Confidentiality Policy — Guardian’s Information Protection Framework

This Policy documents how Guardian Assessment Private Limited (India) and Guardian Assessment UK Ltd protect confidential information shared with Guardian during certification engagements, surveillance audits, recertification, and the standalone VAPT service. It is the operational implementation of ISO/IEC 17065:2012 Clause 4.5 (Confidentiality), against which we are accredited by UAF (accreditation 52605385601, valid until 05 May 2030). The Policy covers what information Guardian treats as confidential, the limited disclosures permitted under our accreditation framework, the personnel obligations and retention disciplines that enforce the commitments, and how cross-border data flows between our India and UK entities are handled. It is publicly available per ISO/IEC 17065 Clause 4.6 and is reviewed by UAF during annual surveillance audits.

ISO/IEC 17065 Accredited
UAF Accreditation No. 52605385601
Valid until 05 May 2030

Guardian’s Commitment to Confidentiality

Guardian Assessment Private Limited (India) and Guardian Assessment UK Ltd, together constituting the Guardian Assessment certification body, treat all information obtained from applicants and certified clients during certification engagements, surveillance audits, recertification, change-driven re-evaluations, and the standalone Guardian VAPT service as confidential — except information explicitly designated as public under ISO/IEC 17065 Clause 4.6 and Clause 7.8 (Section 3.4 of this Policy below). The confidentiality commitments documented in this Policy are operational requirements under our UAF accreditation, embedded in our Certification Agreement and VAPT Engagement Agreement, and implemented through documented procedures audited annually by UAF during accreditation surveillance.

This Policy is the operational implementation of ISO/IEC 17065:2012 Clause 4.5 (Confidentiality), against which Guardian is accredited by UAF. It is companion to the Impartiality Statement at /impartiality (which implements Cl. 4.2) and the Complaints and Appeals procedure at /complaints-appeals (which implements Cl. 7.13). Together these three documents form the foundational trust framework that procedurally distinguishes accredited certification from any commercial assessment relationship without comparable structural disciplines.

Scope of This Policy

This Policy applies to all information Guardian receives from or about applicants, certified clients, products under evaluation, and personnel of applicants and certified clients in the course of certification activities and the VAPT service. The Policy applies whether the information is received in writing, orally, electronically, through system access, through interview, through observation, or through any other means. The Policy applies whether the information is held by Guardian Assessment Private Limited (India), Guardian Assessment UK Ltd, or by personnel acting on Guardian’s behalf — including employees, contractors, Decision Authority personnel, Reviewers, Impartiality Committee members, and other authorised parties.

The Policy continues to apply after engagements end. Confidential information received during a certification engagement remains subject to confidentiality discipline after the engagement closes, after the certificate expires or is withdrawn, and after the relationship between Guardian and the certified client otherwise ends. Confidentiality is not time-limited to the engagement duration; it is structural to Guardian’s role as an accredited certification body.

Underlying Standards and Frameworks

This Policy implements:

  • ISO/IEC 17065:2012 Clause 4.5 (Confidentiality) — the principal standard governing certification body confidentiality discipline
  • ISO/IEC 17065:2012 Clause 4.6 (Publicly Available Information) — defining what information is public, and therefore not confidential
  • ISO/IEC 17065:2012 Clause 7.8 (Status of Certification) — defining the public status notifications Guardian makes regarding certificates
  • IAF MD 12:2023 (Application of ISO/IEC 17011 to Certification Bodies’ Activities in Multi-Country Activities) — governing the multi-jurisdictional structure of Guardian’s operations through its Critical Location in the UK
  • Indian Digital Personal Data Protection Act 2023 (DPDP Act) — applicable to personal data handled by Guardian Assessment Private Limited
  • United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 — applicable to personal data handled by Guardian Assessment UK Ltd

Section 3.8 below addresses the privacy frameworks in additional detail. This Policy does not constitute legal advice on data protection compliance, which depends on factors specific to each applicant; readers requiring legal advice should consult independent legal counsel familiar with the applicable jurisdictions.

What Guardian Treats as Confidential

Confidentiality discipline applies to every category of information Guardian receives in the course of certification and VAPT activities. The principal categories are described below — itemised explicitly because clarity about scope is itself a confidentiality safeguard. Where information falls within these categories, the confidentiality commitments described elsewhere in this Policy apply.

