Security Policy
Last updated: March 2026
1. Our Security Commitment
CyberneticsPlus Services Private Limited is a cybersecurity company. We hold ourselves to the same rigorous standards we recommend to our clients. Protecting the confidentiality, integrity, and availability of our own systems — and any client data entrusted to us — is a core operating principle, not an afterthought.
This Security Policy describes the controls, practices, and commitments that govern how CyberneticsPlus secures its infrastructure, handles sensitive information, and responds to security incidents.
2. Responsible Disclosure & Bug Bounty
We welcome responsible security researchers who identify vulnerabilities in our systems or services. If you believe you have discovered a security issue affecting CyberneticsPlus infrastructure or products, please report it to us promptly and in good faith.
How to report: Send a detailed report to security@cyberneticsplus.com. Please include:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce the issue (proof-of-concept code or screenshots where applicable).
- The affected URL, endpoint, or component.
- Your contact information for follow-up.
Our commitments to researchers:
- We will acknowledge receipt of your report within 5 business days.
- We will investigate and provide a status update within 15 business days.
- We will not pursue legal action against researchers who act in good faith and comply with this policy.
- We observe a 90-day disclosure window: we ask that researchers refrain from public disclosure for 90 days from our acknowledgement to allow us to remediate. If remediation requires more time, we will communicate this and negotiate a reasonable extension.
Out-of-scope activities include: denial-of-service attacks, social engineering against our staff, physical attacks, and testing systems belonging to our clients without their explicit consent.
3. Encryption
CyberneticsPlus implements strong encryption standards throughout its infrastructure:
- Data in transit: All communications between clients and our web properties are encrypted using TLS 1.3. We enforce HTTPS across all domains and apply HTTP Strict Transport Security (HSTS) headers. TLS 1.0 and 1.1 are disabled.
- Data at rest: Sensitive data stored on our servers is encrypted using AES-256. This includes any client engagement data, contact form submissions, and internal credentials stored in our secret management systems.
- Key management: Encryption keys are managed using dedicated key management infrastructure with strict access controls and rotation policies.
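The transport-layer claims above (TLS 1.3 offered, TLS 1.0 and 1.1 refused, HSTS present on every domain) can be verified from the outside by anyone, including a researcher preparing a report under section 2. The script below is an added example, not CyberneticsPlus tooling; it uses only the Python standard library and takes the hostname to check from the command line. The one-year HSTS threshold and the requirement for includeSubDomains are this example's assumptions (they mirror the preload-list minimum), not figures stated in the policy.

```python
"""Client-side checks for the transport-security claims above.

Added example, not CyberneticsPlus code. Checks a host for: TLS 1.3
negotiable, TLS 1.0/1.1 refused, and an adequate Strict-Transport-Security
header. The threshold constants are assumptions chosen for this example.
"""
import http.client
import socket
import ssl
import sys

HSTS_MIN_MAX_AGE = 31_536_000  # one year; assumed threshold (the preload-list minimum)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directive names are case-insensitive (RFC 6797) and are lowercased here.
    Valueless directives map to True; max-age maps to an int. Returns None if
    max-age is not a plain integer, so callers treat a malformed header as absent.
    """
    result = {}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            result["max-age"] = int(arg)
        else:
            result[name] = True
    return result


def hsts_adequate(value, min_max_age=HSTS_MIN_MAX_AGE):
    """True if the header pins HTTPS for at least min_max_age and covers subdomains."""
    parsed = parse_hsts(value) if value else None
    if not parsed or "max-age" not in parsed:
        return False
    return parsed["max-age"] >= min_max_age and parsed.get("includesubdomains", False)


def negotiated_version(host, port=443, minimum=ssl.TLSVersion.TLSv1_2,
                       maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED):
    """Handshake with the server offering only [minimum, maximum].

    Returns the negotiated version string (e.g. 'TLSv1.3') or None if no
    handshake completed. Caveat: None also results when the local OpenSSL
    build itself cannot offer the requested range, so a 'legacy refused'
    result should be confirmed with a dedicated scanner before reporting it.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = minimum
        ctx.maximum_version = maximum
    except ValueError:
        return None  # local library refuses this version range outright
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def fetch_hsts(host, port=443):
    """Return the Strict-Transport-Security header from a HEAD / request, or None."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def check_host(host):
    """Evaluate the three policy claims for one host; each value is True when the claim holds."""
    modern = negotiated_version(host, minimum=ssl.TLSVersion.TLSv1_3)
    legacy = negotiated_version(host, minimum=ssl.TLSVersion.TLSv1,
                                maximum=ssl.TLSVersion.TLSv1_1)
    return {
        "tls13_offered": modern == "TLSv1.3",
        "legacy_tls_refused": legacy is None,   # see caveat in negotiated_version
        "hsts_adequate": hsts_adequate(fetch_hsts(host)),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hostname is supplied by the user
    for claim, holds in check_host(target).items():
        print(f"{claim}: {'OK' if holds else 'FAIL'}")
```

Run it as `python tls_check.py www.example.com` against the domain you intend to test. The HEAD request is made to `/` only; a redirect response still counts, because HSTS must be sent on every HTTPS response, but a header present only on a deeper path would be missed, which is itself a finding worth raising.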
4. Access Controls
We apply the principle of least privilege across all systems and team member accounts:
- Multi-Factor Authentication (MFA): MFA is mandatory for all team members on every system, platform, and service used by CyberneticsPlus — including email, cloud consoles, code repositories, and client portals. There are no exceptions.
- Least privilege: Access rights are granted on a need-to-know, need-to-access basis. Team members receive only the minimum permissions required to perform their role. Privileged access to production systems requires additional justification and approval.
- Quarterly access reviews: We review all access rights every quarter and revoke permissions that are no longer required by a team member's role. Offboarding does not wait for the next review: access for departing employees and contractors is revoked within 24 hours of their departure.
- Privileged access management: Administrative credentials are stored in a dedicated secrets vault with full audit logging. Direct root or administrator access to production systems is prohibited outside of documented change procedures.
5. Incident Response
CyberneticsPlus maintains a documented Incident Response Plan (IRP) that is reviewed and tested annually. In the event of a confirmed security incident:
- Detection and triage: Security events are monitored continuously via our internal SOC tooling. Alerts are triaged and escalated based on severity.
- Containment: Affected systems are isolated promptly to prevent further damage or data exposure.
- Client notification: If a security incident affects or may affect client data, CyberneticsPlus will notify affected clients within 24 hours of confirming the breach. Notifications will include the nature of the incident, data affected, steps taken, and recommended actions for clients.
- Regulatory notification: Where applicable, we will notify relevant supervisory authorities within the timeframes required by law (e.g., within 72 hours under GDPR).
- Post-incident review: Every significant incident is followed by a formal post-mortem to identify root causes and implement improvements.
6. Third-Party Security
CyberneticsPlus carefully evaluates the security posture of all third-party vendors and service providers before onboarding them. Our vendor assessment process requires:
- Review of the vendor's security certifications. We prefer vendors certified against or aligned with ISO/IEC 27001 or SOC 2 Type II.
- Completion of a vendor security questionnaire covering data handling, access controls, and incident response.
- Review of the vendor's data processing agreement (DPA) where personal data is involved.
- Annual re-assessment of critical vendors.
We maintain a vendor register listing all third-party providers with access to our systems or client data. Any vendor that fails to meet our security bar is not onboarded.
7. Penetration Testing
We conduct an annual third-party penetration test of our own infrastructure, web properties, and internal systems. These tests are performed by qualified external security firms independent of CyberneticsPlus to ensure objectivity.
Test findings are triaged by severity, assigned to owners, and remediated within defined SLAs: critical findings within 24 hours, high findings within 7 days, medium findings within 30 days. Remediation is verified and retested before findings are closed.
We also conduct ongoing internal vulnerability scans and use automated security tooling in our CI/CD pipelines (SAST, DAST, dependency scanning) to catch issues before they reach production.
8. Data Handling
We treat client data with strict confidentiality and minimal retention:
- No retention beyond the engagement: Client systems, credentials, network diagrams, and sensitive artefacts collected during an engagement are not kept beyond the engagement period. All engagement data is securely deleted within 30 days of the final deliverable being accepted by the client, unless a longer retention period is explicitly agreed in writing.
- Secure deletion: Deletion of sensitive data follows NIST SP 800-88 guidelines for media sanitisation. Cryptographic erasure is applied where applicable.
- Data minimisation: We collect only the data necessary to deliver the contracted service. We do not request or retain data beyond what is operationally required.
- No data brokering: Client data is never shared with, sold to, or accessed by any third party without the client's explicit written consent.
9. Contact for Security Issues
For responsible disclosure reports, security questions, or to request our latest security documentation, please contact our dedicated security team:
Security Team — CyberneticsPlus Services Private Limited
Email: security@cyberneticsplus.com
PGP key available upon request.
For general enquiries, please contact info@cyberneticsplus.com or visit our contact page.