What CybrIQ commits to on security, supply chain, and data handling. The version your procurement and infosec teams can pull into the vendor-risk review.
Buying continuous-evidence tooling means letting a vendor look at the network. That's a non-trivial trust decision. This page is the standing trust statement: what we collect, where it lives, who can reach it, how we secure it, what we disclose, and what we deliberately won't do. Procurement teams can pull anything on this page into the standard vendor-risk file; if your form needs something not covered below, the additional documentation is provided as a follow-up to the demo.
Data and residency.
What CybrIQ collects.
Device-fingerprint metadata (the signature derived from switch-supplied signals about each device), the inventory of devices observed, drift events (changes to that inventory), and the framework-mapping metadata used to format evidence packs. We do not collect packet payloads, application-layer data, file contents, or user activity.
Where the data lives.
Customer data residency is configurable. Default deployments run in your environment via the ESE (which is on-premise software you operate). Telemetry and operational metadata can be hosted in US, EU, or Canadian regions, or kept fully on-premise if your policy requires it. We don't egress customer device-fingerprint data outside the region you select.
Data retention and deletion.
Active customer data is retained for the contract term plus a 30-day export grace period. Deletion is certified in writing within 60 days of termination. Backups are retained for 90 days post-termination and destroyed on a documented destruction schedule. The on-premise ESE is your software; you decommission it on your own schedule.
What we do not collect.
No packet captures. No DPI of application traffic. No employee activity. No user identity beyond what's needed for our own platform authentication. No customer-environment configuration data beyond what's required to identify devices on switches.
Security posture of the platform.
SOC 2 Trust Services Criteria alignment.
The platform is engineered against the SOC 2 Trust Services Criteria. Formal SOC 2 Type II certification is on the roadmap; we share a written security-posture statement covering the relevant controls under NDA in the meantime.
Security testing.
Security testing is performed against the platform on a documented cadence by qualified personnel. Findings are tracked and remediated; remediation evidence is available under NDA on request. Third-party penetration-test reports will be added to the documentation package as that program matures.
Vulnerability disclosure.
The public vulnerability disclosure policy is published at cybriq.io/security/disclosure.html. The responsible-disclosure process is documented there, with a 90-day disclosure timeline and researcher recognition for verified findings. Bug-bounty program scope and rewards are published on the same disclosure page.
Software supply chain.
An SBOM is available on request for both the ESE and the cloud control plane. Dependencies are tracked and updated on a documented cadence. Third-party libraries are scanned in CI for known vulnerabilities, with severity-driven response timelines. There are no dependencies on services hosted in jurisdictions inconsistent with the customer's data-residency selection.
Encryption.
In transit: TLS 1.3 for all customer-side and control-plane communication; mTLS for inter-service traffic. At rest: AES-256 for all customer data in storage. Key management: cloud-provider-managed KMS in the residency region you select.
Boundary statements.
Three things CybrIQ commits in writing to never do, because they're outside our scope and outside the trust position we want to hold. (1) We do not push configuration changes to your switches in the default deployment. Optional SNMP-driven enforcement is available and ships disabled; if you turn it on, it's gated per event type by your security team. (2) We do not collect packet payloads or application-layer data. (3) We do not share customer environment data with any third party except as required to operate the platform (cloud-provider infrastructure in the residency region you select) or as required by law, with prior customer notice where legally permitted.
Certifications, alignments, and screening.
Patented Device DNA™.
The device-identity mechanism CybrIQ uses is covered by an issued patent. The patent number and full claim language are available under NDA for customers and partners evaluating the technical defensibility of the approach.
NDAA 889 alignment.
The platform itself does not embed any covered telecommunications equipment from the NDAA Section 889 banned-vendor list. Procurement supply-chain documentation is available on request. The platform's own NDAA-screening function (used to detect banned-vendor hardware on customer networks) is updated twice weekly with human review.
Reference-database curation.
The 750M+ device-fingerprint reference database is curated by a human review process, refreshed twice weekly. Curation methodology is documented; we publish the cadence and the QA pipeline that gates entries into the production database.
Need additional documentation for procurement review?
The next step is a live demo of the platform and a conversation about whether CybrIQ fits your environment. Vendor-risk documentation is a follow-up exchange between your procurement-security team and ours.
Book a demo