Transparency is a core value and one that we believe is inseparable from trust and security, two things essential to our business. We aim to be transparent about what we do, why we do it, and how, whenever we can. Below we discuss our positions on open source, open access to information about our systems, and government requests.

Customer Notice Policy

We always attempt to redirect the third party to obtain the requested data directly from our customer. We will promptly notify our customers of any third-party request, providing a copy of the request, unless we are legally prohibited from doing so.

For valid requests that we are not able to redirect to our customer, we disclose information only when we are legally compelled to do so, and we always ensure that we provide only the data specified in the legal order.

Data We Hold

IronCore maintains a minimal set of data on customers to allow us to contact and bill them. IronCore also has contact information for prospects who have voluntarily provided this data via sign-up forms, at trade shows, or through other means. The categories of basic account information that may be available for law enforcement requests include: email address, name, phone number, screen name, instant messenger ID and/or billing contact information (in connection with paid accounts). Additional information regarding IP addresses, transactional records, customer support interactions, and other interactions between IronCore and the customer may also be available.

Aside from basic account information, IronCore holds very little data of use to law enforcement.

Data that we handle for our customers, and indirectly for their customers, is protected by end-to-end encryption. Whether the data is stored in our service or elsewhere, IronCore does not have the keys required to decrypt the data.

IronCore does track metadata associated with the data contents, however. We maintain a complete audit trail of information about who accesses data, when, and from where (which device was used and the geographic region from which it connected, if known). This information is tracked in tamper-evident audit logs so that data owners can monitor how their data is used and by whom. All of this metadata is associated with IDs provided by the customer to identify the encrypted data items and the users. These IDs provided by the customer should not contain any identifying information, such as the user’s name or email address. However, this data may have some meaning to law enforcement, even in the absence of encrypted data content, if law enforcement has procured information related to the IDs from other sources.

Warrant Canary

Up to this point in time, IronCore Labs has never been compelled to turn over user information to any third party. IronCore will update or remove this statement immediately with any changes. For additional detail, see the Transparency Reports below.

Government Request Process

Our customers and end users expect us to protect their personal information, sensitive data, and user privacy. Consequently, to obtain customer information from IronCore, law enforcement officials must provide legal process appropriate for the type of information sought, such as a subpoena, court order, or a warrant.

Before IronCore will even consider a request, it must be specified with particularity. Accounts must be identified by name, email address, and/or an IronCore ID number or public key, as well as a relevant time period. These limitations safeguard the privacy of our customers and ensure the information requested pertains only to the parties named in the subpoena or other valid legal request documents.

Foreign Request Process

IronCore Labs, Inc. is a U.S.-based company that provides a global service. We respond to valid legal process issued by a U.S. governmental entity or court and properly served in the U.S. Parties to civil litigation or governmental entities outside the U.S. should appropriately domesticate requests through a U.S. court by working through the appropriate process for international cooperation, such as letters rogatory or a Mutual Legal Assistance Treaty.

General Surveillance Requests

We will never voluntarily comply with any surveillance request or program. To the extent that we are compelled to comply with such a request, we will fight to redirect the request, to challenge the request, and, should all that fail, to make the request public as part of our transparency reporting.

Transparency Reports

As part of our commitment to the privacy of your data, we issue semi-annual reports to provide visibility into requests for customer information received from municipal, state, provincial, and federal governments globally.

In that spirit, our transparency reports document the total volume of government requests for information received by IronCore, how we responded to the requests, and how often we notified users of the requests. In some cases, we may be compelled to state ranges and not specific numbers.

1st Half 2018 IronCore Transparency Report

2nd Half 2017 IronCore Transparency Report

1st Half 2017 IronCore Transparency Report

2nd Half 2016 IronCore Transparency Report

1st Half 2016 IronCore Transparency Report

2nd Half 2015 IronCore Transparency Report