is required by Clause 4.2 of ISO/IEC 17065 to preserve impartiality, and a body that breaches this requirement loses its accreditation and the validity of its certificates.
Guardian is headquartered in Mumbai, India, at 812 B Wing, CTS NO. 1/222A, Samartha Aishwarya, High Land, Oshiwara, Opp. Samartha Vaibhav, Mumbai 400053. We operate as Guardian Assessment Pvt. Ltd. under Indian company law.
Guardian is accredited by United Accreditation Foundation Inc. (UAF) — an internationally operating accreditation body headquartered in Virginia Beach, Virginia, USA — under ISO/IEC 17065:2012, accreditation number 52605385601, valid from 06 May 2026 to 05 May 2030. The accreditation can be independently verified at www.uafaccreditation.org.
Guardian is accredited by UAF, which is an internationally operating accreditation body. UAF is a member of the IAF and a signatory to the IAF Multilateral Recognition Arrangement (MLA). The IAF MLA recognises accreditations across borders, but the MLA scope varies by accreditation type — the current scope of UAF’s IAF MLA recognition by accreditation type can be verified at www.iaf.nu. International recognition of any specific certificate depends on the accepting party’s requirements; in regulated procurement, recognition typically follows from the underlying accreditation registry status.
Under our current accreditation scope (IAF Scope Code 33 — Information Technology), Guardian certifies web applications, SaaS / multi-tenant platforms, and APIs / microservices, through the Guardian SecureApp™ scheme. The scheme has three modules — Module A (Web), Module B (SaaS), Module C (API) — and three assurance levels — Level 1 (Basic), Level 2 (Advanced), Level 3 (High-Risk / Critical). Each certificate is issued for a named product and version, against the named module(s) and level.
Yes. Guardian conducts independent VAPT (Vulnerability Assessment and Penetration Testing) as a technical assessment activity, either as a stand-alone engagement or as part of a certification evaluation. Our VAPT engagements deliver a findings report; Guardian does not provide remediation, fix-support, or post-VAPT advisory — these are outside the scope of our service offering, and providing them would compromise our impartiality as a certification body.
No. Pre-certification preparation, advisory, gap assessments and ‘how to pass’ assistance are all forms of consultancy, and Clause 4.2 of ISO/IEC 17065 prohibits a certification body from providing these services in respect of a product it later certifies. Applicants are responsible for their own preparation, with their own resources or any third party they engage. We evaluate the product as it is presented at application.
An independent Impartiality Committee, comprising representatives drawn from a balance of stakeholder interests (industry, applicants, technical experts, public-interest representation), oversees Guardian’s impartiality. The Committee has unrestricted access to certification records, financial information and conflict-of-interest declarations, meets at defined intervals and on request, and has authority to take independent action — including escalation to UAF — where it identifies threats to impartiality that have not been adequately addressed.
Visit www.uafaccreditation.org and search by accreditation number 52605385601, or download the Certificate of Accreditation and Schedule of Accreditation from /accreditation. Both routes confirm the same facts: accreditation status, scope (IAF Scope Code 33), validity dates, and any conditions or limitations.
Our Public Directory of Certified Products is at /directory, searchable by certificate number, product name or applicant name. The directory lists currently valid certificates as well as suspended and withdrawn certificates, with the date and reason for status changes (where applicable). Public listing of certificate facts is required by ISO/IEC 17065 Clause 4.6.
Application review is conducted under ISO/IEC 17065 Clause 7.3, against four criteria: scope (does the product fit our accredited certification scope?), feasibility (can we resource the engagement competently and to the required timeline?), impartiality (are there any conflicts of interest, including consultancy involvement within the last two years, that we cannot mitigate?), and completeness (is the submitted documentation sufficient to begin scoping?). Outcome is acceptance, a request for clarification, or rejection with documented reasons.
UAF is our accreditation body. UAF audits Guardian’s compliance with ISO/IEC 17065 and supporting mandatory documents annually, conducts witness assessments of selected certification engagements, and maintains the public accreditation register on which our status is published. UAF does not direct or participate in Guardian’s individual certification decisions; that would compromise the independence of certification from accreditation, which is itself a core principle of the international conformity assessment infrastructure.
Guardian works with organisations of all sizes. Our indicative starting fees for small organisations (USD 2,000 / 4,000 / 7,000 for Levels 1 / 2 / 3) are designed to make accredited certification accessible to start-ups and growth-stage companies. Final fees depend on scope, technology and complexity; quotation is on request.
Guardian is funded through certification fees paid by applicants and certified clients. We do not receive grants, government funding, or other revenue streams that would create dependency on third parties. Our financial structure is monitored quarterly by the Impartiality Committee to ensure no single applicant or sector creates a financial dependence threat to impartiality.
Any change of control or material change in business activities is a notifiable event under our accreditation, requiring prior or concurrent notification to UAF and a fresh impartiality risk assessment. A merger with a consultancy that creates a structural impartiality conflict — particularly one that would mix certification with advisory in respect of certifiable products — is incompatible with continued accreditation. The Impartiality Committee and Top Management are accountable for maintaining a structure that preserves accreditation status.
