For Client Businesses and Organizations

Iris Platform Security and Privacy Principles

Security is of paramount importance at Iris and we hold it as a core cultural tenet. We treat comprehensive security not as a point-in-time activity, but as an end-to-end continuous process.

We are Secure by Design

Security is built into all layers of the Iris identity and cyber protection platform using modern standards.

Product Development

Security is incorporated into the design of our products at every stage of the development process, from initial planning to final testing and deployment. This includes building systems and processes that regularly evaluate application development and performance (code reviews, static and dynamic code scanning) and also evaluating potential threats (threat modeling), employing third-party evaluations of our systems (application and network penetration testing) at regular intervals, and ensuring that our engineers regularly receive training on application security (secure coding techniques).

Cloud Infrastructure

Furthermore, our platform is built on a secure and modern global infrastructure, leveraging a leading cloud computing provider, and is designed to withstand outages in multiple fault domains (high availability). We heavily rely on several cloud-native technologies to deliver our services, which means we don't need any hardware or equipment outside of our cloud provider's data centers, allowing us to focus on securing our platform and customer data.

We are Private by Design

As a global identity and cyber protection provider, privacy is at the core of what we do – which is why we strive to meet industry standards and use current best practices.

Account Data Restriction

Iris does not share data that customers have provided for account or identity protection purposes with outside parties, except for entities specifically involved in servicing our customers’ plans and for third-party cookie usage on our corporate website. For those partners that Iris does utilize to support our products and services, we actively seek to limit the scope of the information they receive and require them to maintain strict data handling and security standards at all times.

Company Access Restrictions

We severely limit access to core Iris systems. This includes segregating large segments of our employee population from accessing core systems. Employees specifically tasked with working on core systems are required to operate on separate networks, hardware, and tools from employees who are not. Iris does not utilize third parties to manage any part of those core systems (including any hardware accessing those systems) but rather employs internal security architecture and operations groups charged with always enforcing the appropriate security posture. Access to production systems is granted on a least-privilege principle.

Regulation Compliance

Iris adheres to some of the strictest privacy protection regulations, such as EU GDPR, CCPA, and comparable standards, for all its product lines – no matter where an end user resides.

Encryption

Iris implements strict data protection protocols. All data is encrypted using effective cryptography practices and protocols. We utilize encryption at various points designed to protect customer data and Iris’ sensitive information, including encryption at rest, encryption for system backups, and end-to-end encryption of personal information within our systems. Additionally, we implement pseudo-anonymization techniques for monitored PII to further secure sensitive information and reduce the risk of unauthorized access.

We Trust Our Standards, but Verify Regularly

All Iris plans, policies, procedures, and security controls are audited several times a year by internal security, compliance and audit organizations, and independent third-party auditors – all tasked with assessing their effectiveness and validity.

Plans in Place

We have developed formal plans and procedures, including robust business continuity planning, business and risk analysis, and disaster recovery programs. We have these plans assessed annually by global, industry-leading audit firms.

Recognized Standards

Iris upholds the highest standards of security and privacy through regular third-party audits for compliance with SOC 2, PCI Level 1, and CSA CCM, demonstrating our commitment to protecting sensitive information.

Go Deeper – Iris Trust Center

We have several levels of security documentation available upon request for organizations considering providing identity and cyber protection services through Iris.

We would love to understand how the modern, secure Iris platform can help your organization expand your offerings, differentiate from your competitors, and bring a new level of value to your customer or member base.

To access our more detailed security documentation, please visit our Trust Center today.