🛡 Security & Trust

We Take Security Seriously

CyberICS Solutions is built by security practitioners, for security practitioners. Here is an unvarnished look at how we protect your data, your clients, and your exercises.

Last updated: March 2026  ·  Questions? security@cybericsolutions.com

  • Encryption: Encrypted at Rest & In Transit
  • Infrastructure: SOC 2 Certified Infrastructure
  • Payments: PCI DSS Level 1 Payments
  • Platform: SOC 2 Type II In Progress
  • Headers: CSP + HSTS Enforced
  • Access Control: Row-Level Security (RLS)
Data Protection

Encryption & Data Security

All sensitive data is encrypted in transit and at rest using industry-standard cryptographic algorithms.

Credential Encryption · Implemented
All third-party integration credentials stored by the platform are encrypted using industry-standard symmetric encryption with unique initialization vectors before being persisted. Raw credentials are never stored in plaintext.
Transport Security · Implemented
All traffic is served exclusively over HTTPS/TLS 1.3. HSTS (HTTP Strict Transport Security) headers are enforced on all responses, preventing downgrade attacks and ensuring browsers never connect over plain HTTP.
Data at Rest · Implemented
All database storage uses enterprise-grade encryption at rest. Backups are encrypted. No customer exercise data, session history, or credentials are stored in browser local storage beyond session tokens.
Subresource Integrity (SRI) · Implemented
All third-party scripts loaded from external CDNs include cryptographic integrity hashes. The browser verifies the hash before executing any external script, preventing supply chain injection attacks.
API Key Security · Implemented
Platform API keys are stored as one-way cryptographic hashes; we never store the raw key. Only the key prefix is stored for display. The full key is shown once, at creation; if it is lost, it must be regenerated.
Offline Pack Encryption · Implemented
Exported offline exercise packs are encrypted with AES-256-GCM before download. The decryption key is tied to the user's authenticated session, so a pack cannot be opened by an unauthorized party even if it is intercepted.

Application Security

Security Controls & Hardening

Defense-in-depth controls applied across every layer of the application stack.

Control · Implementation · Status

Content Security Policy (CSP) · Live
  Strict CSP headers applied to all responses, restricting script/style/connect sources to known allowlisted origins.
XSS Sanitization · Live
  All user-supplied content is escaped and sanitized before rendering. Input validation and output encoding are enforced across all user-facing rendering paths.
CORS Allowlist · Live
  All Edge Functions enforce an explicit CORS allowlist. Requests from origins not in the allowlist receive a blocked CORS response regardless of JWT validity.
Rate Limiting · Live
  AI functions enforce per-user call limits (coach: 10/session, AI analysis: 5/hr). Webhook delivery is throttled. Prevents abuse and runaway API costs.
Payment Webhook Verification · Live
  Billing webhook events are cryptographically signed and verified before any subscription change is processed. Replayed or tampered events are rejected.
Idle Session Timeout · Live
  Authenticated sessions automatically expire after a configurable inactivity period. The back-button bfcache bypass is mitigated via a page visibility event listener.
Row-Level Security (RLS) · Live
  Every database table enforces row-level isolation policies. Users can only read or write their own records. Cross-tenant data access is prevented at the database layer.
DNS TXT Domain Verification · Live
  SSO domain registration requires cryptographic proof-of-ownership via DNS before any identity provider is activated. Prevents unauthorized domain registration and spoofing.
noindex on Sensitive Pages · Live
  Platform pages (portal, exercise runner, admin tools) carry noindex meta tags to prevent search engine indexing of authenticated-only surfaces.
Penetration Testing · Q2 2026
  Annual third-party penetration test against web application and API surface. First test scheduled Q2 2026. Results summary will be published on this page.
Bug Bounty Program · Planned
  Formal bug bounty program with defined scope and reward tiers. Launch planned alongside SOC 2 Type II completion.

Infrastructure

Infrastructure Security Partners

CyberICS's infrastructure stack is built entirely on SOC 2 and PCI DSS certified providers. We inherit their security controls and undergo their audit programs. Full sub-processor identities are available in our Enterprise Security Package.

Global Edge Hosting Provider · SOC 2 Type II Certified
  Global edge hosting with automatic TLS certificate management. All traffic is encrypted in transit.
Managed Database & Auth Provider · SOC 2 Type II Certified
  Managed database, authentication, and serverless compute. Data encrypted at rest and in transit. Row-level security enforced.
Payment Processor · PCI DSS Level 1 Certified
  Payment processing. CyberICS never handles or stores raw card numbers. All payment data is tokenized by our payment processor.
AI Inference Provider · SOC 2 Type II Certified
  AI processing for analysis and content generation. No customer PII is transmitted to AI inference endpoints, only anonymized exercise content.
Email Delivery Provider · SOC 2 Type II Certified
  Transactional email delivery. Email addresses are used solely for platform notifications and are never shared with or sold to third parties.
DNS Security Provider · SOC 2 Type II Certified
  DNS security services for domain verification and protection.

