Data security and privacy at Third Iron

Modified on Mon, 7 Jul at 1:04 PM

Third Iron is dedicated to ensuring transparency, security, and compliance in all our operations. We prioritize protecting customer data through rigorous security measures, meeting industry compliance standards, and a commitment to privacy.


Third Iron’s IT team establishes policies and controls, monitors compliance with those controls, and proves our security and compliance to third-party auditors.  Our policies are based on the following foundational principles:

  1. Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
  2. Security controls should be implemented and layered according to the principle of defense in depth.
  3. Security controls should be applied consistently across all areas of the enterprise.
  4. The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased accountability, and decreased friction.

 

Third Iron maintains a SOC 2 attestation and Cyber Essentials certification, and conducts regular penetration tests. Our reports are available on our Trust Center.

 

Data is protected across the customer lifecycle.

  • Data at rest. All datastores with customer data are encrypted at rest and in transit.
  • Data in transit. Third Iron uses TLS 1.2 or higher everywhere customer data is transmitted over potentially insecure networks. We use features such as HTTPS to maximize the security of data in transit. Server TLS keys and certificates are managed by DigiCert and AWS.

Third Iron practices enterprise security.

  • Endpoint protection. All corporate devices are centrally managed and are equipped with anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage.
  • Security education.  Third Iron provides comprehensive security training to all employees upon onboarding and annually through educational modules.  Third Iron’s IT team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.