Category: Specific Information Treated as Confidential

Source Code and Technical Implementation

Source code provided to Guardian for review (Levels 2 and 3 commonly include source code review); compiled binaries; build configurations; deployment scripts; infrastructure-as-code definitions; technical implementation details that reveal proprietary engineering approaches.

Architecture and Design

Architecture diagrams; data flow diagrams; component decomposition; integration topologies; technology stack specifications; deployment architecture; multi-tenant isolation designs (Module B); API surface and partner integration designs (Module C); authentication and authorisation architecture across all Modules.

Threat Models and Security Posture

Documented threat models supplied by the applicant; threat-modelling artefacts produced during scoping conversations; security control inventories; security architecture documents; incident response procedures shared during evaluation; the applicant’s internal assessment of security posture.

Evaluation Evidence

Evidence captured during Stage 4 Technical Evaluation (including request and response captures, screenshots, logs, and screen recordings); evidence captured during VAPT engagements; evidence supporting individual findings; evidence underlying severity classification decisions.

Findings and Reports

Individual findings, including description, severity, affected component, reproduction steps, and evidence; the Evaluation Report produced at the end of Stage 4; the Technical Findings Report produced at the end of VAPT; surveillance audit findings; targeted re-evaluation reports; mandatory re-evaluation reports at Level 3.

Risk Treatment Plans

Risk Treatment Plans submitted by applicants for Decision Authority review; the Decision Authority’s RTP review notes; RTP-related correspondence between applicant and Guardian; residual risk acceptances and their justifications.

Applicant Business Information

Customer names disclosed during scoping or evaluation (such as reference customers used for testing); commercial terms shared during scoping; financial information shared in support of small-organisation pricing tiers; corporate ownership and group structure where disclosed; future product roadmap information shared during scoping for context; any information about the applicant’s business that is not in the public domain.

Personnel and Contact Information

Names, contact details, role descriptions and engagement-relevant attributes of applicant personnel, including engineering team members, security personnel, legal counsel, and executive sponsors. Personal data of personnel is also subject to the privacy framework safeguards described in Section 3.8.

Evaluator Competence Records

Internal records of Guardian’s evaluator qualifications, training history, performance assessments, declarations of impartiality, and engagement assignments. These records are confidential to Guardian internally and are accessible to UAF during accreditation surveillance per Section 3.3 below.

Internal Procedures and Records

Guardian’s internal procedural documentation; evaluation methodology details beyond what is disclosed publicly in the scheme document GSA-PR-01; internal training materials; Impartiality Committee minutes; internal audit findings; UAF surveillance findings communicated to Guardian.

These categories are not exhaustive — they describe the principal categories Guardian routinely encounters. Information that does not fit neatly into these categories but which a reasonable person would recognise as confidential is treated as confidential. Where uncertainty exists about whether specific information is confidential, Guardian errs toward treating it as confidential and confirms with the applicant if disclosure is being considered.

When Guardian May Disclose Confidential Information

ISO/IEC 17065 Clause 4.5 acknowledges that absolute non-disclosure is incompatible with the procedural integrity of accredited certification — accreditation oversight, regulatory compliance, and legal compulsion all create circumstances where limited disclosure is required or permitted. The disclosures permitted under this Policy are itemised exhaustively below; disclosures not on this list are not permitted, and Guardian’s personnel are trained to refuse them.

Disclosure to UAF During Accreditation Surveillance

Guardian’s accreditation by UAF is contingent on UAF’s ability to verify Guardian’s procedural compliance with ISO/IEC 17065 — and that verification requires UAF’s assessors to access Guardian’s records, including engagement-specific records that contain confidential applicant information. UAF assessor access during surveillance audits is mandated by accreditation. The disclosure is not optional, and Guardian’s Certification Agreement and VAPT Engagement Agreement explicitly authorise it.

