00 Architecture overview

How we protect CUI.

US-only hosting, tenant-scoped keys, signed JWT claims, and zero operator access to tenant content.

  • US-only data plane
  • FedRAMP Moderate cloud path
  • FIPS 140-3 modules
  • zero operator access

01 Data residency

Your data never leaves the US.

IRONKEEP hosts customer data in the United States on FedRAMP Moderate authorized cloud infrastructure, administered by US citizens.

Tenant data is encrypted at rest and replicated across redundant databases and file storage with automatic failover inside the same US authorization boundary.

02 Identity and SSO

Customer identity stays in control.

Teams can use the IRONKEEP built-in identity provider with MFA, or connect a customer-owned identity provider through SAML, OIDC, and SCIM 2.0. Every authenticated API request carries tenant and user identity from signed JWT claims.

  • IRONKEEP identity: Built-in identity provider with MFA for teams that do not bring an external IdP.
  • SAML / OIDC: Federation with customer-owned identity providers, including Okta and Entra.
  • SCIM 2.0: Automated user and group lifecycle management.
  • MFA: Multi-factor enforcement through IRONKEEP identity or the customer identity layer.
  • Roles: Role-based access for users, tenant admins, compliance officers, and platform admins.
  • Recovery: Break-glass tenant recovery path for emergency access scenarios.
  • Signed claims: Tenant context comes from signed identity claims. Request parameters are ignored.

03 Encryption stack

Each access path gets its own layer.

Storage encryption, envelope encryption, and client-cache encryption protect different access paths using FIPS 140-3 validated cryptographic modules.

L1 Storage encryption

Databases and file storage are encrypted at rest with annually rotated, tenant-scoped encryption keys.

  • Crypto: AES-256 at rest
  • Key: Tenant encryption key
  • Control: Database + files

L2 Envelope encryption

Sensitive fields are encrypted before persistence with a tenant-bound data key.

  • Crypto: AES-256-GCM
  • Key: Per-operation data key
  • Control: Sensitive-field writes

L3 Client cache encryption

Local web-app cache is encrypted with a key derived from the user PIN.

  • Crypto: PBKDF2-HMAC-SHA-256
  • Key: User PIN-derived key
  • Control: Local cache

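
The L2 envelope layer, together with the tenant-specific encryption context that section 04 requires on every key-service call, as an added Go example (not IRONKEEP code): a fresh AES-256-GCM data key per write, wrapped under the tenant key with the tenant context bound as associated data, so a decrypt under another tenant's context fails before any content is unwrapped. The in-process tenant key, the "tenant_id=<id>" context format and the nonce-prefixed layout are assumptions standing in for the platform's key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Envelope struct{ WrappedDEK, Ciphertext []byte } // what is persisted for one sensitive field

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 32-byte key -> AES-256
	if err != nil {
		panic(err) // wrong key length is a programming error, not runtime input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return g
}

// seal prepends a random 96-bit nonce; aad carries the tenant encryption context.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// EncryptField wraps a fresh data key under the tenant key, with the tenant context as AAD on both layers.
func EncryptField(tenantKEK []byte, tenantID string, plaintext []byte) Envelope {
	dek := make([]byte, 32) // fresh per-operation data key
	rand.Read(dek)
	ctx := []byte("tenant_id=" + tenantID) // assumed encryption-context format
	return Envelope{seal(tenantKEK, dek, ctx), seal(dek, plaintext, ctx)}
}

// DecryptField fails at the unwrap step when the caller's tenant context differs.
func DecryptField(tenantKEK []byte, tenantID string, env Envelope) ([]byte, error) {
	ctx := []byte("tenant_id=" + tenantID)
	dek, err := open(tenantKEK, env.WrappedDEK, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, env.Ciphertext, ctx)
}
```

The check a reviewer would run: decrypt under tenant-a succeeds, decrypt under tenant-b returns an unwrap error, and two writes of the same field never share a wrapped key or ciphertext.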
04 Tenant isolation

One tenant's data can't reach another's.

  • Database queries: Every query is scoped to the requesting tenant.
  • Tenant keys: Each tenant has its own encryption key for all tenant data.
  • Encryption context: Every key-service encrypt/decrypt call includes tenant-specific context.
  • Auth claims: Tenant identity is read from signed JWT claims.
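
Tenant context from signed JWT claims, as this list and the Signed claims item in section 02 describe, as an added Go example (not IRONKEEP code): the token is verified first, and the data-access scope is built from the verified claims alone, so a tenant value supplied in the request has no effect. HS256 with a shared secret, the claim names sub and tenant_id, and the constructed secret are assumptions; a production verifier would use the identity provider's published signing keys with the same pinned-algorithm rule.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims are the signed identity claims the platform reads tenant context from.
type Claims struct {
	Sub      string `json:"sub"`
	TenantID string `json:"tenant_id"`
	Exp      int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding
func sign(signingInput string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// SignHS256 mints a token the way an IdP would; it exists here only to build sample input.
func SignHS256(c Claims, secret []byte) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return in + "." + sign(in, secret)
}

// VerifyHS256 pins HS256 server-side (the header's alg is never consulted), checks the signature in constant time, then expiry.
func VerifyHS256(token string, secret []byte, now int64) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(parts[2]), []byte(sign(parts[0]+"."+parts[1], secret))) {
		return Claims{}, errors.New("malformed token or bad signature")
	}
	var c Claims
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil || c.Exp <= now || c.TenantID == "" {
		return Claims{}, errors.New("unreadable, expired, or tenant-less claims")
	}
	return c, nil
}

// TenantFilter builds the data-access scope from verified claims only; requestTenant is accepted purely to show it is ignored.
func TenantFilter(c Claims, requestTenant string) map[string]string {
	return map[string]string{"tenant_id": c.TenantID, "owner": c.Sub}
}
```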

05 Role model

Access splits into four bounded roles.

  • R1 Platform Operator: Tenant records and infrastructure. No tenant data.
  • R2 Tenant Admin: Tenant-scoped users, DLP, geo-fencing, and access policies.
  • R3 Compliance Officer: Legal holds and eDiscovery exports scoped to the tenant.
  • R4 User: Own mailbox, calendar, contacts, files, docs, and chat.

06 Operator access

Zero operator access to tenant content.

Operation                             IRONKEEP staff
Manage tenant records and metadata    Permitted
Create console-only accounts          Permitted
Configure infrastructure              Permitted
Create product users                  Denied
Read decrypted tenant content         Denied
Run tenant decrypt operations         Denied
Generate tenant search tokens         Denied

07 Browser and API protection

Requests are constrained at the edge.

Browser and API controls reduce the attack surface before requests reach application logic. They add enforcement around authentication, authorization, and encryption.

  • Transport: TLS 1.2+ protects data in transit.
  • Content policy: Strict CSP limits scripts, images, frames, and API call origins.
  • Frame controls: Frame restrictions reduce clickjacking risk.
  • Rate limits: Authenticated and unauthenticated API traffic is rate limited.
  • Network policy: Optional IP allowlisting and geo-fencing by country or CIDR range.
  • Error hygiene: Sanitized errors avoid leaking account or session state.

08 Email security

Every message is inspected, whichever way it flows.

Inbound, outbound, and internal routing are separate control points. Accept, quarantine, block, and route decisions are audit-logged.

  • Inbound: Checked before it reaches the inbox. SPF, DKIM, and DMARC validation, then malware scanning and quarantine, then encrypted delivery.
  • Outbound: DLP and malware scanning. Deny rules evaluate first; actions can block, quarantine, flag, or allow delivery.
  • Internal: Internal route classification. Messages between IRONKEEP users route inside the platform, then enter the audit log.

09 DLP and classification

Policy checks before data leaves.

Outbound messages, attachments, file actions, document exports, and chat attachments can be evaluated against tenant policy before delivery or download.

  • Email: Send, reply, forward, and attachment upload checks.
  • Files: Share, download, preview, export, and print checks.
  • Docs: Collaborative document export checks.
  • Chat: Message posting and attachment upload checks.
  • Cache lock: Content access is blocked while the local encrypted cache is locked.
  • Fail closed: Protected actions fail closed when policy evaluation is unavailable or unknown.
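
The deny-first ordering from section 08 and the fail-closed rule above, as an added Go example (not IRONKEEP's policy engine): block and quarantine rules are evaluated before flag and allow rules regardless of list order, a rule set that could not be loaded blocks the action, and a rule carrying an action the engine does not recognise also blocks rather than falling through. Regex matching, the verdict names and the Decision shape are assumptions made to keep the behaviour concrete; the decision record carries the rule name, not the content, matching what sections 13 and 14 say is logged.

```go
package main

import "regexp"

type Verdict string

const (
	Block      Verdict = "block"
	Quarantine Verdict = "quarantine"
	Flag       Verdict = "flag"
	Allow      Verdict = "allow"
)

// Rule is one tenant policy rule; block and quarantine are the deny-class actions.
type Rule struct {
	Name   string
	Match  *regexp.Regexp
	Action Verdict
}

// Decision is what gets audit-logged: verdict and rule name, never the content itself.
type Decision struct {
	Verdict Verdict
	Rule    string
}

func isDeny(v Verdict) bool { return v == Block || v == Quarantine }
func known(v Verdict) bool  { return isDeny(v) || v == Flag || v == Allow }

// Evaluate applies tenant rules to outbound content. Deny rules are checked before
// flag/allow rules whatever their order in the list; if the rule set could not be
// loaded, or a rule carries an action the engine does not know, the result is block.
func Evaluate(rules []Rule, loadErr error, content string) Decision {
	if loadErr != nil {
		return Decision{Block, "fail-closed: policy unavailable"}
	}
	for _, denyPass := range []bool{true, false} {
		for _, r := range rules {
			if denyPass && !known(r.Action) {
				return Decision{Block, "fail-closed: unknown action in " + r.Name}
			}
			if isDeny(r.Action) == denyPass && r.Match.MatchString(content) {
				return Decision{r.Action, r.Name}
			}
		}
	}
	return Decision{Allow, "default-allow"}
}
```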

10 File and document security

Files and docs stay inside the boundary.

Uploaded files are encrypted, scanned, versioned, and governed by sharing permissions, retention settings, and legal holds. Collaborative documents inherit the same model.

  • Upload scanning: Virus scanning on upload with automatic quarantine.
  • Tenant storage: Tenant-scoped object storage and encrypted metadata for sensitive file details.
  • Download access: Short-lived, authorized download access.
  • Sharing: View and edit permissions with folder-level inheritance.
  • Versioning: Version history and restore support.
  • Retention: Legal hold preservation for protected records.

12 Backups and recovery

Backups carry the same protections as live data.

Backups inherit live-data key permissions. Recovery jobs enforce tenant key policy and legal-hold state.

  • Database: Daily backups, point-in-time recovery, and multi-zone failover.
  • Deleted data: Trash retention is configurable. Legal holds block permanent deletion.
  • Backup encryption: Backups use the same tenant key permissions as live data.

13 Audit evidence

Evidence your team can use.

Administrative actions, authentication failures, authorization failures, DLP decisions, legal-hold actions, and key operations are logged with tenant and actor context.

  • Change history: Administrative changes with before-and-after values.
  • Security events: Blocked URLs, malicious attachments, DLP decisions, and authentication failures.
  • Key operations: CloudTrail records for cryptographic key operations.
  • API access: Sanitized request metadata for API access logs.
  • Legal events: Legal hold and eDiscovery export events.
  • Exports: Per-tenant exports for assessor review.

14 Security monitoring

Events with tenant context.

Security logs include actor, tenant, action, timestamp, decision, and sanitized metadata. Message bodies, file contents, secrets, and sensitive justification text stay out of general application logs.

  • Identity: Failed authentication and authorization attempts.
  • Rate limits: Rate-limit rejections.
  • DLP: Blocks, warnings, and justification decisions.
  • Threats: URL verification blocks and attachment quarantine decisions.
  • Legal hold: Legal hold lifecycle events.
  • Keys: Key usage and failed decrypt attempts.
  • Administration: Administrative configuration changes.

15 Compliance targets

Designed to produce audit evidence.

IRONKEEP maps control objectives to primary evidence: audit logs, key policies, JWT claims, DLP decisions, and access events.

  • CMMC Level 2 (Mapped): Controls and evidence mapped for customer assessments.
  • NIST SP 800-171 (Mapped): CUI controls mapped to access, audit, encryption, and incident-response evidence.
  • FedRAMP Moderate (In progress): Authorization work is in progress under the FedRAMP 20x program. Status updates will be published as milestones complete.
  • DFARS 7012 (Mapped): Covered defense information handling patterns.
  • ITAR (Mapped): US-hosted infrastructure and US-person operator controls.

Private beta · Q2 2026
