US Consumer Data Privacy Guide

Who We Are

Iris® Powered by Generali provides world-class identity theft and cybercrime protection for consumers.

We power identity and cyber protection services offered by many different partners or merchants—such as credit card, insurance, technology, and other companies—often under that organization’s branding.

As we handle individuals’ personal information, Iris believes customer security is a top priority and critical to everything we do. We follow strict security rules and data privacy controls when handling personal information.

How does Iris protect my personal information?

To use Iris’ identity or cyber protection services, users may need to enter personal information.


Iris uses rigorous security and encryption methods to protect personal information. Data is encrypted at rest (stored in a database or backups) and in transit (when being sent to an authorized monitoring partner, a client organization, or the individual user).


We do not sell or share customers’ personal information to third parties except for third-party cookies on our corporate website, or entities involved in directly servicing the customer’s identity protection plan, such as insurance carriers, credit bureaus, or authorized identity monitoring partners.

1. Customer Data Protection

When you provide personal information to be monitored via features such as Identity Monitoring, Credit Services, Email Health Check, or other functions, Iris protects it via hashing and/or encryption.

Items you enter in via Identity Monitoring are securely transformed into a unique ID before they are stored or shared with any authorized monitoring partners.

We never store confidential information in plain text (such as Social Security Number, credit card number, or bank account number). Instead, we store it encrypted, seeking to use the strongest level of encryption available depending upon the uses of that data.

For many types of sensitive data, we seek to hash the data prior to distributing it out to our monitoring or processing partners—transforming it permanently to another value, which seeks to ensure it would be unusable even if a thief obtained it.

Where hashing is not available due to certain monitoring partners’ need to check the actual value, we rely on secure encryption to transmit sensitive data to those partners.

2. Data Retention

We minimize the storage of personal information in our own systems, typically storing only the user information that is necessary to service the account.

Upon account cancellation:


An automated data deletion process immediately begins, clearing out the customer’s monitored items and related data both from third-party partner systems and from our own systems. In most cases, this customer information is deleted within a matter of days.


Account information data, including Billing Processing Records and Case Management Records, may remain in our system for up to one year. After that, it is made unreadable from production online systems and moved to offline storage.

3. Backups

We regularly back up our data.


We allow recovery from the most recent backup if there is a data corruption issue. 


We have two recovery sites that can be used in case a major event happens in the primary data center serving any given customer.

How is access to my Iris account protected?

Iris takes multiple steps to protect user accounts.

In particular, typically in our portals we employ an advanced multi-factor authentication (“MFA”) that protects accounts with real-time monitoring, biometrics, and behavioral analytics.


Rather than a traditional 2FA or MFA that requires you to put in a passcode or click a link every time you log in, our MFA runs automatically in the background at all times, analyzing hundreds of data points in real-time.


When you attempt to log in, it will only require a separate factor for authentication (such as a one-time passcode sent via email) if the system detects a sufficiently high risk threshold.


This way, we offer enhanced protection against threats without a cumbersome login process.

What does Iris do to protect its products from cyberattacks?

We design our products with security in mind from the beginning and take extensive steps to ensure the security of all sensitive data throughout its journey.

We employ network and application firewalls, strict access control rules, and hundreds of automated security checks to protect our platform from threats.

Iris engineers undergo secure coding training and follow rigorous personal information usage policies to prevent unwanted access.

How does Iris protect its data stored in the cloud?

Iris maintains a high level of compliance with cloud security standards. 


We monitor our environment using automated security checks and are compliant with Center for Internet Security (“CIS”) and Payment Card Industry (“PCI”) security standards.


We employ an Intrusion Detection System that notifies us of any problems.


Our team uses a Managed Detection and Response process if an issue does arise.


We require a VPN for all internal services and MFA for any network access.

How does Iris handle internal security?

Iris maintains a strong information security culture, as employees are a critical part of effective data security. Every employee participates in a security training program that includes awareness training, application security training, cyber threat training, and office security training.

Iris also protects its platform through an Identity and Access Management (“IAM”) system that requires MFA and a full audit log of all logins. We use enterprise device management and endpoint threat detection systems designed to prevent phishing and scam attacks on our employees.

All Iris employees are subject to background checks and screenings during the hiring process. All physical locations are protected by an access control system and can only be reached by authorized personnel.

Furthermore, the Iris Resolution Center operates on a paperless basis, reducing the risk of inappropriate sharing of information and helping to ensure a digital trail if it were to happen.

How does Iris assess third-party data monitoring partners?

Iris thoroughly vets security and data protection standards for every third-party data monitoring partner that supports our service. We also actively monitor and assess our authorized monitoring partners on their security performance.

Iris maintains and improves its security presence to provide users with a safe and secure experience. For more information about our security features and practices, please contact our Security team directly at