Specific safeguards apply:

  • UAF assessors are themselves bound by confidentiality obligations to Guardian and to the applicants whose information they review — confidentiality obligations enforced by UAF’s own accreditation procedures and contractual arrangements with assessor personnel.
  • UAF assessor access is limited to information necessary for surveillance — assessors do not browse Guardian’s records freely; access is scoped to specific engagements selected for surveillance.
  • Witness audits — where UAF assessors observe Guardian conducting actual evaluation work — require the applicant’s awareness; Guardian notifies the applicant when an engagement is selected for witness audit and obtains the applicant’s consent before assessor presence.
  • UAF assessor access does not extend to information beyond what is necessary for accreditation oversight — for example, customer names disclosed for evaluation context that are not relevant to UAF’s procedural assessment are not specifically surfaced for UAF review unless UAF’s assessment requires them.

Disclosure to Regulators or Courts Under Legal Compulsion

Where applicable law, regulatory order, or court process compels Guardian to disclose specific confidential information, Guardian complies with the legal obligation. Where the legal compulsion is from a regulator or court in India, Guardian Assessment Private Limited handles the compulsion; where the compulsion is from a UK regulator or court, Guardian Assessment UK Ltd handles it. Compulsions from other jurisdictions are handled through the entity most directly subject to the jurisdiction, with internal coordination between the two entities.

Specific safeguards apply:

  • Where law permits, Guardian notifies the applicant of the compelled disclosure before complying — providing the applicant the opportunity to seek protective orders or other legal remedies. Where law prohibits notification (e.g., certain national-security contexts), Guardian complies with the prohibition.
  • Guardian discloses only the specific information compelled — not broader categories of information beyond what the legal instrument requires.
  • Guardian’s legal counsel reviews compulsions to confirm validity and to ensure that disclosed information is the minimum necessary.
  • Compelled disclosures are recorded in Guardian’s confidentiality breach register — not because they are breaches (they are lawful), but because the records support audit transparency.

Disclosure for Accreditation Peer Review and Mutual Recognition

In limited circumstances, peer-review processes operated by IAF, ILAC, or other accreditation-coordination bodies may require Guardian or UAF to share specific information for peer-evaluation purposes. Where this occurs:

  • The peer reviewers are themselves bound by accreditation-body confidentiality obligations equivalent to UAF’s.
  • Information shared is the minimum necessary for the peer-review purpose.
  • Disclosures of this type are infrequent and do not form part of routine operations.

Disclosures Not Permitted

Disclosures that are NOT permitted under this Policy include:

  • Disclosure to other applicants — Guardian does not share information about one applicant with another, including competitors. Standardised methodology is what other applicants benefit from, not engagement-specific information.
  • Disclosure to media or marketing materials — except with the specific applicant’s prior written consent. Guardian does not use case studies or testimonials without explicit case-by-case approval.
  • Disclosure to commercial partners — Guardian does not have referral, partnership, or marketing arrangements that would create disclosure obligations.
  • Disclosure for Guardian’s commercial advantage — confidential information learned during engagements is not used to inform Guardian’s commercial activities (such as scheme development, marketing strategy, or competitive positioning).

The bright line: If a disclosure is not on the explicit permitted list above, it is not permitted. Guardian’s personnel are trained to recognise disclosure requests outside the permitted list as requests to refuse — not as judgments to weigh case-by-case. Refusal is the default; permission is the exception, and the permitted exceptions are exhaustively listed in this Policy.

Information Guardian Discloses Publicly

ISO/IEC 17065 Clauses 4.6 and 7.8 require certain certification-related information to be publicly available. This information is, by design, NOT confidential — making it public is part of how accredited certification provides procurement-grade attestation. Applicants and certified clients should expect the information below to be publicly visible; the Certification Agreement explicitly authorises its public disclosure.

Public Information: What Is Disclosed and Where

The Certificate Itself

Each issued certificate is a public document. Certificate number, certified party name, certified product name, certified scope, Module + Level, certificate validity dates, and Guardian’s accreditation reference are all visible on the certificate face. Holders may share the certificate with prospects, regulators, auditors and other parties.

Public Scope Statement

A short formal statement of certified scope produced by Guardian for each certified client, suitable for public reference. The Public Scope Statement summarises what is certified, including Module, Level, product / version coverage, and geographic coverage where relevant, without disclosing confidential implementation details.

Public Directory Listing

Guardian maintains a Public Directory at /directory listing all currently certified products with their certificate references, scope summaries, and current status. The Directory implements ISO/IEC 17065 Clauses 4.6 and 7.8 requirements for public access to certification information.

