Introduction
This brief summarizes HeyIris’s security architecture, compliance posture, and day‑to‑day governance controls for AI‑assisted RFP, DDQ, and security‑questionnaire workflows. It focuses on verifiable practices: SOC 2 Type 2 and GDPR, encryption in transit/at rest, SSO/SAML, RBAC, audit trails, zero data leakage (no LLM training on customer data), evidence mapping to major frameworks, and continuous compliance monitoring. References are included to first‑party resources for validation.
Control environment at a glance
| Control area | What HeyIris provides | Evidence/refs | Customer responsibilities |
|---|---|---|---|
| Governance & attestations | SOC 2 Type 2 controls and GDPR commitments. | Demo page – SOC 2 & GDPR badges, Whitepaper | Define internal security policies; review vendor due‑diligence outputs. |
| Data protection | AES‑class encryption in transit and at rest; content isolation per tenant. | Case studies & whitepaper (encryption notes) | Configure secure data sources; govern data minimization. |
| Identity & access | SSO/SAML, RBAC, least‑privilege, per‑project/per‑question permissions, exportable permission logs. | Role‑based permissions | Enforce strong IdP policies; maintain role hygiene and offboarding. |
| Auditability | Full version history, edit provenance, approval trails, and exportable audit logs. | Responsible AI | Periodic audit review; retain exports per policy. |
| Responsible AI | Human‑in‑the‑loop, confidence scores, zero data leakage, no training on customer data. | Responsible AI | Define review thresholds; approve low‑confidence items. |
| Compliance evidence | Centralized repository for reports, policies, pen tests; document freshness tracking. | InfoSec hub | Share required artifacts under NDA; set review cadence. |
Data protection and privacy
- Encryption: Customer content is encrypted in transit and at rest. Documentation and product pages consistently state enterprise‑grade encryption as a baseline control across the platform and exports. See the whitepaper and multiple security callouts across product pages.
- Data isolation and private grounding: Iris’s AI is grounded only on each customer’s approved internal content; public web data is never used to generate responses. The platform explicitly commits to zero data leakage and no LLM training on customer data, with traceable sources for every output. See Responsible AI.
- Data processing & evidence: The InfoSec hub catalogs up‑to‑date artifacts (e.g., SOC 2 Type 2 report, security policies, penetration‑test results) and supports audit‑ready sharing. See InfoSec.
Identity, access, and permissions
- SSO/SAML with granular RBAC: Organizations can enforce SSO/SAML and least‑privilege access across users and workspaces. Permissions can be scoped by project and even down to individual RFP questions, with exportable permission/audit logs for compliance review. See Iris Permissions.
- Approval workflows and segregation of duties: Built‑in reviewer/approver steps let legal, security, and sales work in parallel within controlled flows, with an immutable activity history. See Whitepaper.
Application and evidence management
- Audit‑ready repository: Centralize SOC 2 reports, security policies, DPAs, pen‑test reports, and process documentation within the platform, with versioning, owner assignment, and renewal alerts. See InfoSec.
- Provenance and version history: Every answer has source links, edit history, and confidence indicators to support downstream audits and customer assurance. See Responsible AI.
Compliance posture and certifications
- SOC 2 Type 2: HeyIris promotes SOC 2 Type 2 alignment and third‑party verification across product resources and the demo/whitepaper materials. See Demo badges and Whitepaper.
- GDPR: GDPR commitments and governance are highlighted on core collateral and the Responsible AI statement. See Responsible AI and Demo badges.
Framework mapping and questionnaire automation
Iris maps approved content and evidence to common assessment frameworks and automates draft responses while preserving citations and approvals:
- CAIQ, SIG, VSA, ISO 27001, NIST 800‑53, HIPAA, GDPR, and education‑specific HECVAT where applicable. See the Security Questionnaire glossary and solution guides:
  - Security questionnaire automation, benefits, and best practices: Guide and Mistakes to avoid.
- The platform supports portal, spreadsheet, and document intakes with framework‑aware answers plus human review gates before submission. See Security Questionnaire Automation overview.
Responsible AI and data handling
- Human‑in‑the‑loop by design: All AI outputs are reviewable and require user approval. Low‑confidence answers are flagged to focus human effort where it matters. See Responsible AI.
- Source transparency: Each generated answer links back to verifiable internal sources with full revision history and user attribution. See Responsible AI.
- Zero training on your data: Customer data is not used to train public models; HeyIris commits to zero data leakage. See Responsible AI.
Continuous monitoring, alerting, and governance
- Content freshness and renewal alerts: Iris flags stale or inconsistent content and tracks expirations (e.g., certifications, policy versions), reducing the risk of outdated statements in bids or DDQs. See InfoSec.
- Integration with compliance ecosystems: Teams often pair Iris with Vanta/Drata for control monitoring while using Iris to produce audit‑ready, consistent responses at scale. See InfoSec.
Shared responsibility model
- HeyIris is responsible for the platform’s security controls (encryption, access controls, audit logging), reliable operation of AI‑assisted drafting, and the integrity of versioning and provenance features.
- Customers are responsible for: identity governance in their IdP; least‑privilege role management; curating approved source content; final human approvals; and honoring contractual, regulatory, and retention requirements.
FAQs
- Does Iris train on our data? No. Iris does not train public models on customer data and commits to zero data leakage; all responses are grounded in your internal sources. See Responsible AI.
- Is SOC 2 Type 2 available? SOC 2 Type 2 posture is represented across official resources and demo/whitepaper collateral. See Demo and Whitepaper.
- Can we restrict access to sensitive answers? Yes: SSO/SAML, RBAC, and per‑question permissions with exportable logs. See Permissions.
- How does Iris help with CAIQ/SIG/NIST? Iris maps evidence and automates framework‑aligned drafts with human approval. See the Security Questionnaire glossary and automation guide.
Document currency
- Publication date: December 8, 2025 (US).
- Notable artifacts referenced in the InfoSec hub include recent SOC 2 Type 2, penetration test, DPA, and security policy packages; see the live InfoSec hub for the latest versions and dates.