Our commitment

At CyberNut, protecting the data entrusted to us by schools is a core part of how we build and operate our services. Our security and privacy program is designed around recognized best practices, including the NIST Cybersecurity Framework, and is supported by technical, operational, and contractual safeguards.

‍

What data we process

We process the information needed to deliver, support, secure, and administer our services. Depending on how CyberNut is used, this may include account information such as names and email addresses, school-provided information required to deliver the service, usage information, and limited threat-reporting data. For customers who use the CyberNut Gmail add-on, this may also include email metadata, subject lines, message content, dates, and attachments when needed for core threat detection and reporting functions.

‍

How we use data

We use data to operate the CyberNut platform, deliver phishing simulations and training, support reported-threat workflows, notify users and administrators about flagged activity, maintain service security and performance, respond to customer requests, and meet legal and contractual obligations. Where we send marketing communications, recipients can opt out. CyberNut also states that Google Workspace data is not used for advertising or profiling.

‍

How we protect data

CyberNut's public materials describe a security program that includes encryption in transit and at rest, role-based and least-privilege access controls, multifactor authentication, secure cloud infrastructure, monitoring, backup and recovery practices, and a formal incident-response process. CyberNut also describes employee training and ongoing risk-management practices as part of its broader security program.

‍

How access is controlled

Access to customer and personal data is limited to authorized personnel who need that access to perform their responsibilities. Those individuals are subject to confidentiality obligations, and CyberNut's DPA states that personal data is processed on documented customer instructions unless otherwise required by law.

‍

How we share data

CyberNut states that it does not sell or rent personal information. When authorized service providers support delivery of the service, they are expected to protect data using appropriate safeguards. Information may also be disclosed or transferred when required by law or in connection with a merger, acquisition, or similar corporate transaction.

‍

Retention and deletion

We retain personal data only as long as needed to provide our services, meet legal and compliance obligations, and honor customer agreements. Customers may request deletion, and anonymized data that can no longer be linked to an identifiable person may be retained longer where permitted by law.

‍

Student and child privacy

Because CyberNut serves schools, its services may be used by students, including children under 13. CyberNut states that schools are responsible for obtaining any necessary consent for student users, and CyberNut has received COPPA, FERPA, and multiple other student privacy related certifications.

‍

Your rights and questions

Customers and eligible users may request access to or deletion of personal information, subject to applicable law and identity verification. Questions about privacy or data protection can be directed to hello@cybernut.com.

‍