Status Changes

Suspension, withdrawal, expiry and reinstatement of certificates are reflected in the Public Directory promptly per Cl. 7.8. Status changes themselves are public information; the underlying reasons, which may involve confidential evaluation findings, are not disclosed publicly except where the public Directory listing itself communicates the status type, such as Suspended or Withdrawn.

Mark Usage Authorisation

Where a certified client is authorised to use the Guardian SecureApp™ certification mark on their product, the existence of that authorisation is public, consistent with the Public Directory listing. The detail of mark usage agreements is per /marks-policy.

Guardian’s Accreditation

Guardian’s UAF accreditation, 52605385601, valid 06 May 2026 to 05 May 2030, is public information, verifiable on UAF’s directory at uafaccreditation.org. Guardian’s identity as an ISO/IEC 17065-accredited certification body is itself a public attribute.

This Policy and Companion Documents

This Confidentiality Policy, the Impartiality Statement at /impartiality, the Complaints and Appeals procedure at /complaints-appeals, the Marks Policy at /marks-policy, the Code of Conduct at /code-of-conduct, and the scheme document GSA-PR-01, where publicly disclosed, are public documents. Their public availability is itself part of the trust framework.

Information beyond the items listed in this section retains its confidential status, regardless of whether the certified client believes it should be public or whether third parties request public disclosure of it. The Public Directory and Public Scope Statement are deliberately constructed to disclose what procurement and audit audiences need without disclosing confidential implementation, finding-level, or business information.

How Guardian’s People Maintain Confidentiality

The confidentiality commitments documented in this Policy are operationalised by the personnel who handle confidential information — Guardian’s employees, contractors, Decision Authority personnel, Reviewers, Impartiality Committee members, and other authorised parties. Personnel discipline is the layer where confidentiality discipline most often succeeds or fails in practice; Guardian invests substantively in this layer.

Confidentiality Agreements

All Guardian personnel — employees, contractors, Decision Authority personnel, Reviewers, Impartiality Committee members — sign confidentiality agreements before being granted access to confidential information. The agreements:

  • Cover all categories of confidential information described in Section 3.2 above
  • Apply during employment or engagement and continue after the relationship ends — surviving obligations are not time-limited and apply for the lifetime of the information’s commercial sensitivity
  • Specify civil liability for breach and acknowledge that breach may be grounds for termination of employment or engagement
  • Are reviewed and updated when material changes to the regulatory environment, the Guardian operational structure, or the threat environment warrant revision

The agreements are between the personnel and Guardian Assessment Private Limited (for India-based personnel) or Guardian Assessment UK Ltd (for UK-based personnel), reflecting the entity through which the personnel are engaged. Both entities maintain consistent agreement substance — only the contracting entity differs by jurisdiction.

Awareness and Training

Confidentiality agreements alone are insufficient — they create legal accountability but do not produce day-to-day operational compliance on their own. Guardian’s confidentiality programme includes:

  • Onboarding training for all new personnel covering confidentiality categories (Section 3.2), permitted disclosures (Section 3.3), public information boundaries (Section 3.4), and personal-data handling discipline
  • Annual refresher training for all personnel covering updates to this Policy and to handling procedures, recent regulatory developments (DPDP Act updates, UK GDPR developments), and lessons learned from internal audit findings
  • Engagement-specific awareness — at the start of each certification engagement, the lead evaluator briefs the engagement team on engagement-specific confidentiality factors (e.g., the applicant has unusual sensitivity around specific product roadmap information; certain customer references are not to be discussed beyond the immediate evaluator team)
  • Incident-response training for personnel likely to encounter confidentiality concerns first — front-line evaluators trained to recognise and escalate, rather than judging case-by-case

Surviving Obligations

Confidentiality obligations survive the end of employment or engagement. A Guardian employee who leaves Guardian remains subject to confidentiality obligations regarding information they accessed during employment. A Guardian contractor whose engagement ends remains subject to confidentiality obligations regarding information they accessed during the engagement. The Impartiality Committee is informed where former personnel are subsequently identified as a possible vector for confidentiality concerns; the Committee assesses and recommends action where concerns are substantive.

The continuing obligations are not unique to Guardian — they are standard for accredited certification bodies and align with industry practice for organisations handling sensitive client information. They are documented in confidentiality agreements signed at the start of employment or engagement.

