Compliance & Certifications

CyberVault maintains the highest standards of security compliance and regulatory adherence. Explore our certifications, audit reports, and data protection commitments.

8 Active Frameworks
12 Certifications Held
156 Controls Implemented
100% Audit Pass Rate

Framework Compliance Overview

Real-time status of our compliance across major industry frameworks and regulations.

SOC 2 Type II (Service Organization Control)
Status: Certified | Compliance Score: 100%

Full compliance with SOC 2 Trust Services Criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy.

✓ Logical Access Controls
✓ Change Management
✓ Risk Mitigation
✓ System Monitoring
✓ Incident Response

ISO/IEC 27001:2022 (Information Security Management)
Status: Certified | Compliance Score: 100%

Certified Information Security Management System (ISMS) with 93 controls mapped to Annex A requirements.

✓ Asset Management
✓ Cryptography
✓ Physical Security
✓ Human Resources Security
✓ Supplier Relationships

GDPR (General Data Protection Regulation)
Status: Certified | Compliance Score: 100%

Full compliance with EU data protection regulations including data subject rights, breach notification, and cross-border data transfer mechanisms.

✓ Data Processing Agreements
✓ Right to Erasure
✓ Data Portability
✓ Breach Notification (72hr)
✓ DPO Appointment

HIPAA / HITRUST (Health Insurance Portability & Accountability)
Status: Certified | Compliance Score: 100%

Qualified Business Associate (QBA) with full HIPAA Security Rule compliance and HITRUST CSF certification for healthcare data protection.

✓ BAA Available
✓ ePHI Encryption (AES-256)
✓ Access Audit Logs
✓ Incident Response Plan
✓ Business Continuity

CCPA / CPRA (California Consumer Privacy Act)
Status: Certified | Compliance Score: 100%

Full compliance with California privacy laws including consumer rights to access, delete, and opt-out of data sales and sharing.

✓ Consumer Rights Portal
✓ Do Not Sell/Share
✓ Data Minimization
✓ Retention Policies

FedRAMP (Federal Risk and Authorization Management Program)
Status: In Progress | Compliance Score: 78%

Currently pursuing FedRAMP Moderate authorization. Security Assessment Contractor (SAC) engagement completed; JAB review in progress.

✓ FISMA Controls
✓ Continuous Monitoring
✓ Penetration Testing (Annual)
◐ ATO Package (In Review)

Compliance Frameworks Comparison

Detailed breakdown of our compliance status across all frameworks we support.

Framework | Status | Scope | Last Audit | Next Audit | Certifier
--- | --- | --- | --- | --- | ---
SOC 2 Type II (Security, Availability, Confidentiality) | Certified | Full Platform | March 2025 | March 2026 | Deloitte
ISO 27001:2022 (Information Security Management) | Certified | Full Organization | January 2025 | January 2028 | Bureau Veritas
GDPR (EU Data Protection Regulation) | Compliant | EU Processing | Ongoing | Continuous | Internal + External
HIPAA / HITRUST (Healthcare Data Protection) | Certified | Healthcare Services | February 2025 | February 2026 | HITRUST
CCPA / CPRA (California Privacy Rights) | Compliant | California Residents | Ongoing | Continuous | Internal
PCI DSS 4.0 (Payment Card Industry Data Security) | Compliant | Payment Processing | April 2025 | April 2026 | QSA (Trustwave)
FedRAMP (Federal Security Authorization) | In Progress | Government Services | SAC Report: Q1 2025 | JAB Review: Q3 2025 | FedRAMP JAB
NIST 800-171 (DFARS Cybersecurity Controls) | In Progress | Defense Services | Assessment Pending | Q4 2025 | C3PAO
UK GDPR / DPA 2018 (UK Data Protection) | Planned | UK Processing | — | Q4 2025 | ICO
PIPEDA (Canadian Privacy Law) | Planned | Canadian Operations | — | Q1 2026 | OPC Canada

How We Protect Your Data

Our comprehensive data protection strategy ensures your information remains secure throughout its lifecycle.

