Security
122 isolation tests.
Zero cross-tenant leaks. Ever.
Your data is yours. Steel Motion hosts the platform, you control the data. 122 automated tests verify tenant isolation on every deploy. A single failure blocks the release.
Start Free TrialTenant Isolation
Every customer lives in their own silo
IronWorks enforces company-level data isolation at the application layer. Every database query, file access, and API response is scoped to a company_id. There is no shared context between tenants.
122 HTTP-level tests attempt cross-tenant access on every deploy. A single failure blocks the release. This is not a design principle -- it is a tested guarantee.
A compromised account at one company cannot access another company's data, even with valid credentials.
All database operations filter by company_id before any other condition. The application layer enforces this — database-level RLS is a secondary backstop.
Every request is validated against the authenticated user's company membership. Membership changes take effect immediately — no token refresh required.
A dedicated test suite attempts every form of cross-tenant access on every deployment. All 122 must pass before code ships to production.
All API keys, OAuth tokens, and user-supplied credentials are encrypted using AES-256-GCM before storage. Each company has a unique encryption context. The plaintext never touches disk.
All communication between clients, the application server, and the database uses TLS 1.2 or higher. HTTP is redirected to HTTPS. HSTS is enforced with a max-age of one year.
LLM API keys are never logged, never transmitted in plaintext to monitoring systems, and cannot be read by Steel Motion staff. They are decrypted in memory only when needed to make an LLM call, and that decrypted value is never persisted.
Encryption
Your secrets stay secret
The most sensitive data IronWorks holds is your LLM API keys. These keys grant access to your provider accounts and could incur unbounded charges if leaked. IronWorks treats them accordingly.
Keys are encrypted immediately on receipt using AES-256-GCM with a per-company encryption key. The encrypted ciphertext is stored in the database. The key material used for encryption is stored separately and is not accessible through the same code path that stores the ciphertext.
All other data — agent configurations, issues, goals, knowledge base content — is stored in a standard PostgreSQL database with encryption at rest provided by the disk layer, in addition to the application-layer isolation described above.
Authentication
Secure sessions, role-based access
IronWorks authentication is powered by Better Auth, a battle-tested authentication library with a strong security track record. Sessions are managed server-side with cryptographically signed tokens and short expiration windows.
Password authentication
Passwords are hashed using bcrypt with a work factor of 12. Plaintext passwords are never stored or logged at any point in the authentication flow.
Session security
Sessions use HTTP-only, Secure, SameSite=Strict cookies. Session tokens are rotated on privilege changes. Logout invalidates the session server-side immediately.
Role-based access control
Users are assigned roles within a company: Owner, Admin, or Member. Each role has a defined permission set. Permission checks are enforced at the API layer, not just the UI.
Rate limiting and brute-force protection
Authentication endpoints are rate-limited at the application layer. Repeated failed login attempts trigger a progressive lockout. IP-level blocking is applied for sustained attack patterns.
Full audit trail
Every significant action is logged: logins, agent config changes, data exports, permission changes, API key additions and deletions. Audit logs are append-only and retained for 90 days.
OAuth support
Google and GitHub OAuth are supported as login methods. OAuth tokens are stored encrypted and follow the same zero-knowledge handling as LLM API keys.
Data Processor Model
You are the controller. We are the processor.
Steel Motion LLC operates as a data processor under your instructions as the data controller. This is not marketing language — it is the legal framework that governs our relationship with your data and is formalized in our Data Processing Agreement.
Practically, this means your data is used solely to operate the IronWorks service for your account. It is not used to train AI models. It is not used to improve IronWorks for other customers. It is not sold, shared with advertising networks, or accessed for our own analytics.
You can request a full export of all your data at any time. You can request permanent deletion of all your data at any time. Both requests are processed within 30 days.
IronWorks generates revenue from subscriptions, not from data. Your agent instructions, issues, goals, and knowledge base content are never monetized, analyzed for our benefit, or shared.
IronWorks does not use customer data to fine-tune or train language models. The LLM providers you connect to have their own data use policies — review them when setting up your keys.
We use a small number of subprocessors to operate the service (database hosting, email delivery, payment processing). These are disclosed in the DPA and updated when they change.
Export all your data in JSON format from account settings at any time. Deletion requests are processed within 30 days and include removal from backups after the backup retention window expires.
Infrastructure
Dedicated infrastructure, not shared cloud
IronWorks runs on a dedicated virtual dedicated server, not a shared hosting environment. This gives us direct control over the operating system, firewall rules, and security configuration — control that is not available in most managed cloud platforms.
The application, database, and file storage run on a dedicated server. No CPU, memory, or network sharing with other tenants at the infrastructure layer.
Only ports 80, 443, and a non-standard SSH port are open inbound. All other ports are blocked by default. UFW rules are audited on each deployment.
fail2ban monitors SSH and application logs for brute-force patterns and automatically blocks offending IPs. Bans are reported to a monitoring channel.
Full database backups run daily and are retained for 30 days. Backup restoration is tested monthly. Backup files are encrypted at rest.
npm audit runs on every deployment. Known-vulnerable packages block the release pipeline. Dependency updates are reviewed weekly.
Unattended security upgrades are enabled on the host OS. Critical patches are applied within 24 hours of release. The kernel is updated on a monthly maintenance window.
Legal and Compliance
Clear agreements, no surprises
All legal documents governing the IronWorks service are publicly available and written in plain language. There are no hidden clauses granting us rights to your data beyond what is required to operate the service.
The Enterprise plan includes a dedicated Compliance Director AI agent for automated GRC monitoring. It tracks GDPR, CCPA, SOC 2, HIPAA, and PCI-DSS requirements across your entire AI workforce, creates compliance-tagged issues when gaps are identified, and generates structured compliance reports. The role has read-only access to all operations and cannot modify configs or delete data — by design. Learn more about the Compliance Director role.
Governs your use of the platform. Defines permitted use, payment terms, and account termination conditions.
Defines what the platform may and may not be used for. Prohibits abuse, illegal use, and activity that could harm other users.
Explains what personal data is collected, how it is used, and your rights regarding that data. No-surprises data handling.
Formal agreement establishing the controller/processor relationship. Includes subprocessor list and data handling obligations.
Defines uptime commitments, incident response times, maintenance windows, and remedies for service failures.
Compliance Roadmap
Where we are headed
IronWorks is an early-stage platform. We are building the security and compliance program from a strong foundation, not retrofitting it. The following milestones are on our roadmap:
122 automated HTTP-level cross-tenant access tests run on every deployment. Complete.
All five governing documents published before first paying customer. Complete.
Per-company encrypted secret storage for all LLM API keys and OAuth tokens. Complete.
Third-party penetration test targeting authentication, tenant isolation, and API security. Planned for Q3 2026.
SOC 2 Type I examination covering Security and Availability trust service criteria. Planned for Q4 2026.
SOC 2 Type II report covering a 12-month observation period. Planned for 2027. Available to enterprise customers under NDA on request after completion.
Have specific compliance requirements for your organization? Contact our security team to discuss your needs. We are happy to provide additional documentation, answer questionnaires, or work through custom contractual requirements for larger accounts.
Security you can verify, not just trust
122 tenant isolation tests. AES-256-GCM encryption. Zero API keys logged. Try it free for 14 days.