TRUST CENTER

Trust and transparency

Learn more about security and privacy at CyberCoach.

You don't even have to trust us.

It is possible to use CyberCoach without sharing any identifiable personal data outside your organization, though this will affect some aspects of the service (e.g. reporting can only cover users that have opened the application). Every feature in CyberCoach is designed to minimize access to personal and confidential information. 

Security Overview

We are in the business of trust, and our success depends on our ability to maintain the confidentiality, integrity, and availability of information. To support this, we have established an Information Security Management System (ISMS) with the primary objectives of ensuring regulatory and contractual compliance and reducing business risk.

Our security policies are based on the ISO/IEC 27001 standard and are approved and reviewed annually by senior management. We have documented processes and routines to assess and manage information security risks in software development and in collaboration with third parties and subcontractors. At least once a year, we conduct an internal security audit, which checks for compliance with industry standard practices.

Customer data in CyberCoach is minimized and protected by industry and Microsoft cloud infrastructure best practices. Data is only processed on certified Microsoft resources.

Business Continuity

We have documented and implemented business continuity and disaster recovery plans and procedures related to the CyberCoach service. The plan is tested at least once a year.

Information Security Awareness, Education & Training

We maintain a comprehensive, role-based security training program for all employees to ensure that everyone has appropriate knowledge of information security and privacy policies and procedures (including breach detection, management and handling of confidential information).

HR Security

To ensure the integrity and security of our operations, all our new employees undergo a background check and sign a non-disclosure agreement upon joining. These measures are part of our annually reviewed HR security policy.

Third Parties

The current list of third parties is found in our General Terms.

For now, our only subprocessors are:

We do not use third parties for developing or maintaining the CyberCoach service.

Incident Response

We maintain a documented Incident Response Plan that serves as our predefined procedure for handling potential security incidents. This plan is systematically reviewed, tested, and approved by appropriate stakeholders on an annual basis to ensure readiness and effectiveness in responding to security incidents.

Access Management

We apply the following principles in access management:

  • Access is always granted on a least privilege basis.
  • Access is managed according to defined roles and responsibilities.
  • Access to systems requires strong authentication.
  • Each system is assessed for criticality and risks.

Services related to the development and operation of our CyberCoach service are also subject to the following rules:

  • All user IDs are personal and assigned only to designated users.
  • Access to resources requires multi-factor authentication.
  • Suspicious login attempts are monitored by automated alerts.
  • Updates to the CyberCoach Service follow a strict change management process.
  • No subcontractors or consultants are used for the development or maintenance of the CyberCoach product.
  • Log information is stored for 12 months (unless agreed separately).

Asset Management

We are committed to maintaining appropriate asset management practices that span both our virtual and physical assets. Our asset management policy is designed to systematically identify and catalog organizational assets while defining appropriate protection responsibilities and is updated annually.

Infrastructure

CyberCoach infrastructure is hosted by Azure in West Europe. Additional information on Azure infrastructure security can be found at https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure.

We employ infrastructure-as-code (IaC) techniques to securely deploy and manage resources within our operational environment. This enables rapid provisioning and scaling while ensuring that all deployments meet our stringent security standards.

Our production and development environments are maintained as distinct entities to safeguard operational integrity and data confidentiality. Customer data is never used in non-production environments, so development and testing activities cannot compromise data security.

CyberCoach Artificial Intelligence (AI) features

Where is our AI hosted?

Azure West Europe region for our in-house logic; Azure Switzerland North for the Azure Embeddings model.

Is the AI used in the service developed in-house, sourced from an external provider, a combination of both, or other?

We use the Microsoft Azure API to access the embeddings model. The rest is developed in-house.

Is the AI trained or fine-tuned with any data (files, prompts, feedback, usage data) provided by us or generated in connection with our use of the service?

No.

Where and how long is the input and output data stored? Describe retention policies for the input and output data.

The input and output data are not stored.