How Confidential Information Is Stored and Eventually Disposed Of

Operational confidentiality discipline depends on the technical and procedural controls applied to confidential information across its lifecycle — from receipt during engagement to eventual secure destruction at end of retention. Guardian’s data handling discipline is described below, addressed at policy level (specific implementation details are internal procedures audited by UAF rather than published).

Storage and Encryption

Confidential information is stored on Guardian-controlled systems with encryption at rest and encryption in transit applied across all storage and communication paths. Storage systems are operated by both entities (India-domiciled storage for Guardian Assessment Private Limited, UK-domiciled storage for Guardian Assessment UK Ltd, with appropriate cross-border safeguards covered in Section 3.7). Storage architectures are reviewed during UAF accreditation surveillance and adjusted where surveillance findings or environment changes warrant. Source code provided by applicants is handled under additional safeguards — typically segregated storage with role-based access limited to the specific evaluator team for the engagement.

Access Control

Access to confidential information is on a need-to-know basis — limited to personnel whose role requires access for the specific engagement. Within an engagement team, finer access boundaries apply where they support the work without creating operational friction (e.g., source code access limited to evaluators conducting code review; reproduction evidence accessible to all evaluators on the team). Access is logged in audit trails reviewed periodically by Guardian’s internal audit function and accessible to UAF during accreditation surveillance.

Retention Period

Engagement records — including the substantive confidential information described in Section 3.2 — are retained for a defined period after the certification cycle ends or the VAPT engagement closes. Standard retention is three years post-cycle for certification engagements (matching the certification cycle length and supporting cycle-end recertification continuity) and three years post-engagement for VAPT engagements. Specific retention periods may be longer where applicable law requires (e.g., tax, audit, or regulatory record-keeping requirements). Retention periods are documented in the Certification Agreement and VAPT Engagement Agreement.

Secure Destruction

After the retention period expires, confidential information is securely destroyed using methods appropriate to the storage medium — cryptographic erasure for encrypted digital storage, certified physical destruction for physical media. Destruction is recorded — Guardian maintains a Destruction Register that documents what was destroyed, when, by whom, and using what method. The Register supports audit transparency and provides applicants the ability to verify retention and destruction discipline through the Complaints and Appeals procedure if they wish.

Backup and Continuity

Confidential information is backed up under the same access-control and encryption discipline as primary storage. Backup retention is aligned to primary-storage retention — backups containing information past its retention period are securely destroyed alongside the primary copies. Continuity arrangements (disaster recovery, business continuity) preserve confidentiality discipline; emergency access procedures require specific authorisation and are logged.

How Information Flows Between Guardian’s Two Entities

Guardian operates as a multi-country certification body with the principal operating entity in India (Guardian Assessment Private Limited) and a Critical Location in the UK (Guardian Assessment UK Ltd). The two-entity structure is itself disclosed earlier in this Policy (the Two-Entity Disclosure Block above) and reflects the multi-country activities framework defined in IAF MD 12:2023. Information flow between the two entities and to evaluators wherever they are based is unavoidable in delivering accredited certification across jurisdictions; managing those flows safely is a substantive part of this Policy.

Cross-Border Transfer Safeguards

Where confidential information crosses jurisdictional borders — between India and UK Guardian entities, between Guardian and applicants in third countries, between Guardian and contractors based outside India and UK — appropriate safeguards apply per the privacy frameworks described in Section 3.8 below. The specific safeguards depend on the jurisdictions involved and on the nature of the information; data protection officers at applicant organisations who require specific transfer-mechanism information are encouraged to raise the request through scoping conversation, where Guardian’s leadership can address it specifically rather than at the policy-overview level.

This Policy does not commit to specific cross-border transfer mechanisms (Standard Contractual Clauses, adequacy decisions, binding corporate rules) at the policy level because the appropriate mechanism varies by applicant jurisdiction and by the specific data involved. The safeguards actually applied are documented in the Certification Agreement on a per-engagement basis and are reviewed during UAF accreditation surveillance.

Personal Data Handling Across Two Jurisdictions

Confidential information includes personal data — names, contact details, role descriptions, and other personal attributes of applicant personnel and Guardian personnel. Personal data is subject to additional safeguards beyond general confidentiality discipline, governed by the privacy frameworks applicable to the entity holding the data. Both Guardian entities operate in compliance with their respective applicable frameworks.

