// Trust & Security Report

    Ironclad, Inc. logo

    Ironclad, Inc.

    AI Contract Lifecycle Management (CLM) platform; sub-products include Ironclad CLM, Ironclad AI (Jurist AI assistant), Ironclad Signature (eSignature), and Ironclad ClickWrap (API-driven clickwrap agreements)

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Routine audits to receive a certified 3rd party SOC 1 & SOC 2 Type II report, certifying against multiple Trust Categories which include security, availability, confidentiality, and privacy. Trust portal lists SOC 2 as a held report; SOC 2 report date (per the SafeBase trust portal) is reported as 2024-11-15.

    Verify on ironcladapp.com
    SOC 1 Type II
    HELD

    Routine audits to receive a certified 3rd party SOC 1 & SOC 2 Type II report. Trust portal lists SOC 1 and SOC 1 Type 2 as held reports; SOC 1 report date (per the SafeBase trust portal) is reported as 2024-11-15.

    Verify on ironcladapp.com
    ISO/IEC 27001
    HELD

    ISO 27001/17/18 compliant. Trust portal lists ISO/IEC 27001 as a held certification. Vanta case study: 'successfully achieved their ISO 27001 certification' in their first year with Vanta (achieved ~2022).

    Verify on ironcladapp.com
    ISO/IEC 27017:2015
    HELD

    ISO 27001/17/18 compliant. Trust portal explicitly lists ISO/IEC 27017:2015. Vanta case study: 'by spring 2023, they expanded their certifications to include ISO 27017, 27018, and 27701.'

    Verify on ironcladapp.com
    ISO/IEC 27018:2019
    HELD

    ISO 27001/17/18 compliant. Trust portal explicitly lists ISO/IEC 27018:2019. Vanta case study: 'by spring 2023, they expanded their certifications to include ISO 27017, 27018, and 27701.'

    Verify on ironcladapp.com
    ISO/IEC 27701
    HELD

    Trust portal explicitly lists ISO/IEC 27701 as a held certification. Ironclad support documentation states: 'Ironclad's Signature product is in scope for Ironclad's ISO 27001, 27701, 27017, and 27018 certifications.' Note: scope may be specific to Ironclad Signature sub-product.

    Verify on security.ironcladapp.com
    GDPR
    HELD

    Ironclad's GDPR compliance program includes Standard Contractual Clauses in conjunction with its Data Processing Addendum. For transfers of customer personal data out of the EEA, the 2021 Standard Contractual Clauses apply. Trust portal lists GDPR as a held compliance item.

    Verify on ironcladapp.com
    HIPAA
    HELD

    We also comply with US HIPAA to keep PII and PHI data safe. IT product page: 'SOC2 Type II, ISO 27001, GDPR, and HIPAA certifications.' Trust portal lists HIPAA. HIPAA BAA availability for enterprise customers should be confirmed via DPA.

    Verify on ironcladapp.com
    CSA STAR
    HELD

    Our security team participates in monthly and annual security calls with the CSA...Trusted Provider status at Star Level One. Publishes public Consensus Assessments Initiative Questionnaire (CAIQ). Trust portal lists both CSA STAR and CSA Trusted Cloud Provider.

    Verify on ironcladapp.com
    CCPA
    HELD

    Trust portal lists CCPA as a held compliance item. Privacy policy (legal.ironcladapp.com/privacy-policy) includes a CA Privacy Notice and Do Not Sell My Information option. Privacy policy explicitly references CCPA.

    Verify on security.ironcladapp.com
    > Show 4 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP on ironcladapp.com/product/security/ or security.ironcladapp.com. Microsoft 365 App Certification (self-attested by Ironclad, October 2025): 'Is the app FedRAMP compliant? No.'

    source: ironcladapp.com
    HITRUST CSF
    NOT CONFIRMED

    No mention of HITRUST on Ironclad's security page or trust portal. Microsoft 365 App Certification (self-attested by Ironclad, October 2025): 'Does the app comply with HITRUST CSF? No.'

    source: ironcladapp.com
    PCI DSS
    NOT CONFIRMED

    Ironclad security page notes 'All of our public cloud vendors are certified under SOC 2, ISO 27001, and PCI DSS.' This is the cloud host's (GCP) certification, not Ironclad's own. Microsoft 365 App Certification: PCI DSS annual assessments listed as N/A. No vendor-domain evidence of Ironclad's own PCI DSS certification.

    source: ironcladapp.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification on Ironclad's trust center, security page, or IT product page as of June 2026.

    source: security.ironcladapp.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (Google Cloud Platform) for core CLM production servers. No confirmed multi-region or EU data residency option for the core CLM product. An Ironclad EU variant exists for Microsoft Teams integration. GDPR cross-border transfers covered by 2021 SCCs.

