Security at IRONFEED — Enterprise-Grade Data Protection
How IRONFEED protects your product data and keeps your feeds running 24/7. We treat security and reliability as core product features, not afterthoughts.
Data Encryption
Encryption in Transit (TLS 1.3)
All traffic to and from IRONFEED is encrypted with TLS 1.3, including API calls, dashboard sessions and outbound feed deliveries to Google, Meta, TikTok and other channels.
Encryption at Rest (AES-256)
Databases, object storage and backups are encrypted at rest with AES-256. Backups are encrypted independently and stored across multiple availability zones.
Key Management & Rotation
Encryption keys are managed by our cloud provider's KMS. Keys are rotated automatically on a regular schedule. No engineer has direct access to raw key material.
Access Controls
Role-Based Access Control (RBAC)
Granular roles (Admin, Manager, Viewer) on every account. Permissions are enforced server-side at the database row level via Row-Level Security policies.
Single Sign-On (SAML 2.0)
Enterprise customers can connect their identity provider (Okta, Azure AD, Google Workspace, JumpCloud) over SAML 2.0, with SCIM provisioning available on request.
Two-Factor Authentication (2FA)
2FA via TOTP authenticator apps is available on all plans and can be enforced organization-wide by admins on Pro and Enterprise.
Infrastructure & Reliability
Multi-AZ Cloud Redundancy
IRONFEED runs on a major cloud provider with multi-AZ redundancy. Database replicas, object storage and edge workers are distributed across multiple availability zones.
99.9% Uptime SLA
We target 99.9% uptime with a contractual SLA on Enterprise plans. Live status, incident history and post-mortems are published on our system status page.
Infrastructure-as-Code & Peer Review
Every infrastructure change is defined as code, peer-reviewed and deployed through automated pipelines. No manual production access without two-person approval.
Data Retention & Portability
Customer data is retained for the life of your account. On cancellation, all data is deleted within 30 days. You can export your configuration, mapping rules and feed history at any time in standard JSON and CSV formats — no lock-in.
GDPR Compliance & DPAs
IRONFEED is GDPR compliant. We act as a data processor for the product data you import. Our privacy policy details how we handle personal data. A Data Processing Agreement (DPA) is included by default for Enterprise customers and available on request for all other plans.
Responsible Disclosure Program
We welcome reports from the security community. Please email security@ironfeed.app with detailed reproduction steps. We acknowledge all reports within 48 hours and keep you informed throughout remediation. Responsible reporters are credited in our hall of fame (with consent).
Frequently Asked Questions
Is IRONFEED SOC 2 compliant?
We are working toward SOC 2 Type II. Our controls already align with the Trust Services Criteria — encryption, access management, change management and monitoring. Enterprise customers can request our current security questionnaire and roadmap.
Where is customer data stored?
Customer data is stored in EU regions (Frankfurt and Dublin) by default, with multi-AZ redundancy. US-region hosting is available for Enterprise customers on request.
Can I request a DPA?
Yes. A Data Processing Agreement is included by default for Enterprise plans and available on request for all other plans. Email legal@ironfeed.app to receive our standard DPA.