Security, Privacy & Compliance
How CyberWarrior protects client data, compliance certifications, HIPAA, SOC 2, and insurance.
How does CyberWarrior protect client data?
CyberWarrior accesses client data solely for service delivery purposes and never uses it for any other purpose, including AI model training or third-party sharing. Access is governed by signed data handling agreements, and all credentials are revoked at end of service. Specific controls are documented in our service agreements.
CyberWarrior handles client data under a strict purpose limitation: we access and process your business data only to deliver the services you have engaged us for. We do not use client data to train AI models, benchmark against other clients, share with third parties, or for any purpose beyond the active service relationship.
In practice, the data CyberWarrior accesses depends on which service you engage. For AI Ops clients, this typically includes CRM records, customer contact lists, email account access, social media credentials, and brand assets. For MSP clients, this includes device configurations, network data, and security telemetry. For training clients, this includes participant names, roles, and completion records.
Controls in place include: access limited to the specific systems required for delivery, credential management with revocation at end of service, data sharing agreements signed as part of partnership setup (particularly for workforce board partners handling participant PII), and a documented offboarding process that includes data return and deletion confirmation within five business days of service end.
For clients in regulated industries, we can provide our data handling policy in writing before signing. If your compliance process requires a data processing agreement (DPA) or specific security documentation, contact us at the discovery stage and we will provide what is needed. We do not have a one-size-fits-all security document, but we will produce the documentation appropriate for your industry and use case.
Are you SOC 2 certified?
CyberWarrior does not currently hold a SOC 2 certification. If your procurement process requires SOC 2, contact us to discuss your specific requirements. We can provide information about the controls we have in place and assess whether we can meet your compliance needs through alternative documentation.
CyberWarrior does not currently hold a SOC 2 Type I or Type II certification. We want to be direct about this rather than obscure it with language about being "SOC 2 aligned" or "working toward certification."
SOC 2 certification involves a formal third-party audit of an organization's security, availability, processing integrity, confidentiality, and privacy controls. It is a significant undertaking that makes most sense for organizations serving enterprise clients with formal procurement requirements.
If your organization requires SOC 2 as a vendor prerequisite, the honest answer is: CyberWarrior may not be the right fit for that procurement pathway today. We would rather tell you this clearly than have you discover it mid-procurement.
What we can provide: a description of the security controls and practices we have in place, references to relevant third-party recognitions (CISA recognition, for instance, reflects an evaluation of our cybersecurity program quality), and a direct conversation about whether our existing controls are sufficient for your specific use case.
If SOC 2 is a requirement for future CyberWarrior client relationships, that feedback is valuable. Contact us at info@cyberwarrior.com and we will have an honest conversation about timelines and alternatives.
Do you comply with HIPAA requirements?
CyberWarrior can work with healthcare clients and will execute a Business Associate Agreement (BAA) when required. Whether our services are appropriate for your specific HIPAA-regulated use case depends on what data we would access. Contact us to discuss your requirements before engaging.
HIPAA compliance is use-case specific. Whether CyberWarrior can serve a healthcare client under HIPAA depends on what protected health information (PHI), if any, our services would access or process.
For managed services that do not touch PHI: many AI Ops and MSP use cases can be structured so that CyberWarrior does not access PHI at all. For example, a healthcare practice that engages CyberWarrior for marketing (social media, email campaigns to general prospects) or IT monitoring (device security, helpdesk for staff) may not need HIPAA-specific controls if PHI is isolated from those workflows.
For managed services that would access PHI: if your AI Ops or MSP engagement requires CyberWarrior to process, store, or transmit PHI (for example, a Back-Office Ops function handling patient intake documents), then CyberWarrior would function as a Business Associate under HIPAA and a BAA would be required. We can execute a BAA and will review the specific PHI data flows involved before signing.
For training clients: CyberWarrior's training programs do not involve access to your organization's PHI. Training is a service delivered to your employees, not a service that processes your patient data.
The right starting point is a direct conversation about your specific use case before you engage. Contact us with a description of what data CyberWarrior would access and we will give you a clear answer about what compliance structure is appropriate.
Are your systems NIST-aligned?
CyberWarrior's cybersecurity program is informed by NIST frameworks, including the NIST Cybersecurity Framework. Our MSP service incorporates controls aligned to NIST guidance. We do not claim a formal NIST assessment or certification: NIST frameworks are voluntary and used for self-assessment or third-party assessment, and NIST itself is not a certifying body.
NIST (National Institute of Standards and Technology) publishes voluntary cybersecurity frameworks that are widely referenced in both government and private sector security programs. The most commonly referenced for SMBs is the NIST Cybersecurity Framework (CSF), which organizes security practices into five functions: Identify, Protect, Detect, Respond, and Recover.
CyberWarrior's MSP service incorporates controls that align to NIST CSF guidance. Our 24/7 managed detection and response, endpoint protection, patch management, and incident response capabilities map to the Detect and Respond functions. Our security awareness training maps to Protect. Our vulnerability assessments and asset management practices map to Identify.
Our cybersecurity training programs reference NIST frameworks in curriculum design. Participants learn how to apply NIST-based thinking to their organizations' security posture, which is particularly relevant for clients who operate under government contracts or who interact with federal agencies.
What we do not claim: a formal third-party NIST assessment or any kind of NIST certification. NIST does not issue certifications to vendors. Organizations that claim "NIST certified" are misusing the terminology. We describe our practices as NIST-informed, meaning our controls and training curriculum reference NIST guidance, and we apply that guidance in our work.
