We believe that privacy should be a fundamental right, for individuals as well as businesses. We are on a mission to invert the trust model and give data owners persistent control of their data so they can take back their privacy by determining who has access to that data, monitoring that access, and rescinding it at will.
When privacy meets law enforcement, ideals collide. In general, we want to see law enforcement able to lawfully do their job given probable cause and warrants. That said, IronCore is almost never in a position to provide meaningful data to law enforcement. See our transparency page for details on how we handle government requests for data and what data we could disclose if compelled to do so.
Today, data is an organization’s most valuable asset. We back our commitment to privacy with strong safeguards of data. Most data is encrypted such that IronCore cannot decrypt it nor provide that ability to anyone else not cryptographically authorized by the data owner. We also back our commitment contractually through our terms of service and privacy policies, which are some of the strongest anywhere.
IronCore follows a set of “Privacy by Design” principles that govern the treatment of data in the possession of IronCore. This approach applies worldwide, and is reflected across the company, from product plans to marketing plans to day-to-day operations. These principles include:
- Notice: we are transparent about our actions, what data we collect, and our intent with that data.
- Choice: we present individuals with clear and actionable choices regarding our collection and use of their data.
- Accountability: we audit data access, carefully control who can access it, and are transparent about those controls.
- Minimization: we collect only the data we need to serve our customers and prospects.
- Share Frugally: we share data with third parties only in the most limited ways and when absolutely necessary, such as to power customer support interactions via a partner.
- Right to Erasure: we always provide ways for users to opt out of emails or to request that their data be removed from our systems.
We take compliance seriously. We encourage regular audits, maintain certifications, provide contractual protections, and share tools and information that our customers can use to strengthen their own compliance.
Laws, audits and certifications
- We offer data processing and security terms for our products to help customers meet GDPR.
- Our services are backed by robust, state-of-the-art technical and organizational safeguards and encryption, and our program is reviewed annually by third-party auditors.
- Incident response
  - We maintain and continue to invest in advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help you identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay and with all available information.
- User transparency
  - Our customers can view their own information via the console.
  - Our customers can give their customers transparency into the data protected by IronCore using the architectural patterns outlined in our developer resources.
- International transfers
  - We are certified under the EU – U.S. and Swiss – U.S. Privacy Shield frameworks, which are a legal mechanism to enable the transfer of personal data from the EEA and Switzerland to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law.
  - Much of the data we hold is encrypted and we do not have the keys to decrypt it. For this data, many data locality laws can be satisfied if the keys that can decrypt or control the data stay in-country.
- Privacy practices
  - We have processes to build privacy into our products from the very earliest stages and apply those practices to all of the data we hold. We meet or exceed the GDPR requirements around Privacy by Design and Privacy by Default.
- Use of subprocessors
  - We do engage some third-party vendors to assist in supporting our services, particularly in support of our sales, customer support, and billing needs. Each IronCore vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy to meet our needs and the needs of our customers.
- We offer a Business Associate Agreement (BAA) addressing requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA).
- SSAE16 / ISAE 3402 (SOC 2/3)
  - The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and criteria for security, availability, processing integrity, and confidentiality. IronCore’s infrastructure runs on top of a cloud platform that has both SOC 2 and SOC 3 compliance.
How We Use Personal Data
In the European Union, data protection laws differentiate between “controllers” and “processors” of personal data. A controller decides how and why to process personal information. On the other hand, a processor processes personal data on behalf of a controller based on the controller’s instructions.
Controller of Personal Data
When potential customers request that we send them information, they leave their contact details (such as email address), for the express purpose of receiving our emails and other kinds of communications, for example on social media. We promptly stop sending emails when we receive an unsubscribe request. In order to make sure that we don’t accidentally send information to those who have unsubscribed, we store unsubscribed email addresses separately.
Direct customers give us contact names, company address, billing information, and other relevant personal information that is required for us to provide services to our customers. Our direct customer information is maintained indefinitely, even after a customer is no longer doing business with IronCore Labs, unless we receive a request to delete it at [email protected]. Our customers may also, at their discretion, contact us for customer or technical support. In order to provide our direct customers with excellent and ongoing support, we keep records of the queries and our responses indefinitely until we receive a request at [email protected] to delete those conversations. Some of this data may be stored on third party platforms.
Our website automatically logs activity, including visitors' IP addresses, and retains those logs for 30 days or less. All website logs older than 30 days are purged daily. We keep these logs for 30 days in order to detect, prevent, and investigate bugs, security incidents, or other problems with our products and services.
