What we'll commit to in writing — and a short list of things we won't.
Most vendor trust pages read like a marketing checklist of capabilities the vendor is "exploring" or "on the roadmap for." That isn't useful to the privacy officer reviewing a procurement file. This page is what's true today, what we'll sign a contract about, and what we explicitly do not claim. If a question your procurement team is going to ask isn't covered here, it belongs on the demo call rather than in a sales conversation.
Data handling.
PHI does not flow through CybrIQ. We do not look at packet contents. Our data comes from your network switches with read-only access. Customer-specific telemetry is encrypted in transit and at rest. Telemetry residency is your choice: U.S., EU, Canada, or on-prem.
Business Associate Agreement.
A BAA is available on request. It is offered for procurement symmetry rather than because our processing posture requires it. Customers who decline the BAA receive the same product behavior.
Access controls.
Customer-facing accounts use enforced multi-factor authentication. Internal access to customer telemetry is restricted by role and audited. Privileged operations are logged.
Subprocessors.
A current subprocessor list is maintained and provided on request as part of the procurement package. Customers are notified in advance of subprocessor changes that affect customer telemetry.
Certifications — honest accounting.
CybrIQ does not currently hold a SOC 2 Type II report. We do not claim one. Our switch-side processing posture (no PHI, no packet observation) reduces the surface area a SOC 2 would speak to, and we would rather be accurate than aspirational. HITRUST certification applies to customer environments, not to inventory tools; our output feeds HITRUST evidence rather than being itself HITRUST-certified.
Incident response.
A defined runbook exists, with notification commitments documented in the master services agreement. The narrow processing posture reduces the breach scenarios that would affect customer data; the runbook still exists for the scenarios that remain.