The reverse questionnaire we expect you to run on us.
How we protect customer data, run engagements, store findings, and stand behind our own security posture. The same diligence you do on a SOC 2-bound vendor — answered up front.
How we operate before a single test packet is sent.
- NDA before scoping. A mutual NDA is signed before the scoping call when any customer information leaves your environment. The scoping call itself does not require live system access.
- Engagement letter before testing. No testing happens before a signed engagement letter is in place. The letter defines what is in and out of scope, who is authorized to test, and the rules of engagement.
- Authorization in writing. Penetration testing is performed under a signed agreement only. We require named authorized contacts before any testing activity reaches your systems.
- Tester credentials. Every engagement is led by a tester holding one or more of the OSCP, OSWE, GPEN, or GWAPT credentials. Credentials are verifiable on request via the issuing body.
- Senior throughout. A senior tester runs the engagement end-to-end, and findings are reviewed by a second senior before delivery. No offshored junior staffing.
What happens to your data during and after an engagement.
- Customer data minimization. We collect only what is necessary to perform the engagement — scope, contacts, environment topology, and (when authenticated testing is in scope) test-user credentials. No production data is extracted unless it is the subject of a specific finding, and never beyond what is required to demonstrate the finding.
- Engagement artifacts. Test artifacts (notes, evidence, screenshots, recordings) are stored on encrypted, access-controlled storage during the engagement and destroyed within 90 days of report acceptance, unless customer retention policy requires longer.
- Customer credentials. Test credentials provided for authenticated engagements are stored in an enterprise password manager, accessed only by the engagement team, and rotated or invalidated immediately at engagement close.
- Findings disclosure. Findings are delivered exclusively to your designated contacts. Findings are not shared with any third party — including auditors — unless you explicitly authorize the sharing in writing.
- Public disclosure. We do not publish anonymized engagement excerpts, blog posts, conference talks, or case studies referencing your engagement without written customer authorization.
The vendors who can touch engagement data.
A minimal subprocessor list — we do not use third-party CRMs, analytics platforms, or AI-tool providers for any engagement workflow that touches customer data.
| Subprocessor | Use | Region |
|---|---|---|
| Google Workspace | Email, calendar, document collaboration for engagement coordination. | US (multi-region) |
| Cloudflare Pages | Public website hosting (cyberguards.ai). | Global edge |
| 1Password (Enterprise) | Encrypted storage of customer test credentials during active engagements. | US / CA |
| GitHub | Source control for testing tools and engagement-specific scripts. | US |
We hold ourselves to the same expectations we test against.
- SOC 2 Type II (own)
  - Status: In progress — target completion within the current fiscal year. An annual third-party penetration test of our infrastructure is a control we hold ourselves to.
  - Evidence: Letter from auditor available under NDA once Type II is issued.
- Penetration test (own infrastructure)
  - Status: Annual cadence. Performed by an independent third party — never by ourselves.
  - Evidence: Attestation letter available under NDA.
- Background checks (testers)
  - Status: Pre-employment background checks on all tester staff, re-run annually.
  - Evidence: Confirmation letter available under NDA.
Found something on our infrastructure?
If you have identified a security issue in cyberguards.ai or any related CyberGuards-owned surface, please email [email protected] with details. We acknowledge inbound reports within five business days and work in good faith with researchers who act in good faith.
For our full security and disclosure policy, see /security.
Need a signed customer questionnaire response?
We answer security questionnaires (SIG, CAIQ, custom) under mutual NDA within five business days of receipt.