India — Digital Personal Data Protection Act 2023

Guardian Assessment Private Limited (India) handles personal data subject to the Indian Digital Personal Data Protection Act 2023 (DPDP Act) and rules issued thereunder. Operational implications include:

  • Personal data is handled for the specific purpose of conducting certification engagements and the VAPT service; secondary uses inconsistent with that purpose require explicit consent or fall under specified DPDP exemptions
  • Data principals (in DPDP terminology — the individuals whose personal data is processed) have rights documented under the Act, including correction, erasure (subject to record-retention exceptions), and grievance redressal
  • Guardian’s role under the DPDP Act in respect of certification engagements is typically as Data Fiduciary for personal data of Guardian’s own personnel, and as a service provider acting on behalf of the applicant Data Fiduciary in respect of personal data of applicant personnel disclosed during engagement
  • Cross-border transfer of personal data complies with DPDP requirements, including transfer to whitelisted jurisdictions where the central government has notified them and to other jurisdictions under permitted bases

UK — UK GDPR and Data Protection Act 2018

Guardian Assessment UK Ltd handles personal data subject to the UK General Data Protection Regulation and the Data Protection Act 2018. Operational implications include:

  • Personal data is processed lawfully under UK GDPR, with the lawful basis depending on the specific processing activity — typically contractual necessity (for engagement-related personal data) or legitimate interest (for general business operations)
  • Data subjects have UK GDPR rights including access, rectification, erasure (subject to record-retention exceptions), restriction, portability, and objection
  • Guardian Assessment UK Ltd is registered with the UK Information Commissioner’s Office (ICO) where required by Data Protection Act 2018
  • International transfers of personal data — including to Guardian Assessment Private Limited (India) — are governed by appropriate UK GDPR mechanisms (UK-IDTA, ICO-approved Standard Contractual Clauses, or other valid bases per Schedule 21 of DPA 2018 transitional provisions)

Privacy Contact for Data Subjects

Data subjects with privacy-related inquiries — exercising rights under DPDP or UK GDPR, raising privacy concerns, requesting clarification on personal data handling — can contact Guardian through the privacy contact established for the entity that holds their personal data. The privacy contact is reachable through /contact, with privacy inquiries routed to the appropriate entity. Response timelines comply with the applicable privacy framework’s statutory requirements.

Limitations of this section: This section provides operational orientation on Guardian’s privacy compliance, not legal advice. Privacy frameworks are evolving — the DPDP Act in India is still in implementation rollout; UK GDPR is subject to ongoing regulatory and legislative developments. Applicants whose engagement requires specific privacy-framework analysis (e.g., specific personal data flow assessment for their compliance programmes) should raise the requirement during scoping conversation; Guardian’s leadership will address it specifically rather than relying on this policy-level overview.

Recourse for Stakeholders

Stakeholders who become aware of confidentiality concerns relating to Guardian’s certification activities or VAPT service — actual breaches, suspected breaches, concerns about specific information handling — are encouraged to raise them. The available recourse paths are described below; they parallel the impartiality recourse paths in Page 22 Section 3.9 and are administered through the same procedural framework.

Through the Complaints and Appeals Procedure

Guardian’s documented Complaints and Appeals procedure under ISO/IEC 17065 Clause 7.13 — at /complaints-appeals — handles confidentiality concerns as an explicit complaint category. Investigation is conducted by personnel independent of the matter complained about, with structured escalation to senior leadership where investigation reveals concerns warranting action. The procedure is available to applicants, certified clients, third parties (including individuals whose personal data may be involved), and members of the public.

Through the Privacy Contact

Privacy-specific concerns — exercising data subject rights, raising specific personal data handling concerns — are handled through Guardian’s privacy contact, accessible through /contact with privacy routing. Privacy inquiries receive responses within timelines required by the applicable privacy framework (DPDP Act timelines for India-domiciled inquiries; UK GDPR timelines for UK-domiciled inquiries).

Through UAF

Stakeholders who wish to raise confidentiality concerns directly with Guardian’s accreditation body may contact UAF at uafaccreditation.org. UAF’s accreditation oversight includes verifying Guardian’s confidentiality discipline; concerns raised with UAF can inform UAF’s surveillance focus and, where substantive, can produce accreditation-level action.

