Ironact

Security

Security and trust.

Our products handle customer and brand data, so protecting it is part of the product. This page explains how we approach security today and where we are honest about the work still ahead.

Our approach

Protect the data customers trust us with.

Ironact builds AI marketing products that connect to real brand and campaign data. We treat that data as something we are borrowing, not something we own. Our goal is simple: collect the minimum we need, keep it secure, be transparent about how it moves, and give customers a clear way to reach us with questions or concerns.

What this page is

This is a plain description of our current practices, not a marketing badge. Where we have a control in place, we say so. Where something is on our roadmap rather than in place today, we say that too. If you need more detail than what is here, you can request an enterprise security review at contact@ironact.net.

Data handling

What we collect

We collect only what a product needs to do its job: account details, the brand and campaign data you connect, and product usage telemetry. We do not sell customer data, and we do not use your brand data to train models for other customers.

Encryption

Data is encrypted in transit with TLS and encrypted at rest by our cloud providers. Secrets and access tokens are stored in managed secret stores, never in plaintext in our source code.

Access controls

Production access is limited to the engineers who need it, protected by strong authentication and scoped to the task at hand. We follow the principle of least privilege and review access as roles change.

Isolation

Customer data is logically separated per account, and internal environments are kept apart from production. We aim to minimize how long we retain data beyond what a product requires.

Infrastructure

Built on reputable cloud providers.

We run on established cloud platforms rather than self-managed hardware, so we inherit their physical security, network isolation, and redundancy. Services are separated across networks so that a public-facing surface cannot reach internal systems directly. Data is backed up so it can be recovered, and we monitor our systems for availability and unusual activity.

Subprocessors

To operate our products we rely on a small set of trusted third-party providers, in categories such as cloud hosting and storage, product analytics, and transactional email. We choose vendors with their own recognized security programs and share only the data each one needs to perform its function.

A current list of our subprocessors is available on request at contact@ironact.net.

Compliance posture

Honest about where we are.

We design our data practices to align with the principles of the EU GDPR and Korea PIPA: lawful and transparent processing, data minimization, purpose limitation, and honoring data subject rights. As a company operating from San Francisco and Seoul, we take both frameworks seriously.

We do not currently hold SOC 2, ISO 27001, or ISMS certification, and we will not claim otherwise. Formal certification is on our roadmap as we grow. In the meantime, enterprise customers can request a security review, and we are happy to complete questionnaires, at contact@ironact.net.

Vulnerability reporting

If you believe you have found a security vulnerability in any Ironact product, we want to hear from you. Please report it to us at contact@ironact.net with enough detail to reproduce the issue.

We support responsible disclosure. Please give us a reasonable window to investigate and remediate before making anything public, and avoid accessing or modifying other people's data while testing. We will acknowledge reports and keep you updated as we work through them.

Questions about security?

Reach our team for security reviews, subprocessor lists, or anything else about how we handle your data.

Contact us