Security and Compliance
Reference frameworks
Section titled “Reference frameworks”The platform follows the controls defined by the ISO 27001 and SOC 2 frameworks as a reference for its security practices. Guardline does not hold certification under these frameworks but adopts their controls as the basis for implementing internal policies and processes.
Data isolation
Section titled “Data isolation”The Guardline Suite operates on a single-tenant model. Each institution receives dedicated database and cache instances. There is no sharing of storage or processing infrastructure across tenants.
For institutions with data residency requirements, the platform can be deployed in a specific geographic region or in the institution's internal environment (on-premise).
Data protection
Section titled “Data protection”- LGPD: personal data processing follows the principles and obligations of the Lei Geral de Proteção de Dados Pessoais (Brazilian General Data Protection Law).
- Immutable audit trail: every operation performed on the platform is recorded in an immutable log, available to the institution for audit and regulatory compliance purposes.
- Role-based access control: access to features and data is segmented by user role, module and operation. The institution configures the roles to match its organizational structure.
- Session and password policies: the institution can configure session expiration policies, password complexity requirements and lockout after invalid attempts.
Authentication
Section titled “Authentication”The platform supports local authentication and Single Sign-On (SSO) via two protocols:
- SAML: integration with corporate identity providers that use the SAML 2.0 standard.
- OpenID Connect: integration with identity providers compatible with OpenID Connect.
The institution may choose to use SSO exclusively or in combination with local authentication, according to its access policy.
Regulatory compliance
Section titled “Regulatory compliance”The platform implements controls and features designed for compliance with the following regulations:
- BACEN/BCRA Circular 3.978: AML (Anti-Money Laundering) / CFT procedures, customer identification and due diligence (KYC (Know Your Customer)), transaction monitoring and reporting to COAF/UIF.
- COAF/UIF resolutions: reporting deadlines and formats, information retention as required by the regulator.
- LGPD: processing, storage and protection of personal data under Brazilian law.
- FATF recommendations: adoption of practices aligned with international standards for anti-money laundering and counter-terrorist financing.
The decision engine is configurable per jurisdiction, allowing the institution to adapt rules and flows to the regulatory requirements of each country or operation.