
Most data breaches aren't dramatic. A pipeline quietly copies a sensitive field into a place it was never meant to go, and nobody notices until it matters. Guardian exists to make that class of mistake impossible by default.
Policy that travels with the data
Guardian attaches policy to signals themselves, not to the systems that happen
to hold them. A field tagged carries its handling rules wherever it
flows — across services, regions and storage tiers.
- Classification happens at ingestion, automatically.
- Enforcement happens at every hop, not just at the edge.
- Violations are blocked and reported in the same breath.
Defining a rule
Rules are plain, reviewable declarations:
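```js
import { policy } from '@axebee/guardian'

export const piiResidency = policy({
  // Applies to any field tagged 'pii'.
  match: { tags: ['pii'] },
  // Regions where matching fields are allowed.
  allow: { regions: ['eu-west-1', 'eu-central-1'] },
  // Block on violation.
  onViolation: 'block',
})
```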
Because rules are code, they live in review, in version control, and in your CI pipeline — not in a console nobody audits.
What gets enforced
| Stage | Without Guardian | With Guardian |
|---|---|---|
| Ingestion | Manual tagging | Automatic classification |
| Transit | Best-effort | Policy enforced per hop |
| Egress | Discovered after the fact | Blocked in real time |
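
To make the "per hop" row concrete, here is an added example (a stand-alone model, not Guardian's code or API) that checks a rule shaped like `piiResidency` at every hop of a route. The names `evaluateRoute` and `ruleApplies`, the hop objects and the sample route are assumptions made for illustration.

```javascript
// Added illustration: a stand-alone model, not the @axebee/guardian API.
// The rule object mirrors the shape of piiResidency shown on this page.
const piiResidencyRule = {
  name: 'piiResidency',
  match: { tags: ['pii'] },
  allow: { regions: ['eu-west-1', 'eu-central-1'] },
  onViolation: 'block',
};

// A rule applies to a field when the field carries any tag the rule matches.
function ruleApplies(rule, field) {
  return field.tags.some((tag) => rule.match.tags.includes(tag));
}

// Walk a field along its route (hypothetical hop list) and check every hop,
// not only the last one. Stops at the first blocking hop and records why.
function evaluateRoute(rules, field, route) {
  const delivered = [];
  const violations = [];
  for (const hop of route) {
    const broken = rules.filter(
      (rule) => ruleApplies(rule, field) && !rule.allow.regions.includes(hop.region)
    );
    for (const rule of broken) {
      violations.push({ rule: rule.name, field: field.name, hop: hop.name, region: hop.region });
    }
    if (broken.some((rule) => rule.onViolation === 'block')) {
      return { delivered, blockedAt: hop.name, violations };
    }
    delivered.push(hop.name);
  }
  return { delivered, blockedAt: null, violations };
}

// Constructed sample data. The final destination is in an allowed region, so a
// check at the last hop alone would pass; the middle hop is the violation.
const route = [
  { name: 'ingest', region: 'eu-west-1' },
  { name: 'analytics-cache', region: 'us-east-1' },
  { name: 'warehouse', region: 'eu-central-1' },
];
const email = { name: 'email', tags: ['pii'] };
const pageViews = { name: 'page_views', tags: [] };

console.log(evaluateRoute([piiResidencyRule], email, route));
console.log(evaluateRoute([piiResidencyRule], pageViews, route));
```

The tagged field stops at the out-of-region cache with a violation record attached, while the untagged field passes through all three hops.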
Guardian ships with the Unified Signals Platform. Existing customers can enable it per pipeline today.
