
Trust

Compliance, sub-processors, and how we handle your data.

This page reflects the current posture, not future promises. Status uses honest language: 'planned', 'mobilizing', 'in audit', 'Type I', 'Type II', 'continuous'. Reports and detailed artifacts are available under NDA before contracting.

Planned: Not started. On roadmap.
Mobilizing: Auditor selected, kickoff scheduled.
In audit: Fieldwork active.
Type I: SOC 2 Type I report dated and available under NDA.
Type II: SOC 2 Type II observation window complete; report available under NDA.
Continuous: Standing posture, not point-in-time.

Compliance posture

Frameworks, scope, and current status.

| Framework | Status | Scope | Evidence |
| --- | --- | --- | --- |
| SOC 2 Type II | Mobilizing | Security, Availability, Confidentiality trust services criteria | Auditor selection in progress. Type I targeted before Type II observation window. |
| ISO/IEC 27001:2022 | Planned | Information security management system covering all production systems | Statement of Applicability scoped. Certifying body selection follows SOC 2 Type I. |
| ISO/IEC 42001 (AI management) | Planned | AI management system covering internal SOC AI surface and customer-facing detection AI | Tracked alongside ISO 27001 to share controls and audit work. |
| FedRAMP | Planned | Moderate baseline target | Architecture is FedRAMP-aware. Sponsor and 3PAO engagement gated on first government-aligned customer. |
| GDPR / UK GDPR | Continuous | Data Processing Addendum, sub-processor list, EU SCCs | DPA available on request. Controllership posture documented per service. |
| HIPAA | Planned | Business Associate Agreement available for in-scope customers | BAA template under legal review. Will be available before first healthcare customer goes live. |
| PCI DSS | Continuous | IronSOC does not process or store cardholder data | Scope-limited statement available; we sit outside the customer cardholder data environment. |
| CSA STAR Level 1 | Planned | Self-assessment via Consensus Assessments Initiative Questionnaire (CAIQ) | Targeted alongside SOC 2 Type I publication. |

Data handling

How customer telemetry is stored, accessed, and erased.

These are platform behaviors, not aspirations. Specifics are expanded in the DPA and the security questionnaire pack.

Encryption

TLS 1.3 in transit; AES-256 at rest. Customer-held key option via cloud-provider KMS for production tenants on enterprise tier.

Tenant isolation

Per-tenant logical isolation in the detection store. Cross-tenant retrieval is blocked at the query layer; the boundary is part of the eval set.

Data residency

US (default), EU, and UK regions on the roadmap. Region selection is per-tenant at provisioning. Residency commitments are written into the order form, not a checkbox.

Retention

Detection telemetry retained per contracted window. Customer can shorten retention or trigger erasure within published SLAs. Evidence packs in incident cases follow case-retention policy, not telemetry retention.

Access

SSO via OIDC / SAML, mandatory MFA for all IronSOC personnel. Just-in-time elevation with full audit. No standing production access.

Audit trail

Every analyst action, AI action, and policy change is logged immutably and exposed to the customer's tenant. The customer can replay any case end-to-end.

Sub-processors

Categories now. Vendor names under DPA.

The full sub-processor list with named vendors is delivered with the DPA. The categories below reflect what runs in production today and what is added before first paying customer.

Cloud infrastructure (In use)
Purpose: Production compute, storage, and managed services.
Hyperscaler in the customer's selected region. Provider name disclosed in the sub-processor list under DPA.

Observability and logging (In use)
Purpose: Internal application telemetry and platform logs.
Vendor disclosed in the sub-processor list under DPA. Customer telemetry is not commingled into observability.

Identity provider (In use)
Purpose: Workforce SSO and provisioning.
Vendor disclosed in the sub-processor list under DPA.

Transactional email (In use)
Purpose: Notifications and IR communications.
Vendor disclosed in the sub-processor list under DPA.

Vulnerability scanning (In use)
Purpose: Scanning IronSOC's own production surface.
External attack surface and dependency scanning by independent provider.

Customer support (Planned)
Purpose: Support ticketing and case management.
Will be added in advance of first paying customer. Listed under DPA with notification rights.

Customer rights

What you get in writing.

Trust is contractual, not aesthetic. Every commitment below is available as document text — not as a marketing claim.

Data Processing Addendum

Standard DPA with EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Available on request before contracting.

Audit rights

Customers receive the most recent SOC 2 / ISO 27001 reports under NDA. Direct audit available for enterprise tier under contract.

Sub-processor change notice

Material changes to the sub-processor list are notified at least 30 days in advance with right to object.

Breach notification

Notification within 72 hours of confirmed breach affecting customer data, in line with GDPR Article 33 and customer-specific contract obligations.

Update cadence and how to verify.

This page is updated within five business days of a status change. We keep a dated changelog visible to customers in their tenant. If a status here looks stale, it probably is — email us and we will either update it or explain the delay.