What does KollGuard do?

KollGuard connects read-only to your GitHub repositories and databases (Postgres, Supabase), scans them for security gaps, and maps every finding to the controls auditors check. The first scan is free and takes minutes.

Which compliance frameworks does KollGuard support?

Twelve: SOC 2 and HIPAA are asserted directly from the technical checks, while ISO 27001, ISO 27701, PCI DSS, GDPR, NIST CSF, NIST 800-53 (the basis for NIST 800-171 and CMMC), HITRUST CSF, CIS Controls and the Joint Commission (JCAHO) Information Management standards are crosswalked from the same checks.

How is KollGuard different from Vanta, Drata, or Secureframe?

KollGuard actually scans your systems rather than only collecting evidence or sending questionnaires, starts free in minutes, is transparently and affordably priced, and lets vendors prove their posture without sharing source code or credentials.

Can KollGuard monitor my AI agents?

Yes. KollGuard's Agent Watch monitors the AI agents you deploy — MCP servers, CI bots, service accounts, and LLM agents — recording every run as a tamper-evident, hash-chained heartbeat, raising health and behavior-drift alerts, and emailing a nightly digest. It maps agent activity to the same SOC 2 and HIPAA controls as the rest of your security posture, so the AI agents touching your data are continuously monitored for compliance.

Does KollGuard need access to my source code?

No. KollGuard performs read-only checks against repository and database metadata and configuration; it never copies or stores your source code, and credentials are encrypted in a vault.

How much does KollGuard cost?

The first scan is free. Paid plans are Starter at $19.89/month and Growth at $99/month, with custom Enterprise pricing. There are no quote-based contracts to get started.

What counts as PII in a Postgres column?

PII in the US sense is information that can identify a person on its own (SSN, full name + DOB, MRN, email tied to a real person) or in combination (zip + age + gender, the Sweeney study showed). HIPAA's PHI is a tighter standard: any health information tied to an identifier. Most state breach notification laws care about the broader PII category.

Should I scan production data or schema only?

Schema-only first — column names + types are almost always enough to find the real exposure. Scanning row contents requires access controls that often violate the very policies you're trying to enforce. KollGuard's scanner stays at the schema/grants level on purpose.

Will KollGuard touch my row data?

No. The Postgres scanner connects with a read-only role and queries only system catalogs (information_schema, pg_catalog) and metadata views. Row contents of your tables are never read.

Does pseudonymization satisfy HIPAA Safe Harbor?

Pseudonymization (replacing identifiers with tokens) is a mitigation, not Safe Harbor. HIPAA Safe Harbor is a specific de-identification standard (45 CFR §164.514(b)) requiring removal of 18 identifier types AND no actual knowledge that re-identification is possible. Pseudonymization is reversible and therefore typically not Safe Harbor.

Scan Postgres for PII / PHI exposure

The six-step audit

1.Inventory columns by likely PII / PHI shape
Walk every public-schema table and flag columns whose name OR type matches a PII shape: email, phone, ssn, dob, mrn, address, name, ip. Add type heuristics for PHI: diagnosis_*, encounter_*, npi, icd_*, cpt_*. Don't sample row data unless you're allowed to — name + type is enough to triage.
2.Check which of those columns are reachable by the anon role
On Supabase, PostgREST exposes the public schema to anon. A PII column reachable by the anon key is a public PII column. Verify by simulating an anonymous request, or check whether the table has RLS enabled AND a policy that restricts SELECT.
3.Mask or encrypt at rest where the audit requires it
HIPAA §164.312(a)(2)(iv) and PCI DSS 3.4 both expect at-rest encryption for sensitive columns. Postgres pgcrypto + a KMS-managed key, or column-level encryption via pg_tle, satisfy this. Document the key rotation cadence.
4.Restrict the role that backs your app server
Don't connect to Postgres as service_role from your app. Create a dedicated app role with only the grants it needs; revoke SELECT on PII columns from any role that doesn't strictly require them. Auditors will pull pg_roles + grants and check.
5.Audit every read of PII columns
pgAudit's READ class logs SELECTs on specified objects. Enable it for tables holding PII/PHI, ship the logs to a tamper-evident store, and retain 6 years for HIPAA (or your industry's minimum).
6.Disposition exceptions with a justification
Some PII columns must be readable (e.g. an email login flow). Document why — "required for authentication" — alongside the mitigating control (rate-limited, RLS-restricted to the row owner). Auditors accept dispositions when the rationale is written down; what they reject is silence.

Compliance mapping

Framework	Citation	What it expects
HIPAA Security Rule	§164.312(a)(2)(iv)	Encryption at rest for ePHI columns
HIPAA Security Rule	§164.312(b)	Audit log of every read of ePHI
PCI DSS 4	3.4	Render PAN unreadable when stored
SOC 2	CC6.1	Logical access controls (RLS + grants)
GDPR	Art. 32	Pseudonymization & encryption of personal data

Frequently asked

What counts as PII in a Postgres column?: PII in the US sense is information that can identify a person on its own (SSN, full name + DOB, MRN, email tied to a real person) or in combination (zip + age + gender, the Sweeney study showed). HIPAA's PHI is a tighter standard: any health information tied to an identifier. Most state breach notification laws care about the broader PII category.
Should I scan production data or schema only?: Schema-only first — column names + types are almost always enough to find the real exposure. Scanning row contents requires access controls that often violate the very policies you're trying to enforce. KollGuard's scanner stays at the schema/grants level on purpose.
Will KollGuard touch my row data?: No. The Postgres scanner connects with a read-only role and queries only system catalogs (information_schema, pg_catalog) and metadata views. Row contents of your tables are never read.
Does pseudonymization satisfy HIPAA Safe Harbor?: Pseudonymization (replacing identifiers with tokens) is a mitigation, not Safe Harbor. HIPAA Safe Harbor is a specific de-identification standard (45 CFR §164.514(b)) requiring removal of 18 identifier types AND no actual knowledge that re-identification is possible. Pseudonymization is reversible and therefore typically not Safe Harbor.

Scan Postgres for PII and PHI exposure

The six-step audit

1.Inventory columns by likely PII / PHI shape

2.Check which of those columns are reachable by the anon role

3.Mask or encrypt at rest where the audit requires it

4.Restrict the role that backs your app server

5.Audit every read of PII columns

6.Disposition exceptions with a justification

Compliance mapping

Frequently asked

Run the scan on your DB