Non-Retaliation Commitment

Guardian commits to non-retaliation against complainants raising confidentiality concerns. The commitment matches the impartiality non-retaliation commitment documented in Page 22 Section 3.9, applies through the same procedural framework, and is verified during UAF surveillance through review of complaints handling records. Raising a confidentiality concern does not affect any current or future certification engagement, surveillance audit, or commercial relationship between Guardian and the complainant.

Closing commitment: The confidentiality framework documented in this Policy is foundational to Guardian’s role as an accredited certification body. Applicants disclose substantial confidential information during certification — source code, architecture details, finding evidence, business information — and the confidence to make those disclosures depends on confidentiality discipline that is operationally real, not just documented. The commitments in this Policy are operational; they are audited; they are enforced; and they are publicly stated so stakeholders can hold Guardian accountable to them. We welcome that accountability through any of the recourse channels described above.

Common Questions, Answered

Yes. Source code provided to Guardian for review (typically at Levels 2 and 3) is treated as confidential information under ISO/IEC 17065 Cl. 4.5. Specific safeguards: segregated storage with role-based access limited to the specific evaluator team for the engagement; encryption at rest and in transit; access logging; secure destruction after the retention period (typically 3 years post-cycle). Source code is not used by Guardian for any purpose beyond the specific engagement, is not shared with other applicants, and is not retained beyond the documented retention period. The Certification Agreement formalises these commitments.

UAF assessor access during accreditation surveillance is mandated by Guardian’s accreditation. Specific safeguards apply: UAF assessors are themselves bound by confidentiality obligations enforced through UAF’s accreditation procedures; access is scoped to specific engagements selected for surveillance, not free browsing; witness audits (UAF observing actual evaluation work) require applicant consent; access does not extend beyond what is necessary for accreditation oversight. The Certification Agreement explicitly authorises UAF assessor access. Without this access, UAF could not verify Guardian’s procedural compliance with ISO/IEC 17065 — which is what makes Guardian’s accreditation meaningful.

In limited circumstances, yes — where applicable law, regulatory order, or court process compels disclosure. Specific safeguards: where law permits, Guardian notifies the affected applicant before complying so the applicant can seek protective orders; Guardian discloses only the specific information compelled, not broader categories; legal counsel reviews compulsions to ensure validity and minimum disclosure. Compulsions from Indian regulators or courts are handled by Guardian Assessment Private Limited; UK regulators or courts by Guardian Assessment UK Ltd. Compulsions are recorded in our internal disclosure register for transparency.

The certificate itself, the Public Scope Statement, the Public Directory listing at /directory, and any status changes (suspension, withdrawal, expiry, reinstatement) per ISO/IEC 17065 Cl. 4.6 and Cl. 7.8. The detail of evaluation findings, source code, architecture, threat models, business information, and other engagement-specific substance remains confidential and is NOT disclosed publicly. The Public Directory and Public Scope Statement are deliberately constructed to disclose what procurement and audit audiences need without disclosing confidential implementation, finding-level, or business information.

Yes. Guardian Assessment Private Limited (India) handles personal data subject to the Indian Digital Personal Data Protection Act 2023 (DPDP Act) and rules issued thereunder. Personal data is handled for the specific purpose of certification engagements and the VAPT service; data principals have rights under the Act including correction and grievance redressal; cross-border transfer of personal data complies with DPDP requirements. This page is not legal advice; applicants requiring a specific DPDP compliance assessment should raise the requirement during the scoping conversation.

Yes. Guardian Assessment UK Ltd handles personal data subject to UK GDPR and the Data Protection Act 2018. Personal data is processed lawfully under UK GDPR with appropriate lawful basis per processing activity; data subjects have UK GDPR rights (access, rectification, erasure, restriction, portability, objection); Guardian Assessment UK Ltd is registered with the UK ICO where required. International transfers — including to Guardian Assessment Private Limited (India) — are governed by appropriate UK GDPR mechanisms. Specific UK GDPR compliance details for an engagement are addressed in scoping conversation.

Guardian Assessment Private Limited (India, CIN U74999MH2018PTC307933) is the principal operating entity holding our UAF accreditation. Guardian Assessment UK Ltd (Companies House 15450822) is a Critical Location supporting UK and European operations under the IAF MD 12:2023 multi-country activities framework. Both entities operate to common procedures and consistent confidentiality discipline. Information flow between them is governed by the same access controls, encryption, and confidentiality agreements as within-entity storage; cross-border transfer safeguards apply per the privacy frameworks described in Sections 3.7 and 3.8.