    Ironclad does not train on customer data by default. The AI page states 'Ironclad's AI NEVER exposes sensitive or identifiable information from your contracts' and enforces strict 'zero data retention' policies with third-party LLM providers. Customers may voluntarily opt-in to aggregate data sharing to improve Ironclad's global AI models. Full opt-out controls are available. An AI Addendum is published in the legal center at legal.ironcladapp.com. Terms of Service explicitly prohibit customers from using Ironclad's service content for ML/AI training purposes.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher

    ironcladapp.com

    Encryption at rest

    AES-256

    ironcladapp.com

    Customer-managed encryption

    Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) options available for enterprise customers

    ironcladapp.com

    Infrastructure

    US-hosted Google Cloud Platform; multi-zone deployment for outage protection

    ironcladapp.com

    Penetration testing

    Annual third-party penetration testing

    ironcladapp.com

    Vulnerability scanning

    Quarterly vulnerability scanning

    ironcladapp.com

    Disaster recovery

    Semi-annual DR testing with defined RTO and RPO

    ironcladapp.com

    Security grades

    SecurityScorecard: A, ImmuniWeb: A, Qualys SSL Labs: A+

    security.ironcladapp.com

    MFA

    Enabled for code repositories, DNS management, and credential access (self-attested via Microsoft 365 App Certification)

    ironcladapp.com

    Incident response

    Formal security incident response process; breach notification to supervisory authorities and affected individuals within 72 hours of detection

    ironcladapp.com

    IDPS

    Intrusion Detection and Prevention System deployed at network perimeter

    ironcladapp.com

    // Products & data scope

    Ironclad CLMContract Lifecycle Management

    data: Contract content, counterparty PII, company-confidential deal terms, workflow and approval data

    Core platform; covered under SOC 2 Type II and ISO 27001 certifications. Gartner and Forrester Leader (2025).

    Ironclad AI / JuristAI assistant for contract drafting, redlining, and analysis

    data: Contract content, clause data; zero data retention enforced with third-party LLM providers

    Does not train on customer data by default. Optional opt-in for aggregate model improvement. AI Addendum governs usage terms.

    Ironclad SignatureeSignature

    data: Signatory PII, signature events, executed document content

    Explicitly cited as in scope for ISO 27001, 27701, 27017, and 27018 certifications. Covered under annual SOC 1 and SOC 2 Type II audits.

    Ironclad ClickWrapClickwrap agreement management / API

    data: Click-acceptance events, user identifiers, agreement versions

    API-first product governed by separate ClickWrap API Terms of Use in the legal center.

    // What to watch

    • ISO cert scope ambiguity: Ironclad support documentation explicitly states 'Ironclad's Signature product is in scope for Ironclad's ISO 27001, 27701, 27017, and 27018 certifications.' It is unclear whether this scoping language means ONLY Signature is in scope for the ISO certs, or whether Signature is cited as an example of an in-scope product. The security page and trust portal present the ISO certs as applying to Ironclad generally. AIFOXX should request the actual certificate scope statement from the trust portal (security.ironcladapp.com) before listing ISO certs as covering the entire product suite.
    • AI training opt-in: Customers can voluntarily opt-in to aggregate data sharing to improve Ironclad's global AI models. This opt-in should be disclosed in enterprise procurement conversations and reviewed in the AI Addendum document.
    • Data residency limited to US (GCP) by default: No confirmed EU or multi-region data residency option for the core CLM product. An Ironclad EU variant exists for Teams integration only. Customers with GDPR data-residency mandates should confirm data location explicitly in their DPA.
    • PCI DSS host vs vendor: The security page references PCI DSS certification for Ironclad's cloud vendors (GCP), not for Ironclad itself. Do not list PCI DSS as an Ironclad certification; it belongs to the infrastructure provider.

    // At a glance

    Pricing model

    Enterprise subscription; no public pricing (demo required); enterprise contracts via Enterprise Services Agreement

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ironclad, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.ironcladapp.com

    > Browse all vendor trust reports