// Trust & Security Report
Ironclad, Inc.
AI Contract Lifecycle Management (CLM) platform; sub-products include Ironclad CLM, Ironclad AI (Jurist AI assistant), Ironclad Signature (eSignature), and Ironclad ClickWrap (API-driven clickwrap agreements)
Certifications held
10
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ironcladapp.com“Routine audits to receive a certified 3rd party SOC 1 & SOC 2 Type II report, certifying against multiple Trust Categories which include security, availability, confidentiality, and privacy. Trust portal lists SOC 2 as a held report; SOC 2 report date (per the SafeBase trust portal) is reported as 2024-11-15.”
Verify on ironcladapp.com“Routine audits to receive a certified 3rd party SOC 1 & SOC 2 Type II report. Trust portal lists SOC 1 and SOC 1 Type 2 as held reports; SOC 1 report date (per the SafeBase trust portal) is reported as 2024-11-15.”
Verify on ironcladapp.com“ISO 27001/17/18 compliant. Trust portal lists ISO/IEC 27001 as a held certification. Vanta case study: 'successfully achieved their ISO 27001 certification' in their first year with Vanta (achieved ~2022).”
Verify on ironcladapp.com“ISO 27001/17/18 compliant. Trust portal explicitly lists ISO/IEC 27017:2015. Vanta case study: 'by spring 2023, they expanded their certifications to include ISO 27017, 27018, and 27701.'”
Verify on ironcladapp.com“ISO 27001/17/18 compliant. Trust portal explicitly lists ISO/IEC 27018:2019. Vanta case study: 'by spring 2023, they expanded their certifications to include ISO 27017, 27018, and 27701.'”
Verify on security.ironcladapp.com“Trust portal explicitly lists ISO/IEC 27701 as a held certification. Ironclad support documentation states: 'Ironclad's Signature product is in scope for Ironclad's ISO 27001, 27701, 27017, and 27018 certifications.' Note: scope may be specific to Ironclad Signature sub-product.”
Verify on ironcladapp.com“Ironclad's GDPR compliance program includes Standard Contractual Clauses in conjunction with its Data Processing Addendum. For transfers of customer personal data out of the EEA, the 2021 Standard Contractual Clauses apply. Trust portal lists GDPR as a held compliance item.”
Verify on ironcladapp.com“We also comply with US HIPAA to keep PII and PHI data safe. IT product page: 'SOC2 Type II, ISO 27001, GDPR, and HIPAA certifications.' Trust portal lists HIPAA. HIPAA BAA availability for enterprise customers should be confirmed via DPA.”
Verify on ironcladapp.com“Our security team participates in monthly and annual security calls with the CSA...Trusted Provider status at Star Level One. Publishes public Consensus Assessments Initiative Questionnaire (CAIQ). Trust portal lists both CSA STAR and CSA Trusted Cloud Provider.”
Verify on security.ironcladapp.com“Trust portal lists CCPA as a held compliance item. Privacy policy (legal.ironcladapp.com/privacy-policy) includes a CA Privacy Notice and Do Not Sell My Information option. Privacy policy explicitly references CCPA.”
> Show 4 unconfirmed / not-held certifications
source: ironcladapp.comNo mention of FedRAMP on ironcladapp.com/product/security/ or security.ironcladapp.com. Microsoft 365 App Certification (self-attested by Ironclad, October 2025): 'Is the app FedRAMP compliant? No.'
source: ironcladapp.comNo mention of HITRUST on Ironclad's security page or trust portal. Microsoft 365 App Certification (self-attested by Ironclad, October 2025): 'Does the app comply with HITRUST CSF? No.'
source: ironcladapp.comIronclad security page notes 'All of our public cloud vendors are certified under SOC 2, ISO 27001, and PCI DSS.' This is the cloud host's (GCP) certification, not Ironclad's own. Microsoft 365 App Certification: PCI DSS annual assessments listed as N/A. No vendor-domain evidence of Ironclad's own PCI DSS certification.
source: security.ironcladapp.comNo public evidence of ISO/IEC 42001 certification on Ironclad's trust center, security page, or IT product page as of June 2026.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (Google Cloud Platform) for core CLM production servers. No confirmed multi-region or EU data residency option for the core CLM product. An Ironclad EU variant exists for Microsoft Teams integration. GDPR cross-border transfers covered by 2021 SCCs.
Ironclad does not train on customer data by default. The AI page states 'Ironclad's AI NEVER exposes sensitive or identifiable information from your contracts' and enforces strict 'zero data retention' policies with third-party LLM providers. Customers may voluntarily opt-in to aggregate data sharing to improve Ironclad's global AI models. Full opt-out controls are available. An AI Addendum is published in the legal center at legal.ironcladapp.com. Terms of Service explicitly prohibit customers from using Ironclad's service content for ML/AI training purposes.
// Security controls
Customer-managed encryption
Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options available for enterprise customers
ironcladapp.comInfrastructure
US-hosted Google Cloud Platform; multi-zone deployment for outage protection
ironcladapp.comMFA
Enabled for code repositories, DNS management, and credential access (self-attested via Microsoft 365 App Certification)
ironcladapp.comIncident response
Formal security incident response process; breach notification to supervisory authorities and affected individuals within 72 hours of detection
ironcladapp.com// Products & data scope
data: Contract content, counterparty PII, company-confidential deal terms, workflow and approval data
Core platform; covered under SOC 2 Type II and ISO 27001 certifications. Gartner and Forrester Leader (2025).
data: Contract content, clause data; zero data retention enforced with third-party LLM providers
Does not train on customer data by default. Optional opt-in for aggregate model improvement. AI Addendum governs usage terms.
data: Signatory PII, signature events, executed document content
Explicitly cited as in scope for ISO 27001, 27701, 27017, and 27018 certifications. Covered under annual SOC 1 and SOC 2 Type II audits.
data: Click-acceptance events, user identifiers, agreement versions
API-first product governed by separate ClickWrap API Terms of Use in the legal center.
// What to watch
- ISO cert scope ambiguity: Ironclad support documentation explicitly states 'Ironclad's Signature product is in scope for Ironclad's ISO 27001, 27701, 27017, and 27018 certifications.' It is unclear whether this scoping language means ONLY Signature is in scope for the ISO certs, or whether Signature is cited as an example of an in-scope product. The security page and trust portal present the ISO certs as applying to Ironclad generally. AIFOXX should request the actual certificate scope statement from the trust portal (security.ironcladapp.com) before listing ISO certs as covering the entire product suite.
- AI training opt-in: Customers can voluntarily opt-in to aggregate data sharing to improve Ironclad's global AI models. This opt-in should be disclosed in enterprise procurement conversations and reviewed in the AI Addendum document.
- Data residency limited to US (GCP) by default: No confirmed EU or multi-region data residency option for the core CLM product. An Ironclad EU variant exists for Teams integration only. Customers with GDPR data-residency mandates should confirm data location explicitly in their DPA.
- PCI DSS host vs vendor: The security page references PCI DSS certification for Ironclad's cloud vendors (GCP), not for Ironclad itself. Do not list PCI DSS as an Ironclad certification; it belongs to the infrastructure provider.
// At a glance
Pricing model
Enterprise subscription; no public pricing (demo required); enterprise contracts via Enterprise Services Agreement
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ironclad, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.ironcladapp.com