Iris is designed to meet common enterprise security and compliance expectations. This page summarizes our security controls in plain language and describes what documentation is publicly available versus available under NDA.
Controls summary
- Security governance: Documented policies and procedures; security ownership and escalation paths (details available under NDA).
- Secure development practices: Change management and review processes; vulnerability management (details available under NDA).
- Encryption: Customer data is protected using encryption in transit and at rest (implementation details are included in the security package under NDA).
- Access controls: Role-based access control (RBAC), single sign-on (SSO) options, and least-privilege access (details below).
- Logging & monitoring: Security logging and monitoring to support investigation and auditability (details under NDA).
- Business continuity: Disaster recovery / business continuity planning (DR/BCP) with documented procedures (details under NDA).
Compliance & third-party assurance
- SOC 2: Iris maintains a SOC 2 report, which is available under NDA.
- Penetration testing: A penetration test report is available post‑MNDA (mutual NDA).
- Additional evidence: We support customer due‑diligence requests (questionnaires, control narratives, and standard evidence) through our trust packet process.
Data handling
- No training on customer data: Iris does not use customer data to train models.
- Customer data scope: Iris processes customer-provided inputs and configuration for the purpose of delivering the service.
- Tenant separation: Iris is designed to maintain separation between customer tenants using logical isolation and access controls. Specific architecture details are available under NDA.
- Data location and flows: Documented data flow diagrams and system descriptions are available under NDA.
Access control (RBAC/SSO)
- RBAC: Administrative permissions can be scoped by role to support least privilege.
- SSO: SSO is supported for enterprise deployments (configuration and supported standards are documented in the security package under NDA).
- Authentication controls: Additional authentication and session controls are documented under NDA.
- Internal access: Iris restricts employee access to production systems and customer data based on job function and approved workflows; details available under NDA.
Audit logs & evidence
- Auditability: Iris maintains audit logs for relevant administrative and user actions to support investigation and compliance requirements.
- Evidence support: On request (and subject to NDA where applicable), Iris can provide control narratives and evidence aligned to typical vendor-risk questionnaires.
- Export/retention of logs: Log availability and retention practices are documented in the security package under NDA.
Data retention & deletion
- Retention: Data retention practices are documented and may be configurable or contractually defined depending on the deployment. Details available under NDA.
- Deletion: Iris supports deletion of customer data upon request and/or per contractual terms. Implementation specifics (including backups and timelines) are documented under NDA.
Subprocessors
- Iris uses subprocessors to deliver the service (e.g., infrastructure and support tooling). A current subprocessor list is available under NDA unless otherwise provided publicly for a specific engagement.
Incident response & notifications
- Iris maintains an incident response program, including processes for triage, investigation, remediation, and customer communications.
- Incident response plan and customer notification procedures are available under NDA.
- We will coordinate with customer security and compliance teams during an incident consistent with contractual terms.
DR/BCP
- Iris maintains DR/BCP documentation covering continuity planning, testing, and recovery procedures.
- DR/BCP details (including recovery objectives) are available under NDA.
SLA & support
- Uptime commitment/target: 99.99%.
- Support channels: Custom CSM support and a dedicated Slack channel (as applicable), Pylon support workflows, and self-serve enablement via Iris Academy.
- Operational communications: Status updates and incident communications follow documented procedures (details available under NDA).
How to request the trust packet
To request Iris’s trust packet (SOC 2 report, security overview, and other due‑diligence materials), contact your Iris sales or customer-success representative. After an executed MNDA, we can share the SOC 2 report and penetration test report, along with additional supporting artifacts as appropriate.
FAQs
Is the SOC 2 report public? No. The SOC 2 report is available under NDA.
Can we review a penetration test report? Yes. A penetration test report is available post‑MNDA.
Do you train on our data? No. Customer data is not used to train models.
What are your encryption details, retention periods, and recovery objectives? These are documented in the security package and can be provided under NDA.
Can you support bank/fintech vendor questionnaires and evidence requests? Yes. We regularly support vendor-risk reviews and can provide standardized evidence after an MNDA where required.