If your organization uses a specific NIST framework (CSF, SP 800-171, etc.) as a vendor evaluation standard, contact us with the specific controls list and we will assess our alignment against it.
Can I see your security documentation before we sign anything?
Yes. CyberWarrior can provide security documentation appropriate to your evaluation process before you sign anything. The scope of what we provide depends on your requirements. Contact us with your specific documentation request and we will respond within two business days.
Yes. Asking to review a vendor's security documentation before signing is a reasonable and standard practice, and CyberWarrior will not make you wait until after contracting to access it.
What we can typically provide on request before signing:
- A description of the security controls and practices in place for service delivery, including access control, credential management, data handling, and incident response.
- Our data handling policy for the specific service you are evaluating, including what data we access, how it is stored, how it is transmitted, and what happens to it at end of service.
- Our standard data processing agreement (DPA) or data sharing agreement template, which can be reviewed and negotiated before execution.
- References to relevant third-party recognitions, including CISA recognition of our cybersecurity training programs.
- Information about the security tools and platforms we use in service delivery, which is relevant for clients who need to evaluate our toolchain for compliance purposes.
What we cannot provide: SOC 2 audit reports (we do not currently hold SOC 2 certification). For requirements that specifically mandate SOC 2, see the SOC 2 FAQ above.
To request security documentation, contact info@cyberwarrior.com with a description of what you need and for which service you are evaluating. We will respond within two business days with the appropriate materials.
Where is client data stored?
Client data is stored in the systems you already own (your CRM, email platform, cloud storage) or in the AI tools and platforms CyberWarrior uses for service delivery. We do not maintain a proprietary client data warehouse. Specific storage locations depend on the service engaged and are documented in our data handling policy.
The answer to "where is client data stored" depends on which service you are asking about and how we have structured the engagement.
- For AI Ops clients: The primary location of your business data (CRM records, customer contacts, content assets) remains in your own platforms: your CRM, your email marketing platform, your cloud storage, your social media accounts. CyberWarrior integrates with these platforms to deliver services but does not duplicate your data into a proprietary CyberWarrior storage environment. AI-generated outputs (content, reports, sequences) are delivered to your platforms and stored there.
- For MSP clients: Security telemetry, device monitoring data, and helpdesk ticket data are processed through the monitoring and ITSM platforms CyberWarrior uses for service delivery. These platforms are enterprise-grade tools with their own security certifications. Specific platform names and their data residency locations are available on request.
- For training clients: Participant enrollment data, attendance records, and completion certificates are maintained by CyberWarrior for the purpose of supporting WTFP reimbursement, WIOA documentation, and credential verification. This data is held for a reasonable retention period after program completion and then deleted per our data retention policy.
- For all services: Data processed by AI tools as part of service delivery passes through the AI platforms we use. We do not use client data to train underlying AI models. Specific AI platforms and their data handling policies are available on request.
If you have specific data residency requirements (for example, a requirement that no data be stored outside the United States), contact us before engaging and we will assess whether our current toolchain meets that requirement.
What happens to our data if we cancel?
Within five business days of your service end date, CyberWarrior provides data exports of your records, confirms deletion of your data from our systems, revokes all access credentials, and returns or destroys any assets you provided during onboarding. Your data is yours. We retain nothing beyond our own service delivery records.
Data handling at cancellation is one of the most important things to understand before signing with any managed services vendor. Here is exactly what CyberWarrior does.
Within five business days of your service end date:
- Data exports: We provide exports in standard formats for any data we have maintained on your behalf within our own systems (performance reports, enriched CRM records, content archives). You receive everything.
- Deletion confirmation: We confirm in writing that your data has been deleted from our internal systems and from the AI tools used to deliver your service. This is a written confirmation, not a verbal assurance.
- Access revocation: We revoke all credentials and access to your platforms (CRM, email, social media, cloud storage) that we were granted during onboarding. We confirm this revocation in writing.
- Asset return or destruction: Any brand guidelines, customer lists, document templates, or other proprietary assets you provided during onboarding are returned to you or destroyed, with written confirmation of which action was taken.
What we retain after cancellation: Our own internal service delivery records (what work was done, when, and at what cost), billing records, and communications with you that are part of our normal business record. These are our records, not your data.
If you want a specific data offboarding commitment in your service agreement before signing, we will include it. This is a standard request and we accommodate it without resistance.
Do you have cyber liability insurance?
Yes. CyberWarrior carries cyber liability insurance as part of our standard business coverage. Proof of insurance is available upon request during the procurement or partnership process. Specific coverage amounts and carriers can be provided for clients or partners with formal insurance verification requirements.
Yes. CyberWarrior carries cyber liability insurance. This is standard coverage for a company delivering managed IT, cybersecurity, and AI operations services, and we maintain it as a baseline protection for both our business and our clients.
Cyber liability insurance covers events such as data breaches involving data we handle on behalf of clients, security incidents arising from our service delivery, and errors and omissions in the delivery of technology services.
For clients or procurement teams that have formal insurance verification requirements: we can provide a certificate of insurance (COI) upon request. The COI includes coverage amounts, policy period, and carrier information. Some client contracts require CyberWarrior to be named as an additional insured on specific policies or to maintain minimum coverage thresholds. These requests are accommodated on a case-by-case basis.
To request insurance documentation, contact info@cyberwarrior.com with your specific requirements. This is a standard procurement request and we respond within two business days.
For workforce board partners and government-adjacent clients: insurance documentation is typically included in our standard vendor compliance package along with our EIN, minority-owned certification, and WIOA or WTFP approval documentation.
Still have questions?
We're here to help. Reach out and we'll give you a straight answer.