Security & Compliance
Last updated: February 12, 2026
Security Overview
At CyberCore, security is not just a feature — it is the foundation of everything we build. As an autonomous RMM platform entrusted with protecting dental practice infrastructure, we hold ourselves to the highest security standards. Our platform is architected with a defense-in-depth approach, ensuring multiple layers of protection at every level.
We understand that dental practices handle sensitive patient information subject to HIPAA regulations. While our platform operates at the infrastructure level and does not access patient records or PHI, we design and operate every component as though it does — applying healthcare-grade security controls throughout our stack.
Infrastructure Security
Cloud Infrastructure
- Hosted on SOC 2-certified cloud providers
- Geographically distributed with redundancy
- Automated scaling and failover
- Virtual private cloud (VPC) isolation
Network Security
- Web Application Firewall (WAF)
- DDoS mitigation and rate limiting
- Network segmentation and micro-segmentation
- Intrusion detection and prevention (IDS/IPS)
Data Encryption
In Transit
- TLS 1.2+ for all connections
- TLS 1.3 preferred where supported
- Certificate pinning for agent communications
- Forward secrecy (ECDHE) on all endpoints
- HSTS headers enforced
At Rest
- AES-256 encryption for all stored data
- Hardware Security Module (HSM) for key management
- Automated key rotation
- Encrypted database backups
- Secure key storage and access controls
Access Control
- Role-Based Access Control (RBAC): Granular permission model ensuring users only access resources necessary for their role.
- Multi-Factor Authentication (MFA): Required for all dashboard access and administrative operations.
- Single Sign-On (SSO): Support for SAML 2.0 and OAuth 2.0 identity providers.
- Principle of Least Privilege: All internal and external access follows least-privilege principles with regular access reviews.
- Session Management: Automatic session timeout, secure token handling, and concurrent session controls.
- API Security: Token-based authentication, rate limiting, and scoped API keys for integrations.
5-Gate Safety System for Autonomous Remediation
CyberCore's autonomous remediation engine uses a proprietary 5-gate safety system to ensure that every automated action is safe, appropriate, and reversible. No autonomous action is taken without passing through all five gates:
Gate 1: Detection & Classification
The issue is detected through monitoring telemetry and classified by severity, type, and potential impact. False positive filtering ensures only genuine issues proceed.
Gate 2: Risk Assessment
The proposed remediation is evaluated against the current system state, active workloads, and potential side effects. High-risk actions are escalated for human review.
Gate 3: Safety Validation
The action is validated against safety rules, policy constraints, and business-hour restrictions. Pre-flight checks confirm the action won't disrupt patient-facing systems during operating hours.
Gate 4: Execution with Rollback
A system snapshot is captured before execution. The remediation is applied with real-time monitoring. If any unexpected behavior is detected, an automatic rollback is triggered immediately.
Gate 5: Verification & Journaling
Post-action verification confirms the issue is resolved and the system is healthy. Every action, decision, and outcome is recorded in the immutable Decision Journal audit trail.
Audit Trail & Decision Journal
Every action taken by the CyberCore platform — whether autonomous or user-initiated — is recorded in our immutable Decision Journal. This provides a complete, tamper-evident audit trail that supports compliance requirements and enables full transparency.
Each journal entry includes:
- Timestamp: Precise time of the event (UTC).
- Actor: Whether the action was taken by an autonomous agent, a system process, or a human user.
- Context: The system state, detected issue, and triggering conditions.
- Decision Reasoning: The logic and risk assessment behind the chosen action.
- Action Taken: The specific remediation or configuration change applied.
- Outcome: Whether the action succeeded, failed, or was rolled back.
- Verification: Post-action health check results.
Decision Journal entries are retained for a minimum of 6 years in compliance with HIPAA record retention requirements and are accessible through the dashboard at any time.
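As an added illustration (this is not CyberCore's code, and the hash-chaining scheme, field values and host names below are assumptions), here is one way the tamper-evident property of a journal with the fields listed above can be realised: each entry stores the SHA-256 hash of the previous entry, so editing any earlier record in place breaks every later link and a verifier can report exactly where the chain was broken.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


@dataclass
class JournalEntry:
    """Field names mirror the journal entry fields listed on the page.
    The hashing layout (prev_hash / entry_hash) is an assumption for illustration."""
    timestamp: str            # ISO-8601, UTC
    actor: str                # "autonomous_agent" | "system_process" | "human_user"
    context: dict             # system state, detected issue, triggering conditions
    decision_reasoning: str   # logic and risk assessment behind the action
    action_taken: str         # remediation or configuration change applied
    outcome: str              # "succeeded" | "failed" | "rolled_back"
    verification: dict        # post-action health check results
    prev_hash: str = GENESIS_HASH
    entry_hash: str = ""

    def payload(self) -> dict:
        """Everything that is hashed: all fields except the hash itself."""
        d = asdict(self)
        d.pop("entry_hash")
        return d


def compute_hash(entry: JournalEntry) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(entry.payload(), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DecisionJournal:
    def __init__(self) -> None:
        self.entries: List[JournalEntry] = []

    def append(self, **fields) -> JournalEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = JournalEntry(prev_hash=prev, **fields)
        entry.entry_hash = compute_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.prev_hash != expected_prev or compute_hash(e) != e.entry_hash:
                return False, i
            expected_prev = e.entry_hash
        return True, None


def build_sample_journal() -> DecisionJournal:
    """Two constructed entries; hostnames, issues and values are made up for the demo."""
    j = DecisionJournal()
    j.append(timestamp="2026-02-12T02:15:00Z", actor="autonomous_agent",
             context={"host": "ws-op-03", "issue": "disk_usage_95pct"},
             decision_reasoning="Low risk: temp-file cleanup outside operating hours; snapshot taken",
             action_taken="purge_temp_files",
             outcome="succeeded",
             verification={"disk_usage_pct": 61, "healthy": True})
    j.append(timestamp="2026-02-12T02:40:00Z", actor="autonomous_agent",
             context={"host": "srv-imaging-01", "issue": "service_imaging_bridge_stopped"},
             decision_reasoning="Service restart is reversible; pre-flight passed; snapshot taken",
             action_taken="restart_service imaging_bridge",
             outcome="rolled_back",
             verification={"service_running": False, "healthy": False})
    return j


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Silently rewrite an outcome without re-hashing: detected at that entry."""
    j = build_sample_journal()
    j.entries[0].outcome = "failed"
    return j.verify()


def tamper_and_rehash_demo() -> Tuple[bool, Optional[int]]:
    """Rewrite an entry AND recompute its own hash: the next entry's prev_hash no
    longer matches, so the break is detected one link later."""
    j = build_sample_journal()
    j.entries[0].outcome = "failed"
    j.entries[0].entry_hash = compute_hash(j.entries[0])
    return j.verify()


if __name__ == "__main__":
    print("intact:", build_sample_journal().verify())      # (True, None)
    print("edited in place:", tamper_demo())                # (False, 0)
    print("edited and re-hashed:", tamper_and_rehash_demo())  # (False, 1)
```

Chaining makes edits detectable, not impossible: someone who can rewrite the whole store can re-hash every entry from the edited one onward. The usual design choice is therefore to anchor the chain head outside the writable store, for example by periodically signing the latest entry hash with a key held in an HSM of the kind the key-management section describes, or by copying it to write-once storage, so that a full re-hash is caught as well.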
HIPAA Compliance
CyberCore is built to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. Our compliance program includes:
- Business Associate Agreements: We execute BAAs with all customers who are covered entities. Our Data Processing Agreement includes BAA provisions.
- Administrative Safeguards: Workforce training, security management processes, access management, and contingency planning.
- Physical Safeguards: Facility access controls, workstation security, and device and media controls at our data centers.
- Technical Safeguards: Access controls, audit controls, integrity controls, and transmission security as required by the HIPAA Security Rule.
- Breach Notification: Procedures to detect, report, and respond to breaches in compliance with the HIPAA Breach Notification Rule.
- Risk Assessments: Regular security risk assessments to identify and mitigate potential vulnerabilities.
Incident Response
CyberCore maintains a comprehensive Incident Response Plan that is tested and updated regularly. Our response process follows industry best practices:
Preparation
Dedicated incident response team, runbooks for common scenarios, regular tabletop exercises, and communication templates.
Detection & Analysis
24/7 monitoring, automated alerting, threat intelligence integration, and rapid triage and classification.
Containment & Eradication
Immediate isolation of affected systems, root cause analysis, threat removal, and evidence preservation.
Recovery & Lessons Learned
System restoration, enhanced monitoring, post-incident review, and process improvements documented and implemented.
Customer notifications are issued within 48 hours of a confirmed security incident, well within HIPAA's 60-day notification requirement.
Vulnerability Management
- Continuous Scanning: Automated vulnerability scanning of infrastructure, applications, and dependencies on a continuous basis.
- Penetration Testing: Annual third-party penetration testing by independent security firms, with additional testing after major releases.
- Patch Management: Critical patches applied within 24 hours; high-severity patches within 7 days; routine patches within 30 days.
- Dependency Management: Automated monitoring of third-party libraries and dependencies for known vulnerabilities.
- Bug Bounty: Responsible disclosure program for security researchers to report potential vulnerabilities.
Employee Security
- Background Checks: Comprehensive background checks for all employees with access to customer data or production systems.
- Security Training: Mandatory security awareness training upon hire and annually thereafter, including HIPAA-specific training.
- Confidentiality Agreements: All employees sign non-disclosure and confidentiality agreements as a condition of employment.
- Access Reviews: Quarterly reviews of employee access privileges with immediate revocation upon role change or departure.
- Secure Development: Developers follow secure coding practices with mandatory code reviews, static analysis, and security testing.
Third-Party Security
We carefully evaluate and monitor all third-party vendors and service providers:
- Vendor Assessment: Security questionnaires, compliance certifications, and risk assessments before onboarding any vendor.
- Contractual Controls: Data processing agreements, confidentiality provisions, and security requirements in all vendor contracts.
- Ongoing Monitoring: Annual reassessment of vendor security posture, compliance status, and risk profile.
- Data Minimization: Third parties receive only the minimum data necessary to perform their services.
- Sub-processor Transparency: Customers are notified of any changes to our sub-processor list with 30 days' advance notice.
Compliance Certifications & Standards
HIPAA: Compliant
Full compliance with HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. BAAs available for all customers.
SOC 2 Type II: In Progress
Actively pursuing certification. See our SOC 2 page for details and timeline.
Encryption Standards: Implemented
AES-256 at rest, TLS 1.2+ in transit. HSM-managed keys with automated rotation.
NIST Framework: Aligned
Security controls aligned with the NIST Cybersecurity Framework (CSF) for risk management.
Questions?
For questions about our security practices, to request our security documentation, or to report a security concern, please contact us:
- Email: support@cybercore.one
- Company: CyberCore Technologies
- Website: cybercore.one