Company · Procurement

The contract-side answers, in the shape procurement teams actually request them.

The security Director's procurement conversation usually has three sub-conversations underneath it: MNDA and MSA terms, billing and renewal mechanics, and data-residency and compliance commitments. This page covers all three at standard-procurement altitude. Most SMBs sign on our paper because the terms below clear the typical mid-market procurement bar; minor revisions are negotiable on request.

  • Demo + fit conversation (no paperwork)
  • MNDA signed, both sides (~24-48 hr)
  • 30-day pilot, no fee (data collected)
  • Vendor-risk review, in parallel (SIG / CAIQ / SBOM)
  • MSA + order form signed (legal review)
  • Production deploy (deploy + onboard)

Typical SMB cycle: 4 to 10 weeks from initial demo to signed agreement, depending on legal queue.

The standard path. Vendor-risk review can run in parallel with the pilot; legal review starts when the team is ready.

MNDA terms.

Mutual NDA.

Mutual non-disclosure agreement, mid-market in shape. We can sign on your form or ours; specifics are worked through during the demo and with our legal team before kickoff.

What's covered.

Customer-environment information, pricing, deployment specifics, evaluation findings. Reciprocally: our roadmap, architecture details we share during the demo, and any unpublished benchmarking data. Standard "confidential information" definition with the typical carve-outs (publicly known, independently developed, lawfully obtained from a third party).

MSA shape.

High-level shape only. Specific terms are negotiated per engagement with our legal and finance teams and finalized in the signed agreement.

Contract length.

Annual is the typical initial term. Multi-year terms are available where the customer's budget cycle calls for it. Renewal mechanics are documented in the MSA.

Liability and indemnity.

Liability and indemnity provisions follow standard mid-market security-vendor shape, scaled to the engagement size. We do not carry general-business indemnity. Specifics are in the MSA.

SLA.

Platform availability and support-response SLAs are documented in the MSA appendix. The detection-latency target follows the polling cadence: 30 seconds by default, tunable per deployment, so a longer polling interval lengthens the detection target correspondingly.

Data residency commitments.

Data-residency selection (US, EU, Canada, or fully on-premise) is contractual, not best-effort. The selection is honored for the contract term; migration between regions during the term is a separately scoped engagement.

Termination and data export.

Customer-data export is available on request after termination, in the format you've been receiving during the term. Cloud-side data deletion is certified in writing. The on-premise ESE is your software to decommission on your own schedule.

Billing.

Billing cadence.

Annual upfront is the typical cadence. Alternate cadences can be discussed where the customer's procurement process calls for them.

Pricing model.

RoomIQ: per-room recurring SKU. SpacesIQ: deployment-scale recurring, sized by environment shape (switch count, device count, active framework count). Both annual. Quotes are tailored to the environment; we publish ranges, not list prices.

Renewal pricing.

Renewal pricing is tied to environment scope and is documented in the MSA. Scope changes (additional sites, products, or frameworks) are quoted at renewal.

Payment methods.

ACH and wire transfer for direct invoices. PO accepted where customer procurement requires it.

What we provide for vendor-risk review.

The standard documentation package for procurement-security review is available after MNDA signature. The package covers what most mid-market SMB infosec teams request; if your form requires something not in the package, the additional documentation is scoped at the close of the demo.

  • Architecture and data-flow documentation covering what crosses the boundary and what stays in the customer environment
  • SBOM for the ESE and the cloud control plane (under NDA)
  • Supply-chain disclosure documenting third-party services the platform depends on
  • Vulnerability disclosure policy (public, link in trust center)
  • Insurance certificates (cyber, E&O, general liability) on request
  • Standard vendor-risk questionnaire response (SIG Lite, SIG Core, CAIQ, or your custom form)
  • Security posture statement (self-attested) covering controls aligned with the SOC 2 Trust Services Criteria (formal SOC 2 Type II report on roadmap)

For the SIG Lite / SIG Core conversation.

If your procurement-security review uses a SIG questionnaire, we maintain a current SIG Lite response and complete SIG Core on request. Most SMBs running a mid-market vendor-risk process accept the SIG Lite response without additional follow-up. Larger SMBs and regulated industries (healthcare, financial services) usually request SIG Core; turnaround is 5 to 10 business days from MNDA signature.

Want to see the platform first?

A live demo of the platform and a conversation about whether CybrIQ fits your organization. Legal and finance specifics get worked out between teams after the demo if you decide to move forward.

Book a demo