Document ID: LEG-2026-004 · Effective: January 2026
Prepared by: Office of the General Counsel · Compliance Officer: compliance@cyfr.technology
CYFR maintains a comprehensive compliance program designed to meet the requirements of enterprise customers across regulated industries. The following certifications and frameworks are integral to our information security management system.
CYFR undergoes an annual SOC 2 Type II examination conducted by an independent AICPA-licensed CPA firm. Our examination covers the Security and Availability Trust Services Criteria over a twelve-month audit period. The examination evaluates the design and operating effectiveness of controls relevant to: logical and physical access controls; system operations and monitoring; change management; risk assessment and mitigation; and incident response. The most recent SOC 2 Type II report, covering the period January 1, 2025 through December 31, 2025, was issued with an unqualified opinion. Reports are available to prospective and current customers under a non-disclosure agreement. To request a copy, contact compliance@cyfr.technology.
CYFR's Information Security Management System (ISMS) is certified against ISO/IEC 27001:2022, the international standard for information security management. The ISMS covers the development, operation, and support of the CYFR Platform, including: information security policies; organization of information security; human resource security; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development, and maintenance; supplier relationships; information security incident management; information security aspects of business continuity management; and compliance. Certification is maintained through annual surveillance audits and a triennial recertification audit conducted by an ANSI National Accreditation Board (ANAB) accredited certification body.
CYFR's Platform architecture is designed to support customers subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). CYFR will enter into a Business Associate Agreement (BAA) with covered entities and business associates. The Zero-Knowledge Architecture provides a structural advantage for HIPAA compliance: because CYFR cannot access Customer Data in unencrypted form, the scope of protected health information (PHI) accessible to CYFR is minimized by default. CYFR recommends that healthcare customers configure their deployment to ensure that encryption keys are managed within the covered entity's environment.
CYFR complies with Regulation (EU) 2016/679 (General Data Protection Regulation) with respect to Account Information of Users located in the European Economic Area. CYFR's Data Processing Agreement (DPA) incorporates the European Commission's Standard Contractual Clauses (2021/914/EU) for the transfer of personal data to third countries. The DPA is available for execution by customers upon request. CYFR has appointed a Data Protection Officer reachable at dpo@cyfr.technology. CYFR's processing of Account Information is limited to what is necessary to provide the Platform, consistent with the data minimization principles described in our Privacy Policy.
CYFR complies with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CPRA"). CYFR does not sell or share personal information as those terms are defined under CPRA. CYFR's collection and processing of Account Information falls within the "business purpose" exemptions under CPRA.
CYFR is pursuing Federal Risk and Authorization Management Program (FedRAMP) authorization at the Moderate impact level. The authorization process is ongoing. Government customers requiring FedRAMP-authorized infrastructure should contact CYFR's federal sales team at federal@cyfr.technology for current status and timeline.
CYFR does not store, process, or transmit payment card data within its infrastructure. All payment card processing is handled exclusively by PCI DSS Level 1 compliant third-party payment processors. CYFR's annual PCI DSS Self-Assessment Questionnaire (SAQ-A) is available to customers under NDA.
CYFR commissions independent third-party penetration testing on a quarterly basis. Tests cover: external and internal network infrastructure; web application (OWASP Top 10 and beyond); API endpoints; client-side encryption libraries; and social engineering (annual). Summary reports are available to enterprise customers under NDA. CYFR's bug bounty program accepts responsible disclosures at security@cyfr.technology.
CYFR maintains a current list of subprocessors that may process Account Information in connection with the provision of the Platform. The list includes: infrastructure hosting providers; payment processors; and electronic mail delivery services. Customers may subscribe to subprocessor change notifications by contacting compliance@cyfr.technology. CYFR provides not fewer than thirty (30) days' notice prior to engaging any new subprocessor.
Document Control
LEG-2026-004 · Approved by: General Counsel & Chief Information Security Officer
For audit reports, certifications, or compliance inquiries: compliance@cyfr.technology