Trust
A single page for the things buyers, security reviewers, and auditors need to know about how we run the platform. Last updated: 2026-04-26.
Data residency
Customer data is stored in our production environment hosted on a third-party cloud infrastructure provider in the United States. Backups live in the same region. We do not knowingly transfer customer data outside the United States without notice to the account owner. If you have a regulatory requirement that mandates a specific region, contact us before signing.
Encryption
- In transit: TLS 1.2 or higher for every external connection. HSTS enforced on cyberheera.com and app.cyberheera.com.
- At rest: AES-256 for the production database, object storage, and backups. Per-tenant encryption keys are roadmapped and not yet shipped.
- Authentication: short-lived JWT access tokens with refresh-token rotation; SAML 2.0 and OIDC for single sign-on; SCIM 2.0 for identity provisioning. Passwords stored as Argon2id hashes for accounts that do not use SSO.
Access controls
- Role-based access control with least-privilege defaults. Tenant administrators can scope roles per module.
- Audit log entries for every action that modifies or exposes data, written to a tenant-scoped audit table that the customer can read and export.
- A two-step consent gate sits in front of every destructive or high-blast-radius action. Each consent is single-use and expires after 90 seconds. The platform refuses to act on a stale or replayed consent.
- Production access for CyberHeera personnel is limited to the on-call engineer and one backup. All production access is logged.
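The consent-gate properties listed above (single-use, 90-second expiry, refusal of stale or replayed consents) can be sketched as follows. This is an added example, not CyberHeera's code; the class, the method names, and the binding of each consent to actor, action and target are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CONSENT_TTL_SECONDS = 90  # expiry window stated on the page


class ConsentGate:
    """Hypothetical two-step gate: request_consent(), then execute()."""

    def __init__(self, clock=time.monotonic):
        self._key = secrets.token_bytes(32)  # per-process MAC key (assumption)
        self._pending = {}                   # nonce -> (binding MAC, expiry time)
        self._clock = clock                  # injectable so expiry can be tested

    def _bind(self, nonce, actor, action, target):
        # Tie the consent to who, what and which object, so a consent
        # granted for one action cannot authorise a different one.
        msg = "\x1f".join((nonce, actor, action, target)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def request_consent(self, actor, action, target):
        """Step 1: issue a consent token for one specific action."""
        nonce = secrets.token_urlsafe(16)
        expires_at = self._clock() + CONSENT_TTL_SECONDS
        self._pending[nonce] = (self._bind(nonce, actor, action, target), expires_at)
        return nonce

    def execute(self, nonce, actor, action, target):
        """Step 2: consume the token and return (allowed, reason)."""
        # pop() removes the token before any check, so it is spent
        # whether or not the checks below pass: no second attempt.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False, "unknown_or_replayed"
        mac, expires_at = entry
        if self._clock() >= expires_at:
            return False, "expired"
        if not hmac.compare_digest(mac, self._bind(nonce, actor, action, target)):
            return False, "binding_mismatch"
        return True, "ok"
```

With more than one application node, the pending-consent store would need to be shared and the lookup-and-delete atomic, otherwise the same token could be accepted once per node.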
Incident response
We will notify affected customers of a confirmed personal-data breach within 72 hours of discovery, in line with the GDPR notification window, and within the timeframes required by any other applicable law. Notifications go to the account owner email and, where the order form provides one, the security contact.
Found something we should know about? Email security@cyberheera.com. We acknowledge security reports within one business day.
Sub-processors
We use a small set of third-party processors:
- Cloud infrastructure provider (US region) for compute, storage, and backups.
- Resend for transactional email delivery (account verification, password reset, contact-form forwarding).
- Stripe for payment processing where applicable to your subscription.
- Identity providers you choose to integrate (Microsoft Entra ID, Okta, Google Workspace, etc.) for SSO and SCIM. These see only the identity data your tenant configures them to see.
The full sub-processor list, with the categories of data each one sees, is also documented in our Privacy Policy. Changes are communicated to account owners in advance.
Compliance roadmap
We do not yet hold any third-party compliance attestation. We are designing for the audits below. We will post status updates here as we progress and will not claim any of these until the report is in our hands.
- SOC 2 Type I: planned. Pre-audit readiness work in progress.
- SOC 2 Type II: planned, after Type I.
- ISO/IEC 27001: planned.
- HIPAA: not pursuing yet. We will reassess when a customer use case requires it; until then, do not store regulated PHI in the platform.
- FedRAMP: not pursuing yet.
Privacy
See our Privacy Policy for the full breakdown of what data we collect, why, retention windows, sub-processors, and your rights as a data subject under the GDPR and CCPA.
Contact
Security questions or vulnerability reports: security@cyberheera.com. Privacy questions or data subject requests: privacy@cyberheera.com.