Encryption at Rest & In Transit

All data is encrypted using AES-256 encryption at rest and TLS 1.3 for data in transit. Customer-managed encryption keys (CMEK) are available for enterprise clients.

Key Management

Encryption keys are managed through AWS KMS, Azure Key Vault, or HashiCorp Vault with automatic rotation every 90 days. No shared keys between tenants.

Access Control & RBAC

Role-based access control built on the principle of least privilege. Multi-factor authentication is required for all administrative access, and privileged operations use just-in-time access.

Data Residency

Data processing and storage available in US, EU, and APAC regions. Cross-border data transfers use Standard Contractual Clauses (SCCs) and Binding Corporate Rules.

Data Retention & Deletion

Configurable data retention policies aligned with regulatory requirements. Secure deletion using NIST 800-88 guidelines. Automated data lifecycle management.

Audit Logging

Comprehensive audit trails for all data access and modifications. Logs are immutable, tamper-evident, and retained for a minimum of 7 years.

Data Processing Flow

1. Data Collection

Data is collected through encrypted channels (TLS 1.3) with explicit consent tracking and purpose limitation enforcement.

2. Data Classification

Automatic classification using DLP scanning into four levels: Public, Internal, Confidential, and Restricted. Handling rules are applied based on sensitivity level.

3. Encryption & Storage

Data encrypted at rest (AES-256) and stored in geo-redundant, isolated tenant environments. No data mixing between customers.

4. Processing & Analysis

Processing occurs in isolated, air-gapped environments. PII/PHI processing uses differential privacy and synthetic data where possible.

5. Data Retention

Automated retention policies based on data classification and regulatory requirements. Anonymization applied after retention period expires.

6. Secure Deletion

Cryptographic erasure using key destruction. NIST 800-88 compliant sanitization. Deletion certificates provided upon request.

Audit Reports & Certificates

Access our latest audit reports, certificates, and compliance documentation. Request confidential reports through our secure portal.

SOC 2 Type II Report
Deloitte • March 2025

Full SOC 2 Type II audit report covering the period January 2024 – December 2024. Unqualified opinion with no exceptions noted.

v2025.01 • 142 pages

ISO 27001 Certificate
Bureau Veritas • January 2025

ISO/IEC 27001:2022 certification certificate for CyberVault's Information Security Management System. Valid until January 2028.

Cert #BV-2025-4829

HITRUST CSF Report
HITRUST • February 2025

HITRUST Common Security Framework certification covering all HIPAA-relevant controls. Score: 96.8% across 116 controls assessed.

v2025.02 • Level 1+2

PCI DSS Attestation
Trustwave QSA • April 2025

PCI DSS 4.0 compliance attestation covering all payment processing systems. Level 1 merchant compliance achieved.

v2025.04 • SAQ D

Penetration Test Report
CyberVault Red Team • Q1 2025

Internal penetration test results covering application security, infrastructure, and social engineering. All critical findings remediated.

v2025.Q1 • Summary

Vulnerability Assessment
Tenable.sc • Monthly

Continuous vulnerability scanning results across all production environments. Current risk score: Low (2.3/10 CVSS).

v2025.06 • Latest

Security & Privacy Policies

Review our comprehensive security and privacy policies governing data handling, access, and processing.

Privacy Policy

CyberVault is committed to protecting your personal information. This Privacy Policy explains how we collect, use, process, and protect your data in compliance with GDPR, CCPA, and applicable privacy laws.

Data We Collect: We collect personal data only when necessary for service delivery, including account information, usage data, and technical identifiers. We do not sell or share personal data with third parties for marketing purposes.

Your Rights: You have the right to access, rectify, erase, restrict processing, data portability, and object to processing. Submit requests via our Privacy Portal or contact dpo@cybervault.com.

Last Updated: June 1, 2025 | Version: 4.2
Information Security Policy

This policy establishes CyberVault's information security framework, aligned with ISO 27001:2022 and NIST CSF. It defines security objectives, roles, and responsibilities for protecting information assets.

Key Principles: Confidentiality, Integrity, and Availability (CIA triad). Zero Trust Architecture. Defense in Depth. Continuous Monitoring.

