Security and Data Privacy in Ciroos

At Ciroos, the security and data privacy of our systems, customers, and partners are top priorities. Below is a summary of key security and data privacy capabilities within Ciroos.

Complete tenant isolation

Each organization is a distinct tenant, and there is hard separation at the organization boundary: data is always kept within the confines of the organization that owns it. Within an organization, multiple “projects” can be defined to narrow the scope of control given to an individual user, and privileges can further be limited to the specific activities a user may perform (see the RBAC section below for details).

SOC 2 certified

Ciroos is SOC 2 Type 2 certified and has been successfully audited by an independent, accredited third party. A Type 2 report provides evidence-based assurance that Ciroos maintains effective controls for security, availability, and confidentiality over an extended observation period, not merely at a single point in time. It reduces vendor risk for enterprise customers, shortens security review cycles, and reflects a mature operational posture grounded in continuous compliance. Ciroos can provide a full copy of the SOC 2 report to interested customers under NDA.

Penetration testing

Ciroos commissions penetration tests by an independent third party at least twice a year and promptly remediates any findings from those engagements.

Enterprise Single Sign-On (SSO)

Ciroos supports enterprise-class SSO and is compatible with any identity provider that speaks either SAML or OIDC (e.g., Google, Microsoft Entra ID, Okta, Ping Identity). We currently support integrations with 25+ identity providers.

No training on customer data

We do not train our models on customer data. The only exception is per-customer tuning: Ciroos may use anonymized customer data and customer-provided feedback to fine-tune the accuracy of the AI system for that specific customer’s environment, and for no other. Customer data is never commingled, shared, or used across organizations under any circumstances.

Role-based Access Control (RBAC)

Ciroos provides role-based access controls aligned with enterprise security expectations. A role can be granted organization-wide or scoped to a single “project,” and each user holds exactly one role per project. The available roles are Administrator, Practitioner, and Observer, each carrying a different set of privileges within the organization. Scoping roles this way lets customers set collaboration and access boundaries without weakening the security posture required in an enterprise environment.
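
To make the tenant and role model described above concrete, here is an added example of an authorization resolver, written for this page rather than taken from Ciroos’s own code, that enforces the three properties the page states: a grant in one organization never authorizes anything in another, a role is either organization-wide or scoped to one project, and a user holds exactly one role per project. The role names are the page’s; the privileges attached to each role, the rule that a project-scoped grant takes precedence over an organization-wide one, and the tenant, project and user names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Set, Tuple


# Roles named on the page. The privilege set attached to each role is an
# assumption made for this example; the page does not publish the exact mapping.
class Role(Enum):
    OBSERVER = "Observer"
    PRACTITIONER = "Practitioner"
    ADMINISTRATOR = "Administrator"


PERMISSIONS: Dict[Role, Set[str]] = {
    Role.OBSERVER: {"investigation:read"},
    Role.PRACTITIONER: {"investigation:read", "investigation:run"},
    Role.ADMINISTRATOR: {"investigation:read", "investigation:run", "project:manage"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    org: str
    project: Optional[str]  # None means the role applies organization-wide
    role: Role


class AccessPolicy:
    """Resolves the single effective role a user holds in an (org, project)."""

    def __init__(self, grants: Iterable[Grant]) -> None:
        self._roles: Dict[Tuple[str, str, Optional[str]], Role] = {}
        for g in grants:
            key = (g.user, g.org, g.project)
            # "Exactly one role per project": a second grant for the same
            # user/org/project is a policy error, not a silent override.
            if key in self._roles:
                raise ValueError(f"{g.user} already holds a role for {g.org}/{g.project}")
            self._roles[key] = g.role

    def effective_role(self, user: str, org: str, project: str) -> Optional[Role]:
        # The org is part of every lookup key, so a grant in one tenant can
        # never satisfy a request for another: the tenant boundary is
        # structural rather than a check that could be forgotten.
        # Assumption: a project-scoped grant narrows an org-wide one, so it
        # takes precedence when both exist.
        role = self._roles.get((user, org, project))
        if role is None:
            role = self._roles.get((user, org, None))
        return role

    def is_allowed(self, user: str, org: str, project: str, action: str) -> bool:
        role = self.effective_role(user, org, project)
        return role is not None and action in PERMISSIONS[role]


def build_sample_policy() -> AccessPolicy:
    """Constructed sample grants for two fictitious tenants, acme and globex."""
    return AccessPolicy([
        Grant("alice", "acme", None, Role.ADMINISTRATOR),     # org-wide admin
        Grant("bob", "acme", "payments", Role.PRACTITIONER),  # one project only
        Grant("carol", "acme", None, Role.PRACTITIONER),      # org-wide ...
        Grant("carol", "acme", "payments", Role.OBSERVER),    # ... narrowed here
        Grant("dave", "globex", None, Role.ADMINISTRATOR),    # a different tenant
    ])


if __name__ == "__main__":
    policy = build_sample_policy()
    checks = [
        ("alice", "acme", "payments", "project:manage"),     # allowed: org-wide admin
        ("bob", "acme", "payments", "investigation:run"),    # allowed: project practitioner
        ("bob", "acme", "billing", "investigation:read"),    # denied: no grant in billing
        ("carol", "acme", "payments", "investigation:run"),  # denied: narrowed to Observer
        ("carol", "acme", "billing", "investigation:run"),   # allowed: org-wide practitioner
        ("dave", "acme", "payments", "investigation:read"),  # denied: admin of another tenant
    ]
    for user, org, project, action in checks:
        decision = policy.is_allowed(user, org, project, action)
        print(f"{user:6} {org}/{project:9} {action:20} -> {decision}")
```

The point of keying every lookup on the organization is that cross-tenant access is impossible to express, not merely forbidden: dave’s Administrator role in globex resolves to no role at all in acme, and the duplicate-grant check in the constructor rejects a policy that would give one user two roles in the same project instead of picking one arbitrarily.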

Least privilege access to environments

Ciroos requires only read-only access to customer environments, including observability tools and cloud or hybrid platforms, to deliver value. Where agents are deployed in Kubernetes clusters, they are used solely to collect telemetry and eBPF signals and to execute non-mutating kubectl commands on behalf of the Kubernetes AI agents; they do not make any state changes. If access to a collaboration channel (e.g., Microsoft Teams, Slack, or Cisco Webex) is granted, Ciroos will post investigation updates and respond to user queries within that channel.
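
As an added illustration of what “read-only” means at the Kubernetes API level (an example manifest written for this page, not Ciroos’s own deployment), the following ClusterRole grants only the get, list and watch verbs that non-mutating kubectl commands such as get, describe and logs need. The namespace ciroos, the ServiceAccount name ciroos-agent and the resource list are assumptions; align them with the agent’s actual manifest before use.

```yaml
# Hypothetical read-only identity for a telemetry/kubectl agent.
# Illustrative only: the namespace, names and resource list are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ciroos-agent
  namespace: ciroos
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ciroos-agent-readonly
rules:
  # Only non-mutating verbs. Deliberately absent: create, update, patch,
  # delete and deletecollection, and the pods/exec, pods/attach and
  # pods/portforward subresources, each of which would allow state changes
  # or command execution inside workloads. "secrets" is also absent because
  # get on a Secret returns its contents; read-only is not the same as harmless.
  - apiGroups: [""]
    resources: [pods, pods/log, services, endpoints, events, nodes, namespaces]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [deployments, replicasets, statefulsets, daemonsets]
    verbs: [get, list, watch]
  - apiGroups: [batch]
    resources: [jobs, cronjobs]
    verbs: [get, list, watch]
  - apiGroups: [metrics.k8s.io]
    resources: [pods, nodes]
    verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ciroos-agent-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ciroos-agent-readonly
subjects:
  - kind: ServiceAccount
    name: ciroos-agent
    namespace: ciroos
```

After applying it, verify the bound identity rather than trusting the manifest: `kubectl auth can-i --list --as=system:serviceaccount:ciroos:ciroos-agent` prints everything the account may do, and `kubectl auth can-i delete pods --as=system:serviceaccount:ciroos:ciroos-agent` (likewise `create`, `patch`, or `create pods --subresource=exec`) should answer `no`. One caveat: eBPF collection happens at the node level and needs Linux capabilities (CAP_BPF or CAP_SYS_ADMIN, typically with host PID access) that Kubernetes RBAC does not govern, so the collector DaemonSet’s securityContext needs its own review separate from the API permissions above.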

Customers typically enable write access to ticketing systems (e.g., ServiceNow) a few weeks after onboarding. Once this access is granted, Ciroos can update ticket information directly in the ticketing system.

Responsible Disclosure Policy

At Ciroos, the security of our systems, customers, and partners is a top priority. We recognize the important role that security researchers and the community play in helping us maintain a secure environment.

If you believe you have discovered a security vulnerability in a Ciroos product, service, or system, we encourage you to report it to us responsibly.

How to Report

Please send your findings to security@ciroos.ai. To help us investigate effectively, please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Any relevant tools, scripts, or proof-of-concept code (if available)

Guidelines for Researchers

We ask that you follow these principles when investigating and reporting:

  1. Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
  2. Do not disrupt services for customers or exfiltrate sensitive data.
  3. Respect privacy and confidentiality of any data encountered.
  4. Allow us reasonable time to investigate and remediate before disclosing publicly.

Our Commitment

If you report a valid security issue to us:

  • We will acknowledge receipt of your report.
  • We will provide regular updates as we investigate.
  • We will notify you when the issue is remediated.
  • We will not pursue legal action if you follow this policy in good faith.

Recognition

While we do not currently operate a paid bug bounty program, we deeply appreciate contributions that help us strengthen security. With your permission, we may recognize you on our website or in release notes for valid reports.

Thank You

Your efforts to help keep Ciroos and our community secure are invaluable. Together, we can maintain a trusted environment for our user community.
