Trust & Security
CyberCaution™ is built to operate in your environment — not ours. You control your data, your infrastructure, and how the system is deployed. No forced cloud. No hidden data flows. No dependency on external processing.
This is not a SaaS platform by default. It is a deployable risk intelligence system.
How we build your risk picture: Security Posture & Cascade Model — exposure snapshot, sector and vendor view, explainable scoring.
Data handling & privacy
No central data collection
CyberCaution™ does not require central data collection to function. Assessments, risk data, and operational workflows can run locally.
You decide where data is processed, stored, and retained. The system is designed to operate without exporting sensitive data externally.
Why this matters
- No vendor lock-in through data dependency
- Reduced regulatory exposure from third-party processing
- Full auditability of how data is used
Minimal data collection
Only the data necessary for assessment is collected. No unnecessary payloads or extraneous information is gathered.
No resale or monetization
Customer data is never resold or monetized. Your information is used exclusively to generate your assessment outputs.
Separation of customer environments
Customer environments are logically separated to ensure data isolation and prevent cross-contamination between assessments.
Assessment outputs (optional)
When you opt in, data is used only to generate the assessment outputs you need. No secondary uses or hidden processing. By default, no data is collected for this purpose.
Delivery and deployment options
Three deployment models
- RansomScore Report: Standalone tools you can run immediately
- Risk Intelligence Workspace: Structured environment for ongoing risk management
- Client-hosted deployment: Full system deployed in your infrastructure
You choose where your data resides. Available options (as set out in our Privacy Policy and Terms of Service):
- Local-Only Mode: All data stored exclusively in your browser (IndexedDB, localStorage) or desktop app.
- Self-Managed Cloud: Deploy to your own cloud infrastructure with full control (AWS, Azure, GCP).
- ERMITS-Managed Cloud: Optional encrypted cloud synchronization with zero-knowledge architecture.
- Hybrid Deployment: Local processing with selective encrypted cloud backup.
- On-Premises: Enterprise customers can deploy on their own infrastructure.
For cloud-managed options, data residency is determined by your selected deployment region and applicable compliance requirements.
Deployment in your environment
Risk Review, Defense Workflow, and Website Review are offered only under privacy-preserving conditions:
- Local-first by default: Assessment and workflow data stay on your device or in your environment unless you explicitly opt in to sync or cloud.
- Same-origin or client-hosted: When website reviews and the workspace are used together with shared data, they are designed to run on a single origin (e.g. your domain or our single-domain deployment) so data does not need to cross origins to our servers.
- Optional cloud/sync only when you choose: Any sync to a backend or cloud is opt-in. If you use your own backend (self-managed or on-premises), your data never passes through our systems.
We do not use our servers to access your assessment or workflow data by default. Features are delivered under these conditions so you control data and privacy.
For detailed information about data handling and privacy practices, please review:
Security-by-design practices
Security is built in, not bolted on
CyberCaution™ follows security-by-design principles, ensuring that security considerations are integrated into the deployable system's architecture from the ground up.
Least privilege
Access controls follow the principle of least privilege, ensuring users and systems only have the minimum permissions necessary to perform their functions.
Isolation between tenants
Logical and physical isolation between customer environments prevents data leakage and ensures assessment integrity.
Secure defaults
The system is configured with secure defaults, reducing the risk of misconfiguration and ensuring a strong security posture out of the box.
Controlled access paths
All access paths are controlled and monitored, with authentication and authorization mechanisms in place to protect sensitive operations.
Auditability of outputs
Assessment outputs are designed to be auditable, with clear traceability between inputs, evaluation logic, and final recommendations. This enables security leaders to defend their risk decisions with confidence.
Framework alignment & established guidance
CyberCaution™'s methodology is informed by and consistent with established cybersecurity frameworks and industry best practices, with a focus on ransomware-specific risk evaluation. Our outputs support cyber risk readiness and ransomware preparedness and can be used to inform governance, risk, and compliance (GRC) efforts—as summarized in the mappings below.
CyberCaution™ does not claim certification, control ownership, or compliance on behalf of customers.
NIST Cybersecurity Framework (CSF v2 concepts)
| CSF function | CyberCaution™ contribution |
|---|---|
| Identify | Exposure visibility, dependency awareness, and risk categorization inputs |
| Prepare | Readiness assessment, preparedness indicators, and gap signals |
| Detect | Early risk and exposure signals (readiness-focused) |
| Respond | Response preparedness inputs and prioritization support |
| Recover | Informational input only |
ISO/IEC 27001 & ISO/IEC 27005
| Risk management activity | CyberCaution™ role |
|---|---|
| Risk identification | Identification of exposure conditions and ransomware-relevant dependencies |
| Risk analysis | Readiness scoring and impact-oriented indicators |
| Risk evaluation | Decision-support outputs for prioritization |
| Risk treatment | Informational input only |
| Monitoring & review | Continuous readiness visibility |
Ransomware readiness (NIST IR 8374 · CISA guidance)
| Readiness area | Coverage |
|---|---|
| Exposure awareness | ✔ Supported |
| Preparedness gap identification | ✔ Supported |
| Response planning inputs | ✔ Supported |
| Incident response execution | ✖ Not provided |
| Recovery operations | ✖ Not provided |
Explicit exclusions are intentional and reflect product scope.
Outputs & evidence you can defend
Trust is earned through outputs you can defend
CyberCaution™ generates assessment outputs designed to support defensible risk decisions. These deliverables enable security leaders, executives, boards, and insurers to understand ransomware readiness with clarity and confidence.
Executive summaries
Clear, concise summaries that communicate ransomware readiness status to executive leadership and boards, enabling informed risk decisions.
Prioritized remediation roadmaps
Actionable roadmaps that prioritize remediation efforts based on risk reduction logic, helping security teams focus on what matters most.
Exposure signals
Clear identification of conditions that signal ransomware exposure, enabling security teams to understand where failures would amplify impact.
Exportable formats
Assessment outputs are available in exportable formats, enabling integration with existing risk management and reporting workflows.
These outputs are designed to support CISOs, boards, and insurers in making defensible risk decisions about ransomware readiness, with clear traceability from assessment inputs to final recommendations.
Make ransomware readiness decisions you can explain
Before you're forced to make them under pressure.