Identity & Access

Authentication & Access Control

Every access path to customer data is gated by authenticated, role-scoped controls.

JWT Authentication · Live
All API calls require a valid, short-lived session token. Tokens are automatically refreshed on activity. Expired or tampered tokens are rejected server-side before any data access occurs.
Enterprise SSO (SAML 2.0 / OIDC) · Live
Team and Enterprise customers can enforce SSO via SAML 2.0 or OIDC. Domain registration requires DNS TXT proof-of-ownership. OIDC client secrets are encrypted at rest.
Tier-Scoped Access Gates · Live
Feature access is enforced server-side in every Edge Function, not just client-side. A Free-tier user cannot access Pro features by manipulating client state; the server independently verifies authorization on every request.
Multi-Factor Authentication · Available
TOTP-based multi-factor authentication is available to all users. Platform-level MFA enforcement for Team/Enterprise accounts is on the near-term roadmap. Enterprise customers can enforce MFA via their SSO Identity Provider today.

Compliance & Certifications

SOC 2 Type II Roadmap

We are committed to achieving SOC 2 Type II certification and will publish the report summary when complete.

SOC 2 Type II — In Progress

We are currently engaged with a compliance automation platform to implement the required controls for SOC 2 Type II certification. The audit covers Security, Availability, and Confidentiality trust service criteria. Target completion: Q3–Q4 2026.

During the period before certification is complete, we are happy to provide a security questionnaire response and discuss our controls posture directly. Contact security@cybericsolutions.com.

Security (CC) · In Progress
Common Criteria covering logical access, change management, risk assessment, incident response, and monitoring. Core controls already implemented.
Availability (A) · In Progress
System performance monitoring, uptime SLA commitments for Enterprise tier, and incident notification procedures. Our infrastructure providers maintain 99.9%+ uptime SLAs, with automatic failover and redundancy built in.
Confidentiality (C) · In Progress
Data classification, access controls, and encryption controls covering confidential customer exercise data, credentials, and MSSP client information.

Privacy

Data Privacy & Retention

We collect only what is necessary to operate the platform. We do not sell, broker, or share customer data with third parties for advertising purposes.

What We Collect
  • Account email address and display name
  • Exercise session history and After Action Reports
  • Encrypted third-party integration credentials (if configured)
  • Billing information (managed entirely by our payment processor; we never see card numbers)
  • Platform usage logs for security monitoring
What We Never Do
  • Sell or share your data with advertisers
  • Train AI models on your exercise content or responses
  • Store raw payment card numbers
  • Access your credentials (stored encrypted)
  • Share data across MSSP client organizations
Retention & Deletion
Account data is retained for the duration of your subscription plus a 30-day grace period. Upon an account deletion request, all personal data and exercise history are permanently deleted within 30 days. Contact privacy@cybericsolutions.com to request deletion.

Vulnerability Disclosure

Responsible Disclosure Policy

We welcome responsible security research on our platform. If you discover a vulnerability, please report it to us privately before public disclosure.

🔍 How to Report a Vulnerability

Send a detailed report to security@cybericsolutions.com with:

1. Description — A clear description of the vulnerability type (e.g., XSS, IDOR, SSRF, auth bypass)
2. Steps to reproduce — Detailed reproduction steps and any proof-of-concept
3. Impact — Your assessment of what data or functionality is at risk
4. Your contact — So we can keep you informed and credit you if desired

We will acknowledge receipt within 2 business days and aim to remediate critical findings within 14 days. We request that you do not publicly disclose findings until we have had the opportunity to remediate.

Safe Harbor: We will not pursue legal action against researchers who follow this policy and act in good faith. We consider this policy a legal authorization for security research within its defined scope.

Out of scope: Social engineering attacks against CyberICS staff, denial-of-service testing, physical security testing, or attacks against customer accounts without their explicit written consent.

Enterprise Security

Need Full Technical Detail?

We provide a comprehensive security documentation package to qualified enterprise prospects and their security teams.

Security Questionnaire
  Completed responses to standard vendor security questionnaires (VSQ, SIG, CAIQ).
Architecture Overview
  Full technical architecture diagram, data flow, and infrastructure topology under NDA.
Sub-Processor Detail
  Complete sub-processor list with compliance certifications, data residency, and DPA status.
Pen Test Results
  Third-party penetration test executive summary and remediation log (available Q3 2026).

Request the Enterprise Security Package
Shared under mutual NDA with Team and Enterprise prospects. Typical turnaround: 1 business day.

Contact

Security Contact

For security reports, questionnaires, or enterprise security reviews.

🛡 Talk to Our Security Team

Security vulnerabilities, compliance questionnaires, pen test report requests, or enterprise procurement security reviews — we respond within 2 business days.

For general inquiries: info@cybericsolutions.com  ·  Privacy requests: privacy@cybericsolutions.com