Transparency

Transparency is a core value and one that we believe is inseparable from trust and security, two things essential to our business. We aim to be transparent about what we do, why we do it, and how, whenever we can. Below we discuss our positions on open source, open access to information about our systems, and government requests.

Open source

We support a number of open source projects and have open sourced a number of projects ourselves. We are strong believers in open source in general, and even stronger believers in open source security products. Sunlight helps to uncover bugs and alleviate suspicion, and it leads to a stronger community. See our open source code by browsing the IronCore Public Repos on GitHub.

Open access to architecture and design

A disappointing number of commercial security products obfuscate what they actually do to the point where customers are forced to speculate about the details. We believe that to truly differentiate as a security company and a developer platform, we must provide abundant and accurate information about what we do and how we do it. To that end, we publish details of our architecture and our algorithms with nothing held back, and we commit to making these details freely available. Visit our documentation site for more information. In some cases, we publish this information in academic journals and conference proceedings, but we take care to retain our right to provide these papers for free to interested parties.

Cryptography audits

Our commitment to transparency and trust includes periodic reviews of our cryptography algorithms and implementation from respected third parties.

Our most recent audit from the NCC Group is discussed in NCC Group Audit of Open Source Proxy Re-Encryption Library.

Requests for your data

From time to time, IronCore may receive requests for user data from law enforcement, civil litigants, and other external parties. IronCore will always attempt to redirect these requests to customers and to notify users about data requests for their information by law enforcement, unless we are specifically prohibited from doing so by statute or court order, or unless we lack valid contact information for the user. Because most of the data we handle is protected by end-to-end encryption, IronCore is unable to provide user data to third parties in nearly all circumstances.

Customer notice policy

We always attempt to redirect the third party to obtain the requested data directly from our customer. We will promptly notify our customers of any third-party request, providing a copy of the request, unless we are legally prohibited from doing so.

For valid requests that we are not able to redirect to our customer, we disclose information only when we are legally compelled to do so, and we always ensure that we provide only the data specified in the legal order.

Data we hold

IronCore maintains a minimal set of data on customers to allow us to contact and bill them. IronCore also has contact information for prospects who have voluntarily provided this data via sign-up forms, at trade shows, or through other means. The categories of basic account information that may be available for law enforcement requests include: email address, name, phone number, screen name, instant messenger ID and/or billing contact information (in connection with paid accounts). Additional information regarding IP addresses, transactional records, customer support interactions, and other interactions between IronCore and the customer may also be available.

Aside from basic account information, IronCore holds very little data of use to law enforcement.

Data that we handle for our customers, and indirectly for their customers, is protected by end-to-end encryption. Whether the data is stored in our service or elsewhere, IronCore does not have the keys required to decrypt the data.

IronCore does track metadata associated with the data contents, however. We maintain a complete audit trail of information about who accesses data, when, and from where (which device was used and the geographic region from which it connected, if known). This information is tracked in tamper-evident audit logs so that data owners can monitor how their data is used and by whom. All of this metadata is associated with IDs provided by the customer to identify the encrypted data items and the users. These IDs provided by the customer should not contain any identifying information such as the user's name or email address. However, this data may have some meaning to law enforcement, even in the absence of encrypted data content, if law enforcement has procured information related to the IDs from other sources.

Warrant canary

Up to this point in time, IronCore Labs has never been compelled to turn over user information to any third party. IronCore will update or remove this statement immediately with any changes.

Government request process

Our customers and end users expect us to protect their personal information, sensitive data, and user privacy. Consequently, to obtain customer information from IronCore, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.

Before IronCore will even consider a request, it must be specified with particularity. Accounts must be identified by name, email address, and/or an IronCore ID number or public key, as well as a relevant time period. These limitations safeguard the privacy of our customers and ensure the information requested pertains only to the parties named in the subpoena or other valid legal request documents.

Foreign request process

IronCore Labs, Inc. is a U.S.-based company that provides a global service. We respond to valid legal process issued by a U.S. governmental entity or court and properly served in the U.S. Parties to civil litigation or governmental entities outside the U.S. should appropriately domesticate requests through a U.S. court by working through the appropriate process for international cooperation, such as letters rogatory or a Mutual Legal Assistance Treaty.

General surveillance requests

We will never voluntarily comply with any surveillance request or program. To the extent that we are compelled to comply with such a request, we will fight to redirect the request, to challenge the request, and, should all that fail, to make the request public as part of our transparency reporting.