Trust
Security, privacy, and how we treat your data.
Ironlake holds the most sensitive parts of a household's balance sheet — entities, holdings, beneficiaries, vault contents. We treat that responsibility seriously. This page explains how the product is built, what's in place today, and what's coming as we move toward general availability.
Where we are right now
The product foundation was chosen for a financial product from day one: a managed database with encrypted storage and database-enforced tenant isolation, type-checked code paths from the API to the database, two-factor authentication recommended on every account, application-level encryption on the most sensitive fields, and a deliberate read-only relationship with your brokerages.
We don't yet hold third-party certifications like SOC 2 or ISO 27001 — those are appropriate milestones for a product with paying customers. The external validations we're committed to are listed below.
The strongest protection is one we built into the product
Ironlake never moves money. We don't place trades, schedule transfers, or initiate any financial transaction — even when account aggregation is enabled at higher tiers. Every action happens in your brokerage's own interface. A compromise of Ironlake cannot directly cause a financial loss, because there is no path from our system into yours.
How the product is built
Three things matter most for a product that holds financial data — keeping each customer's data fenced off, encrypting it everywhere it sits, and validating every input before it reaches the database.
Tenant isolation
Your data is fenced from every other customer at the database itself, not just at the application layer. Every query is automatically scoped to your account — even a flaw in the application would not let one user read another user's data. This is verified end-to-end with multi-user testing.
Encryption at every layer where data sits
Data is encrypted in transit on every connection (TLS 1.3) and at rest in the database (AES-256, the default on the managed database we run on). The most sensitive fields — Social Security Numbers, EINs, vault contents — get an additional application-level encryption layer, so they remain encrypted even within the database itself.
Validation by construction
Every API call is checked against a strict schema before it touches business logic. The database access layer parameterizes queries automatically, so whole classes of attacks (SQL injection, malformed-input crashes) are structurally prevented rather than defended against.
Edge protection
Network traffic terminates at our hosting provider's edge with TLS 1.3 and platform-level DDoS protection. The www subdomain redirects to the apex through HTTPS-only paths — there is no insecure fallback.
Account access
- Two-factor authentication is supported and strongly recommended. Every account can enable two-factor authentication with a standard authenticator app.
- Passwords are never visible to us. They're hashed and salted at the authentication provider before storage. Even our own database administrators never see them.
- Sessions expire automatically. Sessions are short-lived and renewed on activity. Logging out invalidates the session immediately.
Data privacy
- We don't sell or share your information. Not with marketers, not with affiliates, not with anyone. The product is funded by subscription, not by data.
- You decide what happens to your data. Export, correct, or delete it at any time — email privacy@ironlake.app to begin. When you close your account, we permanently remove your data; vault contents become unrecoverable because the encryption key is derived from your password and never stored separately.
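The password-derived vault key described above, together with the application-level field encryption from the encryption section, as an added sketch that is not Ironlake's code. The KDF (scrypt), the cipher (AES-256-GCM), the context string format and all sample values are assumptions made for illustration.

```javascript
// Added illustration, not Ironlake's code. scrypt, AES-256-GCM and the
// context-string layout are assumed choices; all values are constructed.
const crypto = require("node:crypto");

// Derive a 256-bit key from the password. Only the salt is stored; the key
// exists in memory while the user is signed in and is never persisted.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, {
    N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024,
  });
}

// Encrypt one field. The context (tenant, column, row) is bound as AAD, so a
// ciphertext copied into another tenant's row fails authentication.
function encryptField(key, plaintext, context) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(context, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

function decryptField(key, stored, context) {
  const [iv, tag, ct] = stored.split(".").map((s) => Buffer.from(s, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(context, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Returns the plaintext, or null when the key or context does not match.
function tryDecrypt(password, salt, stored, context) {
  try { return decryptField(deriveKey(password, salt), stored, context); }
  catch { return null; }
}

function demo() {
  const salt = crypto.randomBytes(16);
  const password = "correct horse battery staple"; // constructed
  const ctx = "tenant:t_demo|vault_items.body|row:42"; // hypothetical layout
  const stored = encryptField(deriveKey(password, salt), "constructed vault note", ctx);
  return {
    stored, // what the database would hold
    ok: tryDecrypt(password, salt, stored, ctx),
    wrongPassword: tryDecrypt("guess", salt, stored, ctx),
    movedRow: tryDecrypt(password, salt, stored, ctx.replace("42", "43")),
  };
}
```

Because the key is never written anywhere, the stored value alone cannot be decrypted without the password, which is the property the account-closure statement relies on.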
Subprocessors
The third-party services that touch your data. Each one is contractually bound to handle data on our behalf and is not permitted to use your data for any other purpose.
| Provider | Role | Data | Region |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All application data. | US East (AWS us-east-1) |
| Vercel | Application hosting (frontend + API) | Request and response data in transit. Application logs. | Global edge (US-anchored) |
| Cloudflare | DNS | DNS lookups. | Global |
| Inngest | Background job orchestration (scheduled refresh of market reference data) | Function execution metadata — step inputs / outputs and retry state. Functions deployed today operate only on public market reference data (ticker lists, ETF holdings); no personally identifiable customer data passes through. | US |
| Resend | Transactional email delivery | Recipient email addresses and message contents for outbound mail (sign-up, password reset, security alerts, scheduled report notifications). | US |
| HubSpot | Marketing CRM | Name, email, phone, comments. Not connected to product data. | US (NA2) |
Incident response
If something goes wrong, you'll hear from us. We commit to notifying affected customers within 72 hours of confirming a security incident that involves their data, with a description of what happened, what data was involved, what we've done, and what you should do.
To report a security concern or vulnerability, email security@ironlake.app. We acknowledge reports within one business day. Responsible disclosure is appreciated and protected.
External validations we're committed to
The product foundation is built. What remains is independent confirmation of it. We'll update this section as each milestone moves from planned to in-progress to complete.
- Attorney-reviewed privacy policy and Terms of Service. Drafted internally and reviewed by a fintech-specialist attorney before the first paid signup.
- Independent penetration test. Scheduled before commercial launch. A redacted findings summary will be published here once remediation has landed.
- SOC 2 Type 1, then Type 2. Targeted within 12 months of commercial launch. Type 2 follows after the observation window.
Have a question we haven't answered, or want to talk through a specific control before submitting an access request? Email security@ironlake.app and we'll respond directly.