Here's Exactly What We Do (and Don't Do) with Your Data.
PolicyGuard helps you govern AI usage. That means we take data handling seriously. No vague promises. No certification theater. Just transparency about how your data is stored, processed, and protected.
We Don't Govern AI with More AI.
Most governance platforms use AI to generate policies, score compliance, and summarize audit trails. That means your sensitive organizational data gets sent to third-party AI APIs for processing. PolicyGuard takes a fundamentally different approach.
Zero Data Sent to AI Models
Your compliance data never leaves our infrastructure to be processed by OpenAI, Anthropic, Google, or any other AI provider. Not for policy generation. Not for scoring. Not for summaries. Never.
100% Deterministic Code
Every enforcement decision in PolicyGuard is made by rule-based, deterministic code that you can predict and verify. No black box scoring. No probabilistic outputs. No hallucinations.
Expert-Curated Content
Policy templates, training modules, and quiz questions are written by compliance professionals. Not generated by AI. Every word has been reviewed by a human expert before reaching your employees.
The Extension Tracks Acknowledgments, Not Conversations.
We know that deploying a browser extension to every employee raises questions. Here's exactly what the PolicyGuard extension does and does not do.
What the extension DOES:
- Detects when an employee opens a supported AI tool
- Shows a popup with your policy highlights
- Records the timestamp when an employee clicks "I Acknowledge"
- Reports acknowledgment status back to the admin dashboard
What the extension NEVER does:
- Read, capture, or store any conversation content
- Log keystrokes or monitor typing
- Take screenshots or record screen activity
- Track browsing history beyond AI tool detection
- Access any data outside the active AI tool tab
- Send any employee data to third-party services
[Illustration: the extension popup, titled "AI Acceptable Use Policy", with the notes "This acknowledgment is timestamped and logged." and "PolicyGuard does not read your conversations."]
How Your Data Is Stored and Protected.
Encryption in Transit and at Rest
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Database connections are encrypted. API communications are encrypted. There is no point where your data travels unprotected.
Data Isolation
Every organization's data is logically isolated using row-level security policies. Your employees can only see policies and training assigned to their department. Admins can only see data from their own organization. No cross-tenant access is possible.
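To show what organization-level and department-level isolation looks like when enforced by Postgres row-level security (the mechanism Supabase exposes), here is an added illustration; it is not PolicyGuard's own schema or policies, and the table names, columns and the `auth.uid()` lookup are assumptions.

```sql
-- Illustrative tenant-isolation policies (assumed schema, not PolicyGuard's own code).
-- profiles maps an authenticated user to exactly one organization and department;
-- policies holds per-organization policy documents, optionally scoped to a department.
create table if not exists profiles (
  user_id    uuid primary key,        -- matches the authenticated user's id
  org_id     uuid not null,
  department text not null,
  role       text not null check (role in ('admin', 'employee'))
);

create table if not exists policies (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  department text,                    -- NULL means the policy applies org-wide
  title      text not null
);

-- A user may read only their own profile row; every other policy below builds on this.
alter table profiles enable row level security;
create policy profile_self_read on profiles for select
  using (user_id = auth.uid());     -- auth.uid(): Supabase helper, assumed available

-- Tenant is derived from the authenticated identity, never from a client-supplied org id.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select org_id from profiles where user_id = auth.uid()
$$;

alter table policies enable row level security;
alter table policies force row level security;   -- applies even to the table owner role

-- Employees: policies of their own org that are org-wide or assigned to their department.
create policy employee_read_policies on policies for select
  using (
    org_id = current_org_id()
    and (department is null
         or department = (select department from profiles where user_id = auth.uid()))
  );

-- Admins: full control inside their org; WITH CHECK blocks writing rows into another org.
create policy admin_manage_policies on policies for all
  using (org_id = current_org_id()
         and exists (select 1 from profiles where user_id = auth.uid() and role = 'admin'))
  with check (org_id = current_org_id());
```

The `using` clause filters what a query can see; without the matching `with check` clause, an admin could still insert or update a row with a foreign `org_id`, so both are needed for the cross-tenant guarantee to hold on writes as well as reads.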
Role-Based Access Control
Role-based access control separates admin and employee permissions completely. Employees see a clean, limited interface with only their assigned policies and training. Admins retain full organizational control. Department-based scoping ensures people only access what's relevant to them.
Backups and Recovery
Backups run automatically every day, with point-in-time recovery. Your compliance data, acknowledgment logs, and training records are protected against data loss. Backup data is encrypted with the same standards as production data.
Factual Timestamps. Not AI-Generated Summaries.
Every compliance event in PolicyGuard is logged as a factual record: who did what, when they did it, and which policy it relates to. These are immutable timestamps, not AI-generated interpretations. When you export an audit report, you're exporting exactly what happened. No AI summarization, no paraphrasing, no risk of hallucinated compliance data.
What We Don't Claim.
We believe in being transparent about where we are, not where we wish we were.
No SOC 2 Certification (Yet)
We're a pre-seed startup focused on building the best compliance governance tool possible. SOC 2 certification is on our roadmap as we scale, but we won't claim it before we have it. Our infrastructure provider (Supabase) maintains SOC 2 Type II certification for the underlying database and authentication services.
No Penetration Testing Report (Yet)
We follow secure development practices and conduct internal security reviews, but we haven't engaged a third-party penetration testing firm yet. This is planned for post-funding.
No Bug Bounty Program (Yet)
We welcome responsible disclosure of security issues. If you find a vulnerability, contact us at security@getpolicyguard.com and we'll work with you to resolve it promptly.