How we protect CUI.
US-only hosting, tenant-scoped keys, signed JWT claims, and zero operator access to tenant content.
- US-only data plane
- FedRAMP Moderate cloud path
- FIPS 140-3 modules
- zero operator access
Your data never leaves the US.
IRONKEEP hosts customer data in the United States on FedRAMP Moderate authorized cloud infrastructure, administered by US citizens.
Tenant data is encrypted at rest and replicated across redundant databases and file storage with automatic failover inside the same US authorization boundary.
Customer identity stays in control.
Teams can use IRONKEEP built-in identity with MFA or connect a customer-owned identity provider through SAML, OIDC, and SCIM 2.0. Every authenticated API request carries tenant and user identity from signed JWT claims.
01 IRONKEEP identity
Built-in identity provider with MFA for teams that do not bring an external IdP.
02 SAML / OIDC
Federation with customer-owned identity providers, including Okta and Entra.
03 SCIM 2.0
Automated user and group lifecycle management.
04 MFA
Multi-factor enforcement through IRONKEEP identity or the customer identity layer.
05 Roles
Role-based access for users, tenant admins, compliance officers, and platform admins.
06 Recovery
Break-glass tenant recovery path for emergency access scenarios.
07 Signed claims
Tenant context comes from signed identity claims. Request parameters are ignored.
Each access path gets its own layer.
Storage encryption, envelope encryption, and client-cache encryption protect different access paths using FIPS 140-3 validated cryptographic modules.
L1 Storage encryption
Databases and file storage are encrypted at rest with annually rotated, tenant-scoped encryption keys.
- Crypto AES-256 at rest
- Key Tenant encryption key
- Control Database + files
L2 Envelope encryption
Sensitive fields are encrypted before persistence with a tenant-bound data key.
- Crypto AES-256-GCM
- Key Per-operation data key
- Control Sensitive-field writes
L3 Client cache encryption
Local web-app cache is encrypted with a key derived from the user PIN.
- Crypto PBKDF2-HMAC-SHA-256
- Key User PIN-derived key
- Control Local cache
One tenant's data can't reach another's.
01 Database queries
Every query is scoped to the requesting tenant.
02 Tenant keys
Each tenant has its own encryption key for all tenant data.
03 Encryption context
Every key-service encrypt/decrypt call includes tenant-specific context.
04 Auth claims
Tenant identity is read from signed JWT claims.
Access splits into four bounded roles.
R1 Platform Operator
Tenant records and infrastructure. No tenant data.
R2 Tenant Admin
Tenant-scoped users, DLP, geo-fencing, and access policies.
R3 Compliance Officer
Legal holds and eDiscovery exports scoped to the tenant.
R4 User
Own mailbox, calendar, contacts, files, docs, and chat.
Zero operator access to tenant content.
Requests are constrained at the edge.
Browser and API controls reduce the attack surface before requests reach application logic. They add enforcement around authentication, authorization, and encryption.
01 Transport
TLS 1.2+ protects data in transit.
02 Content policy
Strict CSP limits scripts, images, frames, and API call origins.
03 Frame controls
Frame restrictions reduce clickjacking risk.
04 Rate limits
Authenticated and unauthenticated API traffic is rate limited.
05 Network policy
Optional IP allowlisting and geo-fencing by country or CIDR range.
06 Error hygiene
Sanitized errors avoid leaking account or session state.
Every message is inspected, whichever way it flows.
Inbound, outbound, and internal routing are separate control points. Accept, quarantine, block, and route decisions are audit-logged.
Inbound Checked before it reaches the inbox.
SPF, DKIM, DMARC validation, malware scanning, quarantine, then encrypted delivery.
Outbound DLP and malware scanning.
Deny rules evaluate first. Actions can block, quarantine, flag, or allow delivery.
Internal Internal route classification.
Messages between IRONKEEP users route inside the platform, then enter the audit log.
Policy checks before data leaves.
Outbound messages, attachments, file actions, document exports, and chat attachments can be evaluated against tenant policy before delivery or download.
01 Email
Send, reply, forward, and attachment upload checks.
02 Files
Share, download, preview, export, and print checks.
03 Docs
Collaborative document export checks.
04 Chat
Message posting and attachment upload checks.
05 Cache lock
Content access is blocked while the local encrypted cache is locked.
06 Fail closed
Protected actions fail closed when policy evaluation is unavailable or unknown.
Files and docs stay inside the boundary.
Uploaded files are encrypted, scanned, versioned, and governed by sharing permissions, retention settings, and legal holds. Collaborative documents inherit the same model.
01 Upload scanning
Virus scanning on upload with automatic quarantine.
02 Tenant storage
Tenant-scoped object storage and encrypted metadata for sensitive file details.
03 Download access
Short-lived, authorized download access.
04 Sharing
View and edit permissions with folder-level inheritance.
05 Versioning
Version history and restore support.
06 Retention
Legal hold preservation for protected records.
Protected records stay preserved.
Compliance officers can preserve records for legal or regulatory matters. Active holds prevent permanent deletion until release.
01 Custodians
Custodian-based holds for legal or regulatory matters.
02 Preservation
Held emails, files, and related records remain preserved.
03 Deletion block
Permanent deletion is blocked while a hold is active.
04 Exports
Standard-format eDiscovery exports.
05 Lifecycle logs
Hold creation, release, export start, completion, failure, and download events are logged.
06 Retrieval
Tenant-scoped evidence retrieval for compliance review.
Backups carry the same protections as live data.
Backups inherit live-data key permissions. Recovery jobs enforce tenant key policy and legal-hold state.
01 Database
Daily backups, point-in-time recovery, and multi-zone failover.
02 Deleted data
Trash retention is configurable. Legal holds block permanent deletion.
03 Backup encryption
Backups use the same tenant key permissions as live data.
Evidence your team can use.
Administrative actions, authentication failures, authorization failures, DLP decisions, legal-hold actions, and key operations are logged with tenant and actor context.
01 Change history
Administrative changes with before-and-after values.
02 Security events
Blocked URLs, malicious attachments, DLP decisions, and authentication failures.
03 Key operations
CloudTrail records for cryptographic key operations.
04 API access
Sanitized request metadata for API access logs.
05 Legal events
Legal hold and eDiscovery export events.
06 Exports
Per-tenant exports for assessor review.
Events with tenant context.
Security logs include actor, tenant, action, timestamp, decision, and sanitized metadata. Message bodies, file contents, secrets, and sensitive justification text stay out of general application logs.
01 Identity
Failed authentication and authorization attempts.
02 Rate limits
Rate-limit rejections.
03 DLP
Blocks, warnings, and justification decisions.
04 Threats
URL verification blocks and attachment quarantine decisions.
05 Legal hold
Legal hold lifecycle events.
06 Keys
Key usage and failed decrypt attempts.
07 Administration
Administrative configuration changes.
Designed to produce audit evidence.
IRONKEEP maps control objectives to primary evidence: audit logs, key policies, JWT claims, DLP decisions, and access events.
CMMC Level 2
Mapped
Controls and evidence mapped for customer assessments.
NIST SP 800-171
Mapped
CUI controls mapped to access, audit, encryption, and incident-response evidence.
FedRAMP Moderate
In progress
Authorization work is in progress under the FedRAMP 20x program. Status updates will publish as milestones complete.
DFARS 7012
Mapped
Covered defense information handling patterns.
ITAR
Mapped
US-hosted infrastructure and US-person operator controls.
Private beta · Q2 2026
Get on the list.
Receive product updates and the CMMC Level 2 readiness checklist.