Security
Last updated: 29 May 2026
Security is the foundation of Gardia. We run entirely on Microsoft Azure in the EU, with least-privilege access, encryption everywhere, and per-tenant isolation enforced at the database row level. This page summarises our posture; detailed documentation is available under NDA.
Hosting & data residency
Production runs on Microsoft Azure in France Central, with AI inference in EU regions (Sweden Central). Customer documents and extractions do not leave the EU. No customer data is used to train third-party AI models.
Encryption
All data is encrypted in transit with TLS 1.2+ and at rest with AES-256. Secrets and credentials are held in Azure Key Vault (RBAC mode, soft-delete and purge protection enabled) — never in source code or logs.
Access control & tenant isolation
Every customer is a logically isolated tenant. Data is separated at the PostgreSQL row level (Row-Level Security), so one tenant can never read another's rows. Administrative access uses Microsoft Entra ID with MFA, and all compute runs under a single least-privilege managed identity — no shared admin keys.
Monitoring & logging
We use Azure Log Analytics and Application Insights for application monitoring and a tamper-evident audit trail. Telemetry is sanitised to avoid capturing document contents.
Backups & recovery
The database uses automated daily encrypted backups with point-in-time recovery. Blob storage uses locally redundant storage with shared-key access disabled and public access off.
Vulnerability management
Container images are scanned for vulnerabilities, dependencies are kept current, and the platform is patched on a regular cadence. We welcome responsible disclosure (see below).
Incident response
We maintain a documented incident-response process and will notify affected customers of a confirmed personal-data breach within 72 hours, in line with GDPR Art. 33.
Compliance
Gardia is built to be GDPR-compliant and HDS-aligned (French health-data hosting principles), EU-hosted end to end. A Data Processing Agreement is available — see our DPA summary and Subprocessors list.
Report a vulnerability
Found a security issue? Email security@gardia.cloud. We acknowledge reports within 2 business days and will keep you updated through resolution. Please do not publicly disclose the issue until we have had a chance to fix it.