Welcome to the IriusRisk Trust, Legal & Security Hub

Your trust is our priority. Here you'll find everything about how we protect your data, ensure security, and meet global compliance — all in one place.

Customer Subscription Terms

Explore the legal terms that govern the use of our IriusRisk product. We provide clear, easy-to-access subscription agreements tailored for customers in different regions. These agreements outline your rights and obligations when using our platform, including billing, service usage, and termination terms.

International / EU Customer Subscription
Applicable if your company is based outside of the United States, including in the European Union and other international locations.
North American / US Customer Subscription Terms
Applicable if your company is based in the United States or any other part of North America.

Security & Compliance

At IriusRisk, security is built into everything we do—from how we design our platform to how we operate as a company. As experts in threat modeling, we apply the same proactive, risk-based principles internally to protect our systems and data. We follow industry best practices, undergo independent audits, and commit to transparency at every level.

ISO 27001 Certification
Our ISO/IEC 27001 certification demonstrates that we maintain strong, independently audited controls to protect customer data across people, processes, and technology.
External Security Testing & Vulnerability Reporting
We welcome responsible testing from customers and the security community. Testing is allowed within your own domain and data, with DoS strictly prohibited. Notify us 30 days in advance and report findings to security@iriusrisk.com. We promptly review and address all valid reports.
Security by Design Pledge
IriusRisk is a proud signatory of the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Security by Design Pledge, reflecting our commitment to embed security throughout the software development lifecycle, minimize default risks, and lead with transparency.
IriusRisk Information Security Policy
IriusRisk is committed to protecting the confidentiality, integrity, and availability of its information assets by maintaining a robust Information Security Management System (ISMS) aligned with ISO/IEC 27001 and international best practices and guidance from organizations such as OWASP, CIS, INCIBE, and NCSC. The ISMS is supported at the highest levels of the organization and integrates information security principles into daily operations and company culture. The objectives of the ISMS are to:

- Strengthen security controls and procedures in response to evolving threats and compliance needs
- Prevent unauthorized access, alteration, or loss of critical information
- Minimize the risk of security incidents through proactive monitoring and incident response
- Ensure the continuity of business operations
- Promote a strong security culture through ongoing training and awareness initiatives

Privacy & Data Protection

We are deeply committed to handling personal data responsibly, securely, and in compliance with global data protection laws. This section provides access to our data processing agreements (DPAs), details on our subprocessors, and privacy-related documents to help you understand how we manage data throughout our operations.

International / EU Data Processing Agreement (DPA) + Standard Contractual Clauses (SCCs)
This DPA applies if your company is based outside of the United States, including in the European Union and other international jurisdictions. It outlines our roles and responsibilities as a data processor and includes Standard Contractual Clauses (SCCs) for lawful international data transfers under GDPR and other applicable laws, and describes the security measures we implement to protect personal data.
North American / US Data Processing Agreement (DPA)
This DPA is applicable if your company is based in the United States or elsewhere in North America.

It defines our data protection obligations, including how we handle personal data, the roles of the parties, and the security measures we implement to protect that data.
List of authorized subprocessors
We maintain a current list of third-party subprocessors that may process personal data on our behalf in connection with the delivery of our services.

The list includes their purpose and geographic location, ensuring transparency for our customers.
IriusRisk Privacy Policy
The IriusRisk Privacy Policy applies to all IriusRisk websites and explains how we collect and use personal data when you interact with our sites—for example, by requesting a demo, using the IriusRisk Community Edition, subscribing to communications, registering for events, applying for a job, or participating in hackathons. This policy does not cover personal data processed through use of the IriusRisk product.
IriusRisk website Cookie Policy
This policy explains how we use cookies and similar technologies on our public website for analytics, performance monitoring, and personalization.

Like the privacy policy, it is not relevant to customers using the IriusRisk platform, which does not rely on cookie-based tracking.

Service Status & Availability

Stay informed about the performance and reliability of the IriusRisk platform. This section includes our Enterprise Support site, which provides access to helpful resources, technical assistance, and documentation, all to ensure transparency and responsiveness.