Welcome to the IriusRisk Trust, Legal & Security Hub
Your trust is our priority. Here you'll find everything about how we protect your data, ensure security, and meet global compliance - all in one place.
Customer Subscription Terms
Explore the legal terms that govern the use of our IriusRisk product. We provide clear, easy-to-access subscription agreements tailored for customers in different regions. These agreements outline your rights and obligations when using our platform, including billing, service usage, and termination terms.
International / EU Customer Subscription
Applicable if your company is based outside of the United States, including in the European Union and other international locations.
North American / US Customer Subscription Terms
Applicable if your company is based in the United States or any other part of North America.
Security & Compliance
At IriusRisk, security is built into everything we do, from how we design our platform to how we operate as a company. As experts in threat modeling, we apply the same proactive, risk-based principles internally to protect our systems and data. We follow industry best practices, undergo independent audits, and commit to transparency at every level.
ISO 27001 Certification
Our ISO/IEC 27001 certification demonstrates that we maintain strong, independently audited controls to protect customer data across people, processes, and technology.
External Security Testing & Vulnerability Reporting
We welcome responsible testing from customers and the security community. Testing is allowed within your own domain and data, with DoS strictly prohibited. Notify us 30 days in advance and report findings to security@iriusrisk.com. We promptly review and address all valid reports.
Security by Design Pledge
IriusRisk is a proud signatory of the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Security by Design Pledge, reflecting our commitment to embed security throughout the software development lifecycle, minimize default risks, and lead with transparency.
IriusRisk Information Security Policy
IriusRisk is committed to protecting the confidentiality, integrity, and availability of its information assets by maintaining a robust Information Security Management System (ISMS) aligned with ISO/IEC 27001 and with international best practices and guidance from organizations such as OWASP, CIS, INCIBE, and NCSC. The ISMS is supported at the highest levels of the organization and integrates information security principles into daily operations and company culture. The objectives of the ISMS are to:
- Strengthen security controls and procedures in response to evolving threats and compliance needs
- Prevent unauthorized access, alteration, or loss of critical information
- Minimize the risk of security incidents through proactive monitoring and incident response
- Ensure the continuity of business operations
- Promote a strong security culture through ongoing training and awareness initiatives
Privacy & Data Protection
We are deeply committed to handling personal data responsibly, securely, and in compliance with global data protection laws. This section provides access to our data processing agreements (DPAs), details on our subprocessors, and privacy-related documents to help you understand how we manage data throughout our operations.
International / EU Data Processing Agreement (DPA) + Standard Contractual Clauses (SCCs)
This DPA applies if your company is based outside of the United States, including in the European Union and other international jurisdictions. It outlines our roles and responsibilities as a data processor and includes Standard Contractual Clauses (SCCs) for lawful international data transfers under GDPR and other applicable laws, and describes the security measures we implement to protect personal data.
North American / US Data Processing Agreement (DPA)
This DPA is applicable if your company is based in the United States or elsewhere in North America.
It defines our data protection obligations, including how we handle personal data, the roles of the parties, and the security measures we implement to protect that data.
List of authorized subprocessors
We maintain a current list of third-party subprocessors that may process personal data on our behalf in connection with the delivery of our services.
The list includes their purpose and geographic location, ensuring transparency for our customers.
IriusRisk Privacy Policy
The IriusRisk Privacy Policy applies to all IriusRisk websites and explains how we collect and use personal data when you interact with our sites, for example by requesting a demo, using the IriusRisk Community Edition, subscribing to communications, registering for events, applying for a job, or participating in hackathons. This policy does not cover personal data processed through use of the IriusRisk product.
IriusRisk website Cookie Policy
This policy explains how we use cookies and similar technologies on our public website for analytics, performance monitoring, and personalization.
Like the privacy policy, it is not relevant to customers using the IriusRisk platform, which does not rely on cookie-based tracking.
Service Status & Availability
Stay informed about the performance and reliability of the IriusRisk platform. This section includes our Enterprise Support site, which provides access to helpful resources, technical assistance, and documentation, all to ensure transparency and responsiveness.
Legal notice
Find our general legal disclosure, including company identification, website usage, and regulatory notices here.
Contact & FAQs
Have questions about legal, privacy, or security topics? Find quick answers in our FAQs or contact the appropriate team directly.
For security-related inquiries
security@iriusrisk.com
For privacy & data protection
dpo@iriusrisk.com
For legal or contractual matters
legal@iriusrisk.com
Frequently Asked Questions
1. What terms govern my use of the IriusRisk platform?
Your use of IriusRisk Cloud Services is governed by our Customer Subscription Terms and the applicable Order Form. We provide separate terms for customers based in North America/US and those in the EU or other international regions.
2. Does IriusRisk offer a Data Processing Agreement (DPA), and where can I find it?
Yes, IriusRisk offers tailored Data Processing Agreements for North America/US and International/EU customers. These agreements include the Standard Contractual Clauses (SCCs) for lawful international data transfers and can be accessed directly in the Privacy & Data Protection section of this hub.
3. How does IriusRisk secure my data?
IriusRisk implements robust technical and organizational security measures including encryption in transit and at rest, access controls, regular penetration testing, and incident response procedures. Our ISO 27001 certification validates our commitment to best-in-class security standards. Learn more in our Security & Compliance section.
4. Can I test the security of the IriusRisk platform?
We support responsible disclosure and security testing within the scope of your own environment. Denial-of-service (DoS) and other intrusive testing is strictly prohibited. Please notify us 30 days in advance and report any findings to security@iriusrisk.com.
5. Who are your subprocessors, and how are they selected?
We maintain a list of authorized subprocessors, each vetted for security and compliance. We only use subprocessors that meet our standards and provide notice of any changes. This list is available in our Subprocessor List under the Privacy and Data Protection section.
6. What data should I avoid uploading to IriusRisk?
Customers must not upload sensitive or regulated data such as health information (e.g. PHI), financial data requiring special treatment, IDs, or special category data under GDPR. Likewise, third-party data protected by intellectual property, trade secrets, or confidentiality rights must not be submitted unless the customer has obtained all necessary permissions. The IriusRisk Cloud Services are not designed or certified to process such data, and customers are responsible for ensuring compliance with applicable laws and obligations.
7. Where can I view the platform's service status?
You can view system performance and uptime statistics in our Service Status & Availability section. For additional info, please visit our Support Portal.
8. What support options does IriusRisk offer?
IriusRisk provides Standard, Gold, and Platinum support plans with varying levels of availability, response time, and dedicated support channels. For additional info, please visit our Support Portal.
9. Who owns the data I upload to IriusRisk?
You do. The customer retains full ownership of any data uploaded to the platform. IriusRisk only uses this data to deliver and support the service in accordance with the Customer Subscription Terms.
10. Can I request the deletion or return of my data?
Yes. Upon termination or at any time upon request, we will delete or return your personal data in accordance with our DPA, unless we are legally required to retain it.