AI-Powered RFP Software for Faster Sales | Iris AI

Vendor Risk & Due Diligence (Banks + Fintech)

This page is a procurement- and vendor-risk–focused FAQ for banks and fintechs evaluating Iris. It summarizes the evidence we can provide and outlines common control areas, with sensitive implementation details shared under MNDA (mutual NDA).

Controls summary

Iris is built to support enterprise risk requirements, including:

  • Security policies and governance (details under NDA)

  • Encryption in transit and at rest (implementation details under NDA)

  • Role-based access control (RBAC) and SSO options

  • Audit logging and monitoring to support investigations

  • Documented incident response and DR/BCP programs (details under NDA)

Compliance & third-party assurance

  • SOC 2: Iris maintains a SOC 2 report, available under NDA.

  • Penetration testing: A penetration test report is available post‑MNDA.

  • Ongoing due diligence: Iris can support periodic reassessments, including updated evidence and control narratives under NDA.

Evidence package (what we can provide)

Subject to an executed MNDA, Iris can provide an evidence package that typically includes:

  • SOC 2 report (under NDA)

  • Penetration test report (post‑MNDA)

  • Security overview and control narratives

  • High-level architecture and data flow overview

  • Policies and procedures as appropriate (e.g., incident response, access control, BCP/DR)

  • Responses to common bank/fintech questionnaires

Data handling

  • No training on customer data: Iris does not use customer data to train models.

  • Data minimization: Iris processes customer inputs/configuration to deliver the service.

  • Tenant separation: Iris is designed to maintain separation between customers through logical isolation and access controls. Architecture specifics can be reviewed under NDA.

  • Data flow transparency: Data flows and system boundaries can be reviewed as part of the trust packet.

Access control (RBAC/SSO)

  • RBAC: Role-based access to administrative functions.

  • SSO: SSO support for enterprise deployments (details and supported options documented under NDA).

  • Privileged access: Controls for administrative access, including approval workflows and monitoring, are documented under NDA.

Audit logs & auditability

  • Audit logs: Iris maintains audit logs for relevant administrative and user actions.

  • Evidence support: Iris can provide audit log descriptions, sample exports, and control mappings where applicable (under NDA).

  • Customer audits: Iris can support reasonable customer audit requests via evidence review and Q&A, consistent with contract terms.

Data retention & deletion

  • Retention: Retention practices and any configuration options are documented. Details available under NDA.

  • Deletion: Iris supports deletion requests and/or deletion per contractual terms. Backup handling and timelines are documented under NDA.

Subprocessors

  • Iris relies on subprocessors (e.g., infrastructure and support tooling) to operate the service.

  • A current subprocessor list is available under NDA unless otherwise provided publicly for a specific engagement.

Incident response & notifications

  • Iris maintains an incident response program covering detection, triage, containment, remediation, and communications.

  • Incident response documentation and customer notification procedures are available under NDA.

  • Customer coordination and reporting follow contractual requirements.

DR/BCP

  • Iris maintains a DR/BCP program, including documentation and testing.

  • RTO/RPO and recovery testing details are available under NDA (we do not publish recovery objectives publicly).

SLA & support

  • Uptime commitment/target: 99.99%.

  • Support model: Custom CSM support and a dedicated Slack channel (where applicable), Pylon-based support workflows, and enablement via Iris Academy.

  • Onboarding: Iris supports structured onboarding with security and technical stakeholders; onboarding runbooks and responsibilities can be shared during implementation.

Onboarding & contracting checklist (bank/fintech)

Typical items we can support during onboarding and contracting:

  • Executed MNDA to exchange security artifacts (SOC 2, pen test report)

  • Completion of vendor-risk questionnaires

  • Review of data flows, access model (RBAC/SSO), and audit logging

  • Confirmation of retention/deletion requirements (documented under NDA)

  • Agreement on support channels, escalation paths, and SLA terms

  • Subprocessor review and notification terms

  • Security addendum / DPA review as applicable

How to request the trust packet

Ask your Iris sales or customer-success representative to initiate the trust packet request. After an executed MNDA, we can share the SOC 2 report and penetration test report and schedule a Q&A session to address bank/fintech vendor-risk requirements.

FAQs

Do you have a SOC 2 report, and can we get it? Yes—SOC 2 report available under NDA.

Can we obtain a penetration test report? Yes—available post‑MNDA.

Do you train on our data? No. Customer data is not used to train models.

Can you meet specific retention or deletion requirements? Requirements can be evaluated during onboarding. Retention/deletion implementation details are documented in the security package under NDA.

What are your RTO/RPO and incident notification timelines? These are documented in the security package and shared under NDA.

What support is included? Support is available via a custom CSM and (where applicable) a dedicated Slack channel, with Pylon support workflows and Iris Academy resources.