Security Statement
Last updated: December 28, 2025
This Security Statement describes IronFlock’s security approach at a high level.
Informational only. This document is provided for transparency and does not create contractual commitments. Contractual security and data protection obligations (including breach notification) are governed by the applicable customer agreement and the Data Processing Addendum (DPA).
IronFlock is built on Google Cloud Platform (GCP). We use a combination of cloud-provider controls and our own technical and organizational measures to help protect customer data. For more information about GCP security, see: https://cloud.google.com/security/
A. User and Tenant Security
Authentication
Customer data in the Service is logically segregated by tenant/account access rules. Users authenticate to access the Service. Session mechanisms are designed not to include plaintext passwords.
Passwords
Passwords are salted and hashed. Baseline password requirements apply. Depending on the plan/configuration, additional authentication mechanisms (for example, SSO) may be available.
Data protection and encryption
We use TLS to protect data in transit. We apply encryption and secret-handling controls where appropriate, including for sensitive authentication material.
Privacy and GDPR roles
For platform customer data, IronFlock acts as a processor and processes personal data on behalf of customers under a DPA. Our public Privacy Notice primarily covers contexts where IronFlock acts as a controller (for example, website and billing contacts).
Data residency
Unless otherwise agreed in writing, we aim to host primary customer data within Germany/EU.
B. Availability and Resilience
Monitoring and incident response
We monitor service availability and performance and respond to incidents using operational escalation procedures.
Redundancy and backups
We design systems to tolerate common infrastructure failures through redundancy and recovery mechanisms. We maintain backups and resilience controls designed to help protect against data loss. Exact replication/backup configurations may change over time.
Physical security
Physical security and datacenter controls are provided by our cloud infrastructure providers.
C. Network and Infrastructure Security
Testing and change management
System changes are verified in isolated environments and subject to functional and security testing prior to production deployment.
Network controls
Network controls restrict access to services and management interfaces. Public endpoints are intended to be limited to necessary ports/protocols.
Access control
Role-based access is enforced for systems management by authorized personnel and is designed around least privilege.
Encryption in transit
Communications with the IronFlock website and application endpoints are protected using TLS. We configure endpoints to support modern cryptography and review transport security settings on an ongoing basis.
D. Vulnerability Management
Patching
We apply security patches and updates using a risk-based approach, prioritizing timely remediation of critical vulnerabilities.
E. Organizational and Administrative Security
Personnel and access
We maintain policies and controls intended to limit access to customer environments and data to authorized personnel on a need-to-know basis (for example, for support and security operations). Where access is required, we aim to minimize access to what is necessary to resolve the issue.
Training
We provide security and technology use training for employees.
Service providers
We screen service providers and bind them under contract to appropriate confidentiality and security obligations.
F. Software Development Practices
Secure development
Engineers follow secure coding guidelines and use review/testing practices intended to reduce security risk.
Deployment
We deploy updates regularly, including security fixes when needed.
G. Payments (if applicable)
If we offer paid services, payment details are transmitted securely. Where a third-party payment provider is used, that provider is responsible for PCI DSS compliance for the card data it processes. We do not aim to store full payment card details on our servers.
H. Security Incidents
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure.
If we become aware of a security incident involving Customer Personal Data, we will notify affected customers without undue delay, consistent with our contractual obligations (including the DPA) and applicable law.
I. Customer Responsibilities
Keeping data secure also depends on customers and users maintaining good security hygiene, including using strong authentication credentials, controlling access, and maintaining appropriate security on systems that interact with the Service.
Contact Us
If you have a question, concern, or comment about this Security Statement, please contact us at contact@ironflock.com.