Trust, Legal & Security Hub

Your trust is our priority. Read how we protect your data, ensure security, and meet compliance

Welcome to the IriusRisk Trust, Legal & Security Hub
Your trust is our priority. Here you'll find everything about how we protect your data, ensure security, and meet global compliance - all in one place.

Customer Subscription Terms
Explore the legal terms that govern the use of our IriusRisk product. We provide clear, easy-to-access subscription agreements tailored for customers in different regions. These agreements outline your rights and obligations when using our platform, including billing, service usage, and termination terms.
International / EU Customer Subscription
Applicable if your company is based outside of the United States, including in the European Union and other international locations.

North American / US Customer Subscription Terms
Applicable if your company is based in the United States or any other part of North America.

Security & Compliance
At IriusRisk, security is built into everything we do, from how we design our platform to how we operate as a company. As experts in threat modeling, we apply the same proactive, risk-based principles internally to protect our systems and data. We follow industry best practices, undergo independent audits, and commit to transparency at every level.
ISO 27001 Certification
Our ISO/IEC 27001 certification demonstrates that we maintain strong, independently audited controls to protect customer data across people, processes, and technology.

External Security Testing & Vulnerability Reporting
We welcome responsible testing from customers and the security community. Testing is allowed within your own domain and data, with DoS strictly prohibited. Notify us 30 days in advance and report findings to security@iriusrisk.com. We promptly review and address all valid reports.

Security by Design Pledge
IriusRisk is a proud signatory of the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Security by Design Pledge, reflecting our commitment to embed security throughout the software development lifecycle, minimize default risks, and lead with transparency.

IriusRisk Information Security Policy
IriusRisk is committed to protecting the confidentiality, integrity, and availability of its information assets by maintaining a robust Information Security Management System (ISMS) aligned with ISO/IEC 27001 and international best practices and guidance from organizations such as OWASP, CIS, INCIBE, and NCSC.

The ISMS is supported at the highest levels of the organization and integrates information security principles into daily operations and company culture. The objectives of the ISMS are to:

- Strengthen security controls and procedures in response to evolving threats and compliance needs
- Prevent unauthorized access, alteration, or loss of critical information
- Minimize the risk of security incidents through proactive monitoring and incident response
- Ensure the continuity of business operations
- Promote a strong security culture through ongoing training and awareness initiatives

Privacy & Data Protection
We are deeply committed to handling personal data responsibly, securely, and in compliance with global data protection laws. This section provides access to our data processing agreements (DPAs), details on our subprocessors, and privacy-related documents to help you understand how we manage data throughout our operations.
International / EU Data Processing Agreement (DPA) + Standard Contractual Clauses (SCCs)
This DPA applies if your company is based outside of the United States, including in the European Union and other international jurisdictions. It outlines our roles and responsibilities as a data processor and includes Standard Contractual Clauses (SCCs) for lawful international data transfers under GDPR and other applicable laws, and describes the security measures we implement to protect personal data.

North American / US Data Processing Agreement (DPA)
This DPA is applicable if your company is based in the United States or elsewhere in North America.

It defines our data protection obligations, including how we handle personal data, the roles of the parties, and the security measures we implement to protect that data.

List of authorized subprocessors
We maintain a current list of third-party subprocessors that may process personal data on our behalf in connection with the delivery of our services.

The list includes their purpose and geographic location, ensuring transparency for our customers.

IriusRisk Privacy Policy
The IriusRisk Privacy Policy applies to all IriusRisk websites and explains how we collect and use personal data when you interact with our sites, for example by requesting a demo, using the IriusRisk Community Edition, subscribing to communications, registering for events, applying for a job, or participating in hackathons. This policy does not cover personal data processed through use of the IriusRisk product.

IriusRisk website Cookie Policy
This policy explains how we use cookies and similar technologies on our public website for analytics, performance monitoring, and personalization.

Like the privacy policy, it is not relevant to customers using the IriusRisk platform, which does not rely on cookie-based tracking.

Service Status & Availability
Stay informed about the performance and reliability of the IriusRisk platform. This section includes our Enterprise Support site, which provides access to helpful resources, technical assistance, and documentation, all to ensure transparency and responsiveness.

Legal notice
Find our general legal disclosure, including company identification, website usage, and regulatory notices here.

Contact & FAQs
Have questions about legal, privacy, or security topics? Find quick answers in our FAQs or contact the appropriate team directly.

For security-related inquiries
security@iriusrisk.com

For privacy & data protection
dpo@iriusrisk.com

For legal or contractual matters
legal@iriusrisk.com

Frequently Asked Questions

1. What terms govern my use of the IriusRisk platform?

Your use of IriusRisk Cloud Services is governed by our Customer Subscription Terms and the