// Trust & Security Report

    Iris AI AS (Iris.ai) logo

    Iris AI AS (Iris.ai)

    AI Knowledge Foundation for regulated enterprises (Axion, Neuralith, RSpace)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    Axion is ISO 27001-certified, GDPR-compliant, and supports on-premise or private cloud deployment with encryption, role-based access control, and full audit logging.

    Verify on iris.ai
    GDPR (compliance posture, not a certification)
    HELD

    fully in line with the provisions of the General Data Protection Regulation (GDPR) 2016/679, currently in force within the European Economic Area (EEA)

    Verify on iris.ai
    SOC 2 Type II
    HELD

    Conflicting signal: third-party search aggregators describe Axion as 'SOC 2 Type II compliant', but a direct fetch of the vendor's own Axion page surfaced only ISO 27001 and GDPR, with no verbatim SOC 2 claim. No SOC 2 report or attestation is published on iris.ai. Treated as unverified rather than held.

    Verify on iris.ai
    HIPAA
    HELD

    No HIPAA claim found on any iris.ai page. Vendor targets EU regulated industries (pharma, energy, public sector) rather than US healthcare PHI specifically.

    Verify on iris.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    EU only: 'All data collected by IRIS.AI is stored electronically in Ireland and Germany, Europe' (AWS, EEA). OAuth2 tokens 'stored in encrypted form on our servers located in the EEA.' International transfers use EU Commission standard contractual clauses.

    Axion product page states 'Data is never used to train general models and always remains with the client.' The Terms of Service confirm customer ownership: 'We claim no intellectual property rights over the material you provide to the Service... Your profile, content and materials uploaded remain yours.' Note: ToS also says 'all training datasets generated in the Service belong to Iris.ai' (i.e. Iris.ai owns derived/structured training datasets created inside the platform, while raw customer content stays the customer's). No statement found that customer business data trains shared/general models.

    // Security controls

    Encryption

    Stated for Axion ('encryption, role-based access control, and full audit logging'); OAuth tokens stored encrypted at rest in EEA. No explicit TLS/AES key-length detail published.

    iris.ai

    Access control

    Role-based access control (RBAC) for Axion; 'granular permissions' and 'full data separation' referenced in product/marketing material.

    iris.ai

    Audit logging

    Full audit logging stated for Axion; governance and source traceability marketed as first-class features.

    iris.ai

    Deployment / data isolation

    Self-hostable: 'SaaS, dedicated SaaS instances, private cloud, and on-premise solutions.' Suitable for air-gapped/strict environments; cited NATO and pharma clients.

    iris.ai

    Penetration testing

    unknown - no explicit pentest disclosure. Privacy policy describes 'a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures' (generic GDPR Art. 32 wording), not a named pentest or report.

    iris.ai

    Bug bounty

    none found - no HackerOne or Bugcrowd program or security.txt disclosed on iris.ai.

    iris.ai

    Subprocessors

    Disclosed in privacy policy: AWS (hosting, EU), Stripe, Google Pay, Link, Google Analytics, HubSpot, Escalon Services Norway AS. Payment card data not collected/processed by Iris.ai directly.

    iris.ai

    // Products & data scope

    AxionAI data extraction & contextualization / knowledge-graph platform

    data: Ingests structured + unstructured enterprise documents (PDF native & scanned, Word, Excel, PowerPoint), 68+ languages, into machine-readable structured knowledge. ISO 27001-certified, GDPR-compliant, encryption + RBAC + audit logging, on-prem or private cloud. Available on AWS Marketplace.

    Most strongly documented product for compliance claims. The explicit 'data never trains general models' and ISO 27001 statements live on this product's page.

    NeuralithEnterprise knowledge -> AI engine (RAG / LLM evaluation & compliance layer)

    data: Turns enterprise knowledge into a grounded AI engine with LLM evaluation and governance. Product page renders mostly navigation; security specifics inherited from platform-level posture rather than separately documented.

    Compliance scope not independently documented on its own page; assume same EU hosting + platform controls as Axion, but not separately verified.

    RSpaceR&D research workspace / multi-RAG retrieval for science & innovation teams

    data: Precision retrieval over scientific literature, clinical and patent data. Multi-RAG system deployable as SaaS, dedicated SaaS, private cloud, or on-premise. Cited clients with stringent needs include NATO and pharma/engineering firms.

    Strongest deployment-flexibility / data-isolation story; '9+ years handling sensitive data at scale.'

    // What to watch

    • Conflicting SOC 2 signal: search aggregators say 'SOC 2 Type II' for Axion, but no verbatim SOC 2 claim was confirmed on iris.ai's own pages. Recorded as unknown, not held.
    • Name-collision risk: a separate, unrelated company 'Iris AI' at heyiris.ai (an AI SOC / security-operations product) appears in search and references SOC 2; do NOT attribute its claims to iris.ai. Also unrelated: Irisity, IRIS IMS, IRIS Connect, Iris ID.
    • No dedicated trust center / security portal; compliance claims are scattered across product pages and the privacy policy.
    • No published bug-bounty program or explicit penetration-test attestation.
    • DPA not found as a standalone document, though a named DPO (Victor Botev, victor@iris.ai) and GDPR Art. 28/32 measures are described; a DPA is likely available on request for enterprise customers.

    // At a glance

    Pricing model

    Enterprise / sales-led (request a demo); also listed on AWS Marketplace. No public self-serve pricing.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Iris AI AS (Iris.ai)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    iris.ai

    > Browse all vendor trust reports