What we will commit to in writing.
The trust center for a healthcare-facing vendor should be specific about what is true today, not aspirational about what is planned. This page is the former.
Data handling.
PHI does not flow through CybrIQ. We do not look at packet contents. Our data comes from your network switches via read-only SNMP. Customer-specific telemetry is encrypted in transit and at rest. Telemetry residency is your choice: U.S., EU, Canada, or on-prem.
Business Associate Agreement.
A BAA is available on request. It is offered for procurement symmetry rather than because our processing posture requires it. Customers who decline the BAA receive the same product behavior.
Access controls.
Customer-facing accounts use enforced multi-factor authentication. Internal access to customer telemetry is restricted by role and audited. Privileged operations are logged.
Subprocessors.
A current subprocessor list is maintained and provided on request as part of the procurement package. Customers are notified in advance of subprocessor changes that affect customer telemetry.
Certifications — honest accounting.
CybrIQ does not currently hold a SOC 2 Type II report. We do not claim one. Our switch-side processing posture (no PHI, no packet observation) reduces the surface area a SOC 2 would speak to, and we would rather be accurate than aspirational. HITRUST certification applies to customer environments, not to inventory tools; our output feeds HITRUST evidence rather than being itself HITRUST-certified.
Incident response.
A defined incident-response runbook exists, with notification commitments documented in the master services agreement. The narrow processing posture reduces the breach scenarios that would affect customer data; the runbook still exists for the scenarios that remain.