Security at guardID

At guardID, we take your privacy and security seriously, not as optional features but as foundational principles baked into everything we do. Our mission is to protect your identity, shrink your digital exposure, and safeguard your data against unauthorised access, tracking, and misuse, with industry-leading controls that go beyond standard privacy tools.

Phishing-Resistant Multi-Factor Authentication (MFA). Every guardID system is protected by advanced phishing-resistant MFA, the strongest form of MFA available today. This goes beyond legacy MFA (such as SMS codes or push notifications) by requiring authentication methods that resist credential theft, man-in-the-middle and session hijacking attacks, namely cryptographic device-bound factors (e.g., passkeys, FIDO2 security keys, platform authenticators). This significantly raises the bar against modern phishing threats.

We enforce HTTPS-only access across our entire domain, ensuring that all connections between users and the platform are encrypted and authenticated. By refusing insecure HTTP traffic, we eliminate the risk of data being exposed through passive monitoring or active interception. This guarantees that sensitive information cannot be read or altered by third parties while in transit whenever you use our service.

To further strengthen transport security, we prioritise the latest Transport Layer Security standard, TLS 1.3, while enforcing a minimum of TLS 1.2. TLS 1.3 provides improved cryptographic protections, faster and more secure handshakes, and stronger resistance to modern attack techniques. By disabling outdated and vulnerable protocol versions, we prevent downgrade attacks and ensure all users benefit from current, secure encryption practices.

We also deploy HTTP Strict Transport Security (HSTS), which instructs web browsers to always connect to the platform using HTTPS. This protection remains in effect even if a user attempts to access the site through an insecure link, preventing attackers from redirecting traffic to unencrypted connections. By enabling HSTS preload, guardID’s HTTPS-only policy is built directly into major browsers, eliminating the risk of first-visit attacks such as SSL stripping before you ever visit our website.
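The two transport controls above, the TLS 1.2 floor and an HSTS header that qualifies for browser preloading, are easy to get subtly wrong (a short max-age, or a missing includeSubDomains or preload directive, silently disqualifies a domain from the preload list). The following added example, which is not guardID's own code, parses a Strict-Transport-Security header and reports why it would fail the public hstspreload.org submission rules (one-year max-age, includeSubDomains, preload), and builds a Python server TLS context that refuses anything below TLS 1.2. The sample header values are constructed.

```python
"""Check an HSTS header against the preload-list requirements and build a
server TLS context with a TLS 1.2 floor. Added example; the thresholds follow
the public hstspreload.org submission rules."""
import ssl

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds, per hstspreload.org


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value into a directive map.

    Directives are ';'-separated and case-insensitive (RFC 6797); a flag
    directive such as includeSubDomains maps to True, a valued one to its
    string value (quotes stripped).
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def hsts_preload_problems(header_value: str) -> list:
    """Return the reasons a header is not preload-eligible; [] means it is."""
    d = parse_hsts(header_value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None:
        problems.append("missing max-age")
    elif not str(max_age).isdigit():
        problems.append("max-age is not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if d.get("includesubdomains") is not True:
        problems.append("missing includeSubDomains")
    if d.get("preload") is not True:
        problems.append("missing preload")
    return problems


def server_tls_context() -> ssl.SSLContext:
    """Server-side context that rejects TLS 1.0/1.1 handshakes outright.

    TLS 1.3 is negotiated automatically whenever the client supports it, so a
    floor of 1.2 is all that needs to be pinned.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will accept."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    # Constructed sample headers: one preload-ready, one typical weak default.
    for header in ("max-age=63072000; includeSubDomains; preload", "max-age=300"):
        print(repr(header), "->", hsts_preload_problems(header) or "preload-ready")
    print("TLS floor:", tls_floor(server_tls_context()))
```

Run it against the header your own origin actually returns (for example the value shown by `curl -sI https://example.test | grep -i strict`) rather than the one you think your config sets; reverse proxies and CDNs frequently rewrite or drop it.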

Domain Name System Security Extensions (DNSSEC) are enabled to protect the integrity of guardID’s domain resolution. DNSSEC ensures that DNS responses are cryptographically signed and verified, preventing attackers from poisoning DNS caches or redirecting users to malicious infrastructure. This guarantees that users are always connected to authentic guardID services rather than fraudulent look-alike sites.

Email security is treated as a critical component of guardID’s overall security posture. We implement Sender Policy Framework (SPF) to ensure that only authorised mail servers are permitted to send email on behalf of the domain. This significantly reduces the ability of attackers to spoof our email addresses for phishing or impersonation campaigns.

In addition, we use DomainKeys Identified Mail (DKIM) to cryptographically sign outgoing email messages. DKIM allows receiving mail servers to verify that emails genuinely originated from us and that their contents have not been altered during transmission. This protects users from tampered messages and strengthens trust in official communications.

Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM by defining how unauthenticated or suspicious emails should be handled by recipient mail systems. By enforcing DMARC policies, we ensure that spoofed or fraudulent emails claiming to come from our domain are rejected or quarantined, dramatically reducing phishing risk.

To protect the confidentiality of email in transit, we enable Mail Transfer Agent Strict Transport Security (MTA-STS). This requires any MTA-STS-aware mail server delivering messages to guardID to use encrypted TLS connections, and prevents downgrade attacks that attempt to force insecure delivery. As a result, email communications are protected against interception and manipulation while moving between servers. Additionally, email we send to any mail server that supports MTA-STS is delivered fully encrypted.
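SPF, DMARC and MTA-STS are all published as plain text records, and each has a weak setting that looks deployed but protects nothing: an SPF record ending in `~all` or `+all`, a DMARC policy of `p=none` or a `pct` below 100, or an MTA-STS policy left in `testing` mode. The added example below, which is not guardID's tooling, parses each record and reports such weak settings, using constructed records for the hypothetical domain example.test. DKIM is omitted because verifying it needs the signer's public key and a signed message, not just a DNS record.

```python
"""Lint the mail-authentication records a domain publishes: SPF should end in
'-all' and stay under the 10-lookup limit, DMARC should enforce
p=reject/quarantine at 100% with a reporting address, and the MTA-STS policy
should be in 'enforce' mode. Added example; the records are constructed for
the hypothetical domain example.test."""
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 is a permerror

# Constructed sample records for example.test (not real DNS data).
SAMPLE_SPF = "v=spf1 include:_spf.mailprovider.test ip4:203.0.113.0/24 -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; pct=100"
SAMPLE_MTA_STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.test
mx: *.backup.example.test
max_age: 604800
"""


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' DMARC record into a lower-cased tag map."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_problems(record: str) -> list:
    """Weak or invalid settings in an SPF TXT record ([] means it is fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    problems = []
    final = terms[-1].lower()
    if final in ("+all", "all", "?all"):
        problems.append("'all' is pass/neutral: anyone may send as the domain")
    elif final == "~all":
        problems.append("'~all' only softfails spoofed mail; use '-all'")
    elif final != "-all" and not final.startswith("redirect="):
        problems.append("record does not end with '-all'")
    # Each include/a/mx/ptr/exists mechanism and redirect modifier costs a DNS lookup.
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        problems.append(f"{lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT}")
    return problems


def dmarc_problems(record: str) -> list:
    """Settings that leave a DMARC record in monitoring rather than enforcement."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    policy = tags.get("p")
    if policy not in ("reject", "quarantine"):
        problems.append(f"p={policy} does not reject or quarantine spoofed mail")
    sub = tags.get("sp")
    if sub is not None and sub not in ("reject", "quarantine"):
        problems.append(f"sp={sub} leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        problems.append("pct below 100 applies the policy to only a sample of mail")
    if "rua" not in tags:
        problems.append("no rua: aggregate reports about spoofing attempts are lost")
    return problems


def mta_sts_problems(policy_text: str) -> list:
    """Check the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields, mx_hosts = {}, []
    for line in policy_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx_hosts.append(value)
        else:
            fields[key] = value
    problems = []
    if fields.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if fields.get("mode") != "enforce":
        problems.append(f"mode={fields.get('mode')} does not block unencrypted delivery")
    if not mx_hosts:
        problems.append("no mx entries, so senders cannot validate the MX certificate")
    if not fields.get("max_age", "").isdigit():
        problems.append("max_age missing or not an integer")
    return problems


def mail_auth_report(spf: str, dmarc: str, sts_policy: str) -> dict:
    """Problems per mechanism; an all-empty report means enforcement is in place."""
    return {"spf": spf_problems(spf), "dmarc": dmarc_problems(dmarc),
            "mta-sts": mta_sts_problems(sts_policy)}


if __name__ == "__main__":
    for name, issues in mail_auth_report(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_MTA_STS_POLICY).items():
        print(f"{name}: {'ok' if not issues else issues}")
```

Feed it the live records (the domain's `TXT`, `_dmarc.<domain>` `TXT`, and the policy file fetched over HTTPS) to turn this into a periodic check; a record that drifts from `p=reject` to `p=none`, or a policy that is rolled back to `testing` during a mail-provider migration and never restored, is exactly the regression this catches.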

These network, domain, and communication-level protections operate alongside our phishing-resistant multi-factor authentication and data-minimisation practices. Together, they form a layered security model that protects users before, during, and after they interact with the platform, reducing exposure, preventing impersonation, and ensuring trust at every point of contact.

In short, we don’t skip the small details which, combined, help make you and all our other members more secure. Can the other organisations you deal with say the same?