Security and compliance for Guru knowledge management

Guru has been built from the ground up with security in mind. Our founding team has decades worth of experience building out cloud data integration systems for some of the largest enterprises in the world with industry leading security measures.

Security trusted by:

Security Features

Data encryption in transit and at rest
SAML-based SSO
SCIM provisioning
Granular app management
IP Whitelisting

International security compliance certifications and regulations

SOC 2 Type 2

Guru uses an independent third party to conduct a SOC 2, Type II audit on its knowledge management system. This audit covers the SOC 2 Common Criteria and the Confidentiality and Privacy trust services criteria. We’re happy to share this report with clients or prospects with a signed non-disclosure agreement on file.

PCI Compliant

Guru does not process PCI data, but uses a third party for payment purposes. Accordingly, Guru conducts an annual Self Assessment Questionnaire (A-EP) and scans its public-facing connections monthly for security vulnerabilities.

GDPR Ready

Guru takes the data handling of our EU customers seriously. Before the GDPR became enforceable in May 2018, we'd already added multiple processes to our security control framework and required our subprocessors to commit to security minimums through Data Processing Agreements. We're ready to meet data subject requests wherever and whenever they happen and we abide by the European Commission’s standard contractual clauses.

lock emoji
EU - U.S. Privacy Shield

Guru complies with the EU-U.S. & Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Dept of Commerce regarding the collection, use, and retention of personal information transferred from the EU and Switzerland to the U.S. Guru has certified to the U.S. Dept of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in our privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. (To learn more about the Privacy Shield program, and to view our certification, please visit

Also, in compliance with the Privacy Shield Principles, Guru commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Guru at, and refer unresolved complaints to the International Centre for Dispute Resolution, located in New York, USA. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit the ICDR for more information or to file a complaint. The services of the ICDR are provided at no cost to you.

Guru is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and under certain conditions, individuals may invoke binding arbitration against Guru in cases of onward transfers that do not comply with Privacy Shield. Guru remains liable under Privacy Shield if it processes personal information in a manner inconsistent with the Principles of Onward Transfer (unless we can demonstrate the event giving rise to the damage was not caused by Guru).

Security FAQs

Do you have security policies and procedures?

We have a control framework based on the Center for Internet Security Controls, covering a wide compliance spectrum and ensuring we’re focused on the right things.  We have nine separate policies that govern the following:

  • Security and Privacy Roles
  • Risk Management
  • Asset Management and Protection
  • Data Classification/Handling/Transmission
  • Data Recovery and Business Continuity
  • User Access Management
  • People and Training
  • Product Development and Change Management
  • Supplier Relationships
How do you administer your security program?

The program is run by a dedicated risk and compliance manager who works in tandem with executive leadership and subject matter experts to codify procedures and ensure execution.

How do I know your security program is working?

Guru hires an independent audit firm to conduct an annual SOC 2, Type II audit, which includes not only the Common Criteria, but the Confidentiality and Privacy trust services criteria too.

Do you conduct a risk assessment at least annually?

Yes. We look at changes in the product line, the regulatory environment and the cyber threat. We assign risk scores and ensure executive leadership is routinely engaged in risk mitigation.  These steps are verified in the annual SOC 2 audit.

Where does my data live?

Guru’s infrastructure is hosted exclusively by Amazon Web Services (AWS), and all data in transit and data at rest is encrypted using the most up-to-date protocols (specifically TLS V1.2 and AES-256).

How does my data flow through your system?

Guru ingests and uses customer data in slightly different ways depending on how the service is configured, but here’s a very high level explanation of how the system works

  • Registering for the service requires a user’s first name, last name and corporate e-mail address
  • Knowledge Base - Users author original content within the application hosted by Guru
  • Extension - The Guru browser extension is used to display Guru content on websites that you use
  • Slack bot - Users interact with the slack bot through explicit actions and direct messages.
  • AI Suggest - If AI Suggest is enabled by the Guru administrator, the Guru Extension will be configured to inspect specific web applications and utilize content on the web pages to make suggestions. The content of the specific web page is passed to Guru's AI models in AWS for storage and prediction analysis.
How do you ensure no other client sees my data?

Customer data is stored in multi-tenant datastores and assigned a unique tenant token, which prevents one customer from accessing another customer's data.

How do you ensure no unauthorized Guru employees see my data?

Production access is limited to a small group, and is granted through explicit signed permission from the CTO.  An account review is done quarterly and documented accordingly.

Do third parties have access to my data?

In addition to AWS, Guru uses some third parties to perform certain components of its operations.  Only vendors who have successfully demonstrated sufficient security capabilities and commitments are authorized to support the Guru system.  

How do you assess third parties before and during their service?

Any vendor with the potential to access sensitive client data is required to provide an external audit or, at a minimum, submit to a risk interview and demonstrate best security practices. These artifacts are refreshed annually to ensure no lapse in oversight.  Moreover, each vendor is required to sign a Data Processing Agreement and contractually commit to data security practices.

Do you scan your network and your application for vulnerabilities?

Our public facing network is scanned monthly for certificate currency, open ports and protocols and security headers. Our application containers are scanned through AWS prior to deployment to discover and address vulnerabilities.

Is your application penetration tested?

Yes. The application is routinely pen tested by an outside agency no less than twice per year to reveal common OWASP vulnerabilities. An executive summary is available upon request.

Describe your data backup and recovery system.

We copy our database daily and save it to a disaster recovery site in an entirely separate region. We run a daily integrity check on that backup to make sure it’s usable if needed. The recovery point objective is 1 hour, with a recovery time objective of 24 hours.

Do you have an incident response program?

Guru maintains a comprehensive incident classification and response procedure, rehearsing  potential incidents twice annually through a formal tabletop exercise.  Participants capture lessons learned and constantly strive to make the program better.  Though highly unlikely, any data breach would be communicated to a client’s Guru administrator within 24 hours of confirmation.

Do you perform security reviews during development?

Security is baked into the coding process, and a number of checks are performed to validate new code prior to deployment. Also, Guru’s developers undergo specialized security training to address common vulnerabilities such as Cross Site Scripting and SQL injection.

Are you ready to support privacy laws like CCPA and GDPR?

Guru fully respects both established and emerging privacy regulations and has created the necessary processes to support the rights of data subjects. Guru offers a Data Protection Agreement and contractually agrees to support any and all emerging privacy regulations as they apply to the service.  Third parties are also required to document their security commitments consistent with laws and regulations.

Is Guru HIPAA compliant?

Guru takes your medical privacy and security needs seriously, and while we are prepared to enter into a Business Associate Agreement for HIPAA compliance, we would first ask you to consider the likelihood that the Guru platform will ever consume, process, or store electronic protected health information. If you believe there's a reasonable chance that such personal data will find its way into the system, we are willing to provide a boilerplate BAA as Guru's signed assurance we will abide by the applicable HHS mandates for safeguarding your data.

Check out our privacy documentation

Request a copy of our SOC 2 Report or feel free to contact us @

Say hello to Wes

He's our Risk and Compliance Manager. He worries about security so that you don't have to. Learn more about Wes's role in security at Guru on our blog.
A doodle of various shapes representing bits of knowledgeA doodle of pointing arrows

Ready to get Guru?

It's free and easy to get started. Start your trial today to ensure your company’s knowledge is easy to find, use, and share.
Get started free
Request a demo