// Trust & Security Report
Iris AI AS (Iris.ai)
AI Knowledge Foundation for regulated enterprises (Axion, Neuralith, RSpace)
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on iris.ai“Axion is ISO 27001-certified, GDPR-compliant, and supports on-premise or private cloud deployment with encryption, role-based access control, and full audit logging.”
Verify on iris.ai“fully in line with the provisions of the General Data Protection Regulation (GDPR) 2016/679, currently in force within the European Economic Area (EEA)”
Verify on iris.ai“Conflicting signal: third-party search aggregators describe Axion as 'SOC 2 Type II compliant', but a direct fetch of the vendor's own Axion page surfaced only ISO 27001 and GDPR, with no verbatim SOC 2 claim. No SOC 2 report or attestation is published on iris.ai. Treated as unverified rather than held.”
Verify on iris.ai“No HIPAA claim found on any iris.ai page. Vendor targets EU regulated industries (pharma, energy, public sector) rather than US healthcare PHI specifically.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
EU only: 'All data collected by IRIS.AI is stored electronically in Ireland and Germany, Europe' (AWS, EEA). OAuth2 tokens 'stored in encrypted form on our servers located in the EEA.' International transfers use EU Commission standard contractual clauses.
Axion product page states 'Data is never used to train general models and always remains with the client.' The Terms of Service confirm customer ownership: 'We claim no intellectual property rights over the material you provide to the Service... Your profile, content and materials uploaded remain yours.' Note: ToS also says 'all training datasets generated in the Service belong to Iris.ai' (i.e. Iris.ai owns derived/structured training datasets created inside the platform, while raw customer content stays the customer's). No statement found that customer business data trains shared/general models.
// Security controls
Encryption
Stated for Axion ('encryption, role-based access control, and full audit logging'); OAuth tokens stored encrypted at rest in EEA. No explicit TLS/AES key-length detail published.
iris.aiAccess control
Role-based access control (RBAC) for Axion; 'granular permissions' and 'full data separation' referenced in product/marketing material.
iris.aiAudit logging
Full audit logging stated for Axion; governance and source traceability marketed as first-class features.
iris.aiDeployment / data isolation
Self-hostable: 'SaaS, dedicated SaaS instances, private cloud, and on-premise solutions.' Suitable for air-gapped/strict environments; cited NATO and pharma clients.
iris.aiPenetration testing
unknown - no explicit pentest disclosure. Privacy policy describes 'a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures' (generic GDPR Art. 32 wording), not a named pentest or report.
iris.aiBug bounty
none found - no HackerOne or Bugcrowd program or security.txt disclosed on iris.ai.
iris.aiSubprocessors
Disclosed in privacy policy: AWS (hosting, EU), Stripe, Google Pay, Link, Google Analytics, HubSpot, Escalon Services Norway AS. Payment card data not collected/processed by Iris.ai directly.
iris.ai// Products & data scope
data: Ingests structured + unstructured enterprise documents (PDF native & scanned, Word, Excel, PowerPoint), 68+ languages, into machine-readable structured knowledge. ISO 27001-certified, GDPR-compliant, encryption + RBAC + audit logging, on-prem or private cloud. Available on AWS Marketplace.
Most strongly documented product for compliance claims. The explicit 'data never trains general models' and ISO 27001 statements live on this product's page.
data: Turns enterprise knowledge into a grounded AI engine with LLM evaluation and governance. Product page renders mostly navigation; security specifics inherited from platform-level posture rather than separately documented.
Compliance scope not independently documented on its own page; assume same EU hosting + platform controls as Axion, but not separately verified.
data: Precision retrieval over scientific literature, clinical and patent data. Multi-RAG system deployable as SaaS, dedicated SaaS, private cloud, or on-premise. Cited clients with stringent needs include NATO and pharma/engineering firms.
Strongest deployment-flexibility / data-isolation story; '9+ years handling sensitive data at scale.'
// What to watch
- Conflicting SOC 2 signal: search aggregators say 'SOC 2 Type II' for Axion, but no verbatim SOC 2 claim was confirmed on iris.ai's own pages. Recorded as unknown, not held.
- Name-collision risk: a separate, unrelated company 'Iris AI' at heyiris.ai (an AI SOC / security-operations product) appears in search and references SOC 2; do NOT attribute its claims to iris.ai. Also unrelated: Irisity, IRIS IMS, IRIS Connect, Iris ID.
- No dedicated trust center / security portal; compliance claims are scattered across product pages and the privacy policy.
- No published bug-bounty program or explicit penetration-test attestation.
- DPA not found as a standalone document, though a named DPO (Victor Botev, victor@iris.ai) and GDPR Art. 28/32 measures are described; a DPA is likely available on request for enterprise customers.
// At a glance
Pricing model
Enterprise / sales-led (request a demo); also listed on AWS Marketplace. No public self-serve pricing.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Iris AI AS (Iris.ai)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
iris.ai