Standard retention is three years post-cycle for certification engagements (matching the certification cycle length and supporting cycle-end recertification continuity) and three years post-engagement for VAPT engagements. Specific retention periods may be longer where applicable law requires (e.g., tax or audit record-keeping). After retention expires, records are securely destroyed using methods appropriate to the medium — cryptographic erasure for encrypted digital storage, certified physical destruction for physical media. Destruction is recorded in Guardian’s Destruction Register for audit transparency. The specific retention period for your engagement is in your Certification Agreement.

No, not without your specific prior written consent. Guardian does not use case studies, testimonials, or references without explicit case-by-case approval; reference and testimonial use is not negotiated as part of certification engagements (per the Impartiality Statement Section 3.4 — marketing/promotional impartiality threat). The Public Directory listing at /directory is the public visibility your certificate carries; anything beyond that requires your separate consent.

Confidentiality discipline continues. Confidential information received during the engagement remains subject to the same protections after the engagement closes, after the certificate is withdrawn, and after the relationship between Guardian and the certified client otherwise ends. Surviving obligations are not time-limited and apply for the lifetime of the information’s commercial sensitivity. Personnel confidentiality agreements explicitly cover post-employment and post-engagement confidentiality.

Yes — ISO/IEC 17065 Clause 4.6 (Publicly Available Information) and Clause 7.8 (Status of Certification) require the certification body to maintain publicly available information about issued certificates and their status. The Public Directory at /directory implements these clauses. The Directory is not optional disclosure; it is part of the procedural integrity that makes accredited certification publicly verifiable. The substance and discipline of what is disclosed are what matter — that is what Sections 3.4 and 3.7 of the Public Directory page detail.

Raise it through the Complaints and Appeals procedure at /complaints-appeals. Confidentiality concerns are an explicit complaint category, with investigation conducted by personnel independent of the matter complained about and structured escalation where investigation reveals concerns warranting action. The procedure is available to applicants, certified clients, third parties (including individuals whose personal data may be involved), and members of the public. Privacy-specific concerns can also be raised directly through Guardian’s privacy contact (via /contact with privacy routing). For the strongest external recourse, concerns can be raised with UAF directly at uafaccreditation.org.

Yes. Contractor engagements with Guardian — including independent evaluators engaged for specific certification work — are subject to the same confidentiality agreements as employee relationships. The agreements cover all categories of confidential information described in Section 3.2, apply during the engagement and after it ends, and specify civil liability for breach. Contractor confidentiality discipline is part of what UAF reviews during accreditation surveillance.

Possibly, depending on your testing environment. Where evaluation activities are conducted against environments containing real customer data, that data is incidentally accessible to evaluators. Guardian’s preference is for evaluation against environments with synthetic or anonymised data wherever practicable; this is discussed during scoping. Where evaluation against real-customer-data environments is required, additional safeguards apply including specific access scoping, evaluator awareness of data handling obligations, and audit trail discipline. Personal data of your customers accessed during evaluation is treated as confidential information of yours under this Policy and as personal data subject to applicable privacy frameworks.

Per IAF MD 12:2023 (Application of ISO/IEC 17011 to Certification Bodies’ Activities in Multi-Country Activities), a Critical Location is a non-headquarter location of a certification body that performs activities affecting the integrity of accreditation — such as performing evaluation work, scoping engagements, or interfacing with applicants. Guardian Assessment UK Ltd is a Critical Location supporting UK and European operations. UAF’s accreditation of Guardian explicitly addresses the Critical Location structure; the structure is itself part of what UAF audits during surveillance. The structure does not change Guardian’s accreditation; it expands the geographic footprint over which the accreditation operates.

The Certification Agreement is provided to applicants for review during the application process — typically after the Indicative Quote and before signing. Applicants assessing whether Guardian is the right certification body for their needs may request the standard form of the Certification Agreement during the scoping conversation; we can share the standard form for review, with confidentiality terms in place, even before formal application. The VAPT Engagement Agreement is similarly available for review during VAPT scoping conversations.
