What we see, what we do not see, and what we do with the information.
This page is the substantive privacy posture for CybrIQ in education environments. It is meant to be readable by a privacy officer or by a board member, not just by a lawyer.
What CybrIQ sees on your network
Our External Scan Engine reads each managed switch via SNMP with read-only credentials. The data we capture per port:
- The MAC address of the device on the port
- The link-negotiation pattern (speed, duplex, autonegotiation timing)
- LLDP and CDP advertisements when the device emits them (vendor name, model, firmware version)
- Port statistics (utilization, error rate, link history)
- VLAN context
From this we identify the device's vendor and model. We do not capture, store, or transmit:
- Traffic content (we are not inspecting packets)
- User credentials or session tokens
- The contents of any application running on a device
- Any data from the institution's SIS, LMS, gradebook, library system, or IEP system
- Personally identifiable information about students, faculty, or staff
FERPA and student records
CybrIQ is not a FERPA "school official with legitimate educational interest" because we do not see FERPA-protected education records. The FERPA article walks through the analysis in detail. The short version: our scope ends at the network layer, beneath the systems that hold student records.
COPPA
CybrIQ is not a COPPA-covered operator because we do not collect personal information from children under 13 (or from anyone). Our identification is of devices on the network, not of the people using them.
Where data lives
The CybrIQ External Scan Engine runs on a customer-installed VM inside the institution's network. The main instance hosts the inventory database and the export pipeline. By default the main instance is CybrIQ-hosted in the cloud (US-region, SOC 2 Type II audited). Institutions with stricter data-residency requirements can deploy the main instance on-premise.
Either deployment shape, the data flow is:
- The ESE reads switch metadata from the customer network.
- The ESE sends device-identification records to the main instance over SSL.
- The main instance stores the inventory and produces exports on the customer's request.
- Exports are downloaded by the customer or pushed to the customer's existing systems (ServiceNow, SIEM, NAC, GRC).
CybrIQ does not transmit inventory data to any third party. We do not sell, share, or rent customer inventory data. The data is the customer's; we are operating it on their behalf.
Cookies and tracking on this website
This website uses minimal first-party analytics (page views, referrers, anonymized country) for the purpose of understanding which content visitors find useful. We do not run third-party advertising networks, do not deploy retargeting pixels, and do not enroll visitors in marketing automation. The cookie notification at the bottom of the page covers the technical detail.
What we do with email contents
If you email us through the working-session form or directly, we use the contents only to respond to the conversation you started. We do not enroll your email address in newsletters, marketing automation, or remarketing. We do not sell or share your email contents with any third party. If you ask us to forget your email after the conversation, we do.
Customer data subject requests
If a student, parent, or staff member at a CybrIQ-deployed institution asks the institution for their data record, the institution can review the CybrIQ inventory and confirm that we hold no personal information about that individual. The MAC address of a device the individual once used is not personal information about the individual; it is metadata about the device. We do not maintain any device-to-person mapping.
Audit and compliance posture
CybrIQ holds SOC 2 Type II, ISO 27001, ISO 27017, and ISO 27018 certifications. CybrIQ does not currently hold FedRAMP authorization. The on-premise deployment shape is the right answer for institutions that require fully air-gapped or FedRAMP-equivalent operating modes.