vCIOToolbox

Security

Secure Transmissions and Sessions

Connection to the vCIOToolbox application is via SSL/TLS cryptographic protocols, using global step-up certificates. This ensures that users have a secure session from their desktop to our data center. Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.


Secure Data Centers

vCIOToolbox has partnered with INAP for carrier-neutral SOC 2 Type II hosting facilities. Our primary and secondary data centers are located in Atlanta and Seattle (U.S.) and AWS (regional datacenters), with options in Amsterdam, AMS-IX (EU), and Sydney, Digital Ocean (AU). Security Highlights include:

  • Security & Access: Key card with biometric access, video with 90-day retention, 24/7/365 onsite support
  • Network: Carrier connectivity to multiple providers
  • Power: 14.8 MW of power in N+1 configuration
  • Compliance:
    (U.S.) PCI DSS, HIPAA, SOC 2 Type II
    (EU) ISO 27001 and ISO 22301


Disaster Recovery

vCIOToolbox conducts near real-time replication of its primary and backup systems in each data center. We test to confirm we are meeting our projected RTO and RPO parameters and that all data is encrypted during transit.


Two-Factor Authentication

Two-Factor Authentication requires that all login attempts present both login credentials and a second authentication factor. We leverage two-factor verification powered by Twilio Verify. Two-factor can be set up as a policy and controlled by system administrators. Any access attempt that does not present valid credentials for each factor is denied access to vCIOToolbox.


Privacy

vCIOToolbox is committed to protecting your privacy and the personal information that you provide to us. Please read the Privacy Policy below to understand how we collect, use, and treat your personal information. If after reviewing this Privacy Policy you have questions regarding our treatment of your personal information, please contact us. You can view the full policy here.


Code and Database

vCIOToolbox tests all code for security vulnerabilities prior to release, and we regularly employ a third party to scan our network and systems for vulnerabilities.

Systems are designed and configured to support multi-tenant access with secure logical separations of customer data restricting access to only authorized information. Session timeout policies are employed for all users.


Artificial Intelligence (AI)

vCIOToolbox and Cybrance use AI models from OpenAI for cybersecurity compliance recommendations, and we adhere to OpenAI’s specific data handling policies. According to OpenAI’s API data usage policies (https://openai.com/enterprise-privacy), data sent through their API is not used for training by default unless the customer explicitly opts in; we have not opted in for any data we send to be used.

OpenAI retains API requests for a maximum of 30 days for abuse monitoring, after which they are deleted. In our implementation, we send only anonymized security control identifiers (such as CIS Controls, NIST, and ISO reference numbers) and receive generic framework-based recommendations based on a negative answer. We use the ‘disallowed_in_training’ API header flag to ensure our prompts are excluded from any future model training. No customer data, system configurations, or network information is ever transmitted to the AI service.

The queries contain only publicly available framework control references, and all responses are generic best-practice recommendations based on a negative response. Our zero-retention, zero-customer-data approach, combined with OpenAI’s enterprise-grade privacy controls and SOC 2 Type 2 compliance, ensures complete isolation of your sensitive information from the AI system. Each interaction is treated as a standalone query, with no context or history maintained between requests.