Security Controls: Access control, encryption, network security, endpoint protection, vulnerability management, incident response, and business continuity.

Last Updated: March 15, 2025 | Version: 7.1
Data Processing Agreement (DPA)

This Data Processing Agreement governs the processing of personal data by CyberVault on behalf of its customers, in compliance with GDPR Articles 28 and 29.

Scope: This DPA applies to all personal data processed by CyberVault services. Data Controller: Customer. Data Processor: CyberVault.

Key Obligations: Processing only on documented instructions, security measures, sub-processor management, data subject rights support, breach notification within 24 hours, data return/deletion upon termination.

Last Updated: May 1, 2025 | Version: 3.0
πŸ₯

Business Associate Agreement (BAA)

+
This Business Associate Agreement complies with HIPAA requirements for entities that handle Protected Health Information (PHI).

Coverage: Use and disclosure of PHI only as permitted by HIPAA and the contract. Safeguards to prevent unauthorized use or disclosure. Reporting of security incidents within 24 hours. Subcontractor management. Return or destruction of PHI upon termination.

Compliance: CyberVault maintains HITRUST CSF certification and undergoes annual HIPAA compliance audits.

Last Updated: February 28, 2025 | Version: 5.3
Incident Response Policy

This policy defines CyberVault's incident response procedures for detecting, responding to, and recovering from security incidents.

Response Tiers:
• Critical: Response within 15 minutes, containment within 1 hour
• High: Response within 30 minutes, containment within 4 hours
• Medium: Response within 2 hours, containment within 24 hours
• Low: Response within 24 hours, containment within 72 hours

Notification: Customers notified within 1 hour of confirmed Critical incidents. Regulatory notifications per applicable timelines (GDPR: 72hrs, HIPAA: 60 days).

Last Updated: April 10, 2025 | Version: 8.0
Business Continuity & Disaster Recovery

This policy ensures CyberVault can maintain service availability and recover from disruptions through comprehensive business continuity planning.

Key Metrics:
• RTO (Recovery Time Objective): 4 hours for critical systems
• RPO (Recovery Point Objective): 15 minutes for critical data
• Availability: 99.99% uptime SLA

Infrastructure: Multi-region active-active deployment across AWS US-EAST-1, US-WEST-2, and EU-WEST-1. Automated failover with DNS-based routing. Regular disaster recovery drills (quarterly).

Last Updated: January 20, 2025 | Version: 6.2

Team Certifications & Qualifications

Our security team holds industry-leading certifications ensuring the highest level of expertise.

CISSP, (ISC)²
Held by 45+ team members | Active

CEH, EC-Council
Held by 32+ team members | Active

OSCP, Offensive Security
Held by 28+ team members | Active

AWS Security Specialty, Amazon Web Services
Held by 22+ team members | Active

Azure Security Engineer, Microsoft
Held by 18+ team members | Active

FedRAMP ATO, FedRAMP JAB
Expected Q3 2025 | Pending

Compliance Journey

Our ongoing commitment to achieving and maintaining the highest security standards.

January 2025

ISO 27001:2022 Recertification

Successfully completed surveillance audit with zero non-conformities. Certificate renewed through January 2028.

March 2025

SOC 2 Type II Audit Complete

Deloitte completed SOC 2 Type II audit with unqualified opinion. All 5 Trust Services Criteria met with no exceptions.

April 2025

PCI DSS 4.0 Compliance

Achieved PCI DSS 4.0 compliance with Trustwave QSA. All payment processing systems validated.

Q3 2025 (Expected)

FedRAMP JAB Authorization

Targeting FedRAMP Moderate authorization through JAB process. SAC report submitted, JAB review in progress.

Q4 2025 (Planned)

UK GDPR & NIST 800-171

Planning UK GDPR compliance for UK operations and NIST 800-171 for defense contractor requirements.

Q1 2026 (Planned)

PIPEDA Certification

Targeting PIPEDA compliance for Canadian operations to support growing North American client base.

Need Compliance Documentation?

Request access to our confidential audit reports, security assessments, and compliance certificates through our secure portal.