We believe security tools must be trustworthy themselves. Here is exactly how we handle your data, secure our infrastructure, and design our agent.
PortGuard collects the minimum data needed to enforce USB policies. We have no visibility into file contents, user activity, or anything beyond device presence.
All data moving between your endpoints and PortGuard infrastructure is encrypted. All stored data is encrypted at the storage layer.
Every call to api.portguard.tech is served over HTTPS enforced at the CloudFront layer. TLS 1.0 and 1.1 are explicitly disabled. Certificates are auto-rotated via AWS Certificate Manager.
Real-time policy push uses AWS IoT Core's MQTT broker, which requires TLS for all connections. The agent authenticates with a unique per-device X.509 certificate provisioned at enrollment.
All data stored in PortGuard's DynamoDB tables is encrypted at rest using AWS-managed AES-256 keys. Encryption is applied transparently at the storage layer before data is written to disk.
app.portguard.tech enforces HTTPS with HSTS headers. Session tokens are short-lived JWTs transmitted only over TLS and never stored in localStorage — only in memory.
PortGuard runs entirely on AWS infrastructure in us-east-1 with no persistent servers to patch, no long-lived credentials, and no single points of failure.
Our API runs on AWS Lambda. There are no long-running servers to compromise or patch. Each invocation is isolated, short-lived, and runs with least-privilege IAM roles.
Policy enforcement uses AWS IoT Core's fully managed MQTT broker. Device certificates are provisioned per-enrollment and can be revoked instantly via the console or API.
All application data lives in a single DynamoDB table with on-demand capacity. AWS manages replication, durability, and availability across multiple AZs automatically.
Both portguard.tech and app.portguard.tech are served via CloudFront. Origin access control ensures S3 buckets are never publicly accessible — only via CloudFront.
We run no EC2 instances for the application layer. There are no virtual machines to patch, no SSH keys to rotate, and no server OS attack surface.
PortGuard production runs in a dedicated AWS account (345644954781). Development and production environments share no credentials, no IAM roles, and no data.
The PortGuard Windows agent is deliberately minimal. It does one job — USB device monitoring and policy enforcement — and nothing else is possible by design.
The agent never launches cmd.exe, PowerShell, or any shell process. It has no code path that can execute arbitrary commands on the system.
The agent subscribes to Windows USB device arrival and removal events only. It reads no files, watches no network interfaces, and accesses no user data.
The agent is a compiled Go binary with no runtime dependencies. It does not call or require PowerShell, .NET, or any scripting runtime.
All agent releases are code-signed. Windows SmartScreen and enterprise AV solutions can verify the publisher before execution.
The agent runs as a Windows service with only the permissions needed to observe USB events and write to its own log file. No admin rights are required after installation.
The agent initiates outbound MQTT (port 8883) and HTTPS (port 443) connections only. It opens no inbound ports and listens on no local sockets.
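The per-device certificate model described above (one X.509 certificate issued at enrollment, revocable on demand, presented by the agent when it opens its outbound TLS connection) can be illustrated end to end with Go's standard library. The following is an added example written for this page, not PortGuard's code and not AWS IoT Core's implementation: it assumes a hypothetical in-memory enrollment CA, a device that generates its own key pair and sends only the public key, and a broker-side check that chains the presented certificate to that CA, requires the client-authentication key usage, and consults a revocation list. The CA name, serial handling and revocation map are all constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA is a constructed, in-memory enrollment CA standing in for the
// authority behind a managed MQTT broker. Illustration only; a real
// deployment keeps the CA key in an HSM or managed service, not in process.
type DeviceCA struct {
	Cert    *x509.Certificate
	Key     *ecdsa.PrivateKey
	Pool    *x509.CertPool
	revoked map[string]bool // serial numbers revoked since issuance
}

// NewDeviceCA creates a self-signed CA whose only job is signing device certs.
func NewDeviceCA() (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enrollment CA"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &DeviceCA{Cert: cert, Key: key, Pool: pool, revoked: map[string]bool{}}, nil
}

// Enroll issues a leaf certificate bound to a single device ID. The device
// keeps its private key; only the public key reaches the CA.
func (ca *DeviceCA) Enroll(deviceID string, devicePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client-auth only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, devicePub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke marks a device certificate as no longer acceptable, by serial number.
func (ca *DeviceCA) Revoke(cert *x509.Certificate) {
	ca.revoked[cert.SerialNumber.String()] = true
}

// Authenticate is the broker-side decision for a certificate presented in the
// TLS handshake: chain to the enrollment CA, require client-auth usage, then
// reject anything on the revocation list. Returns the device ID on success.
func (ca *DeviceCA) Authenticate(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{
		Roots:     ca.Pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewDeviceCA()
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := ca.Enroll("device-0001", &devKey.PublicKey) // constructed device ID
	id, err := ca.Authenticate(cert)
	fmt.Println("before revocation:", id, err)
	ca.Revoke(cert)
	_, err = ca.Authenticate(cert)
	fmt.Println("after revocation:", err)
}
```

Two properties of the design are worth noting. A certificate minted by any other CA, even one with an identical subject, fails the chain check, so possessing a device ID is not enough to impersonate a device. And revocation takes effect on the next connection attempt without touching the device, which is what makes per-enrollment certificates a cleaner credential than a shared broker password.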
Our compliance roadmap is transparent. Here is where we stand today and what is coming next.
PortGuard collects no personal data from end users. Device IDs and machine names are pseudonymous technical identifiers. Data processing agreements are available on request.
We are implementing the controls and documentation required for SOC 2 Type II certification. Audit is planned for Q4 2026. Contact us for our current controls documentation.
PortGuard inherits AWS physical and infrastructure security controls. AWS is SOC 2, ISO 27001, PCI-DSS, and HIPAA BAA certified. Our business runs on that foundation.
All PortGuard data is stored and processed in AWS us-east-1 (Northern Virginia). Enterprise customers requiring EU data residency should contact us to discuss options.
We take security vulnerabilities seriously and are grateful to researchers who disclose them responsibly. If you have discovered a security issue in PortGuard, please report it to us before public disclosure.
Contact our security team at security@portguard.tech. Please include a description of the vulnerability, steps to reproduce, and the potential impact. We will acknowledge your report within 24 hours and provide a timeline for resolution.
We do not currently operate a bug bounty program, but we recognize researchers publicly in our changelog and security advisories for confirmed vulnerabilities.
Security contact: security@portguard.tech
PGP key: Available on request
Response SLA: 24 hours for acknowledgment, 72 hours for initial assessment
Scope: portguard.tech, app.portguard.tech, api.portguard.tech, the PortGuard Windows agent