Customers and reviewers use this Trust Center to understand how Iron Gorilla protects company and customer data, manages subprocessors, handles incidents, and maintains internal security controls.

Our internal security program focuses on access control, secure operations, vulnerability management, privacy commitments, vendor oversight, and clear security review paths for procurement teams.

Controls

Updated June 19, 2026
Policies
Data protection policy is documented
Security incident process is defined
Vendor and subprocessor review is covered by policy
Acceptable-use expectations are documented
Privacy responsibilities are assigned internally
Access Control
System access standards are in place
Access requests require documented approval
Privileged access is scoped to job responsibility
Access is reviewed when roles change
Offboarding includes access removal
Data Protection
Customer data handling expectations are documented
Sensitive access is limited to business need
Data retention and deletion paths are defined
Backups protect critical operating records
Production data use is reviewed for support need
Change Management
Production changes are tracked before release
Infrastructure changes are reviewed for risk
Emergency changes receive follow-up review
Release context is retained for review
Security-sensitive changes receive extra scrutiny
Secure Development
Code changes are reviewed before release
Protected branches gate production changes
Secrets are kept out of source control
Dependency changes are reviewed during delivery
Security-sensitive work keeps implementation context
Logging & Monitoring
Application errors route to monitoring
Cloud and edge events support investigation
Security-relevant activity is retained for review
Alerts route to responsible owners
Logs are used to support incident analysis
Incident Response
Security events are triaged by severity
Customer impact is assessed during review
Response owners and escalation paths are defined
Containment and remediation actions are tracked
Follow-up work is captured after resolution
Vulnerability Management
Security findings are triaged by severity
Dependency and platform updates are reviewed
Vulnerability reports route to security triage
Remediation work is tracked to closure
Security monitoring supports investigation
Business Continuity
Critical dependencies have named owners
Backup and restore expectations are documented
Operational contacts are maintained
Service-impacting events receive follow-up review
Continuity plans account for key providers

Subprocessors

Cloudflare: Edge hosting and customer support

Resend: Email delivery

Amazon Web Services: Application hosting

Microsoft 365: Business productivity and internal operations

Sentry: Logging and monitoring

Twilio: SMS and phone verification

Stripe: Payment processing

OpenAI: LLM API

Anthropic: LLM API

Grok: LLM API

Can we review private security documents?

Yes. Send a request from your company email and include the deal, procurement, or security-review context. We will share the appropriate packet directly.

Where should a vulnerability report go?

Send it to security@irongorilla.ai with the affected surface, reproduction steps, impact, and any supporting evidence. Please avoid accessing customer data while validating a report.

How technical is the security review?

We can keep the review at a business level for procurement teams or go deeper for security engineers who need hosting, access control, monitoring, subprocessor, and incident-response details.