Security and Privacy at Irongate

 

Security sits at the core of everything we build. Our system controls who gets onto site, so we hold ourselves to the same high standards we expect from our customers.

We protect your data, your workforce, and your operations with a security-first approach across our platform and hardware.

Governance

Our Security and Compliance team sets the policies and controls that keep Irongate running safely. We actively monitor how these controls are followed across our platform and hardware, and we back it up with independent third-party audits. This ensures our systems stay secure, reliable, and trusted by the projects that depend on us.

Our policies are based on the following foundational principles:

01. Least-privilege access

Only people with a genuine business need get access. Permissions are kept tight to protect your data and site operations.

02. Layered protection (defence in depth)

We use multiple layers of security across our platform, hardware, and infrastructure so no single point of failure exposes your project.

03. Consistent controls across the business

Every part of Irongate — from software to devices deployed on-site — follows the same security standards and controls.

04. Continuous improvement

Our controls evolve over time, becoming stronger and easier to audit while reducing friction for your project teams.

Security and Compliance at Irongate

We’re committed to meeting the security expectations of the construction industry and the global organisations we work with. Irongate is aligning to the highest industry standards, including SOC 2 Type II and ISO 27001.

We also follow global privacy regulations and industry-specific requirements, ensuring our approach stays compliant across regions and project types.

Data Protection
 

Data at Rest
  • All Irongate data stores — including databases and cloud storage — are encrypted at rest.

  • Sensitive information is further protected with field-level encryption, meaning data is encrypted before it reaches the database.

  • This ensures that even with physical or logical access to our systems, the most sensitive data cannot be read.

 

 

Data in Transit
  • We secure all data moving across the network using TLS 1.2 or higher, protecting information travelling between devices, servers, and integrations such as HammerTech.

  • We also enforce HSTS to prevent insecure connections.

  • TLS certificates and keys are managed through AWS and deployed via our load balancers to ensure consistent, hardened protection.

 

 

Secret Management
  • Our encryption keys are managed through AWS Key Management Service (KMS) and stored in Hardware Security Modules (HSMs), which prevents direct access — even by AWS or Irongate staff.

  • Application secrets are encrypted and stored securely using AWS Secrets Manager and Parameter Store, with access tightly controlled and monitored.

Product Security

 

Penetration Testing

We partner with independent security specialists to perform full-scope penetration testing on the Irongate platform and infrastructure. These assessments are done at least once a year and include:

  • Full access to relevant source code

  • Testing across all application layers, APIs, and cloud services

  • A focus on real-world attack methods that could impact construction sites or data integrity

 

We share high-level findings with partners upon request once testing is complete.

 

Vulnerability Scanning

Security checks are built into every stage of our development process. As part of our Secure Development Lifecycle (SDLC), we use:

  • Static Application Security Testing (SAST): Automated code reviews during pull requests and ongoing monitoring

  • Software Composition Analysis (SCA): Identifying vulnerabilities in open-source or third-party libraries

  • Malicious Dependency Scanning: Preventing compromised or infected packages from entering our codebase

  • Dynamic Application Security Testing (DAST): Testing live, running applications

  • Network Vulnerability Scanning: Regular scheduled scans of our cloud infrastructure

  • External Attack Surface Monitoring (EASM): Continuous discovery of new or exposed external assets

 

These layers of protection help us catch issues early, harden the platform over time, and maintain a strong security posture as we scale.

Enterprise Security

 

Endpoint Protection

All Irongate corporate devices are centrally managed and secured using mobile device management (MDM).

We enforce strong endpoint controls, including:

  • Full-disk encryption

  • Automatic software updates

  • Screen-lock and timeout policies

  • Anti-malware protection

  • 24/7/365 monitoring of endpoint security alerts

 

Vendor Security

We take a risk-based approach when working with third-party vendors. We assess vendors based on factors such as:

  • Whether they access customer or corporate data

  • Their level of integration with our production systems

  • The potential impact on Irongate’s brand and operations

 

Secure Remote Access

Remote access to Irongate’s internal resources is secured using a modern, encrypted VPN solution based on WireGuard technology. We also use DNS filtering to block malicious domains and protect employee endpoints during everyday browsing.

 

Security Education

Every Irongate team member completes security training during onboarding and annually thereafter. This includes:

  • Core security awareness and safe-working practices

  • Threat updates and internal security briefings

  • Secure-coding sessions for engineers

 

Identity & Access Management

We use an enterprise-grade identity platform to manage authentication and access. Our approach includes:

  • Phishing-resistant authentication (WebAuthn wherever possible)

  • Role-based access control for all applications

  • Automatic deprovisioning when employment ends

  • Approval workflows for elevated or sensitive access