We collect analytics information on how people use our website in order to better understand our customers. To do that, we use a small number of third-party services with which we share some marketing data, including Google Analytics and Hubspot.
Google Analytics: to learn more about the Privacy Shield policy of Google Analytics, please refer to Google Analytics and the EU-US Privacy Shield https://support.google.com/analytics/answer/7105316?hl=en
If you wish to opt out of Google Analytics, Google has created the Google Analytics Opt-out Browser Add-On for many major browsers https://tools.google.com/dlpage/gaoptout?hl=en
Hubspot: to learn more about the Privacy Shield policy of Hubspot, please refer to Hubspot’s International Transfer of Information https://legal.hubspot.com/privacy-policy#_Toc513893751
As IronCore Labs grows, we periodically place job postings for positions in the company. We receive resumés and job applications from people interested in joining us. Those resumés and applications are kept for up to a year after a position is filled so that we can, at our option, contact qualified applicants for new positions. We will, if requested at [email protected], delete a resumé and application from an applicant who no longer wishes to be contacted.
Our Human Resources department maintains personal information on all IronCore Labs employees. Because of US tax laws, we must retain this information. At the time that this Policy was first published, all employees of IronCore Labs were residents of the United States. We do not use information collected for employment purposes for any non-employment-related reasons.
IronCore Labs End-to-End Encryption Services
At IronCore Labs, our core business is end-to-end data control, privacy, and security of our customers’ data. When our customers use our service, they are acting as the Controller of any personal data that they choose to transmit using IronCore Labs’ end-to-end encryption services. IronCore Labs does not have the ability to decrypt customers’ data sent using our encryption.
Audit trail logs of customer users and files are stored for a length of time which is under customer control, either 30 days, one year, or unlimited, depending on customer tier.
Privacy policies can be tedious to read, but we're determined to fix that. We are using bullet points and regular language to be absolutely clear about how we value your privacy.
IronCore will use customer data only to provide the services agreed upon, and for purposes compatible with providing those services. We do not use customer data or derive information from it for advertising. Furthermore, we will not disclose customer data to a government agency unless required by law. If law enforcement demands customer data, we will attempt to redirect the agency to request that data directly from the customer. More details on how we respond to government requests can be found in our transparency section.
On our website:
- We collect data that you give us when you complete web forms on our website, and we use that data for the reasons you gave it to us. For example, when you fill out a form to “Talk to Sales,” we use that data so you can talk to the sales team.
- We generally share the data we collect from you with those outside of IronCore if they are a service provider for IronCore (and have to follow our instructions) or if we’re legally required to share it with someone outside of IronCore.
- Your data is transferred to the U.S.
Through our services:
- We collect data from you when you set up an account with IronCore, like your name, email address, and billing information. We use that data to do things like communicate with you about your account and bill you for using our products and services. If you don’t want to get marketing emails from us, you can opt out by following the instructions in those emails or contacting customer service.
- When you use our products and services, we collect data relating to and about your use, like the API calls you make, how many API calls you make, how many users need access, how many files you are protecting, and so forth. We also store audit trails for all operations using the automatically generated identifiers or provided identifiers and metadata, if you’ve elected to provide those. We use this data to provide you with these details, to bill you for use of our products and services, to watch out for fraud, and to improve our products and services.
- We share data we collect from you with IronCore’s third-party service providers as necessary for those service providers to perform their services for us, for example third-party billing systems, sales tracking systems, and customer support systems. We will also share your data stored on our systems with third parties if we’re legally required to do so.
- We use third party payment services to collect and process users’ payment card transactions and do not store credit card information.
- Your data is transferred to the U.S. For encrypted data, it is encrypted on the client before being submitted and can only be decrypted by authorized users. If the only authorized users are in country X, then the data can only be read in plain text in that country, assuming the users with access are there when accessing the data.
Through our emails:
- From time to time we may email you if you elected to receive a newsletter or if we need to communicate with you about your account.
- Our emails may contain web beacons that give us information about whether or not users open these emails and whether or not they follow links in these emails.
- You can opt out of emails at any time.
About IP addresses:
When you visit the IronCore website, developer portal, or use our products and services, like our APIs, we collect your IP addresses to track and analyze information about the devices that are connecting to our systems and about where those devices are located. For example, we use IP addresses to track the geographic region of visitors and to detect possible fraud.
In the case of stored audit logs, we only record geographic source at the regional level, often at the country or state level, and many of our systems store only the first three parts of the IP address to keep personally identifiable information out of our audit logs.
Data transparency or erasure requests:
If you want to ask how to delete or access your data, email privacy at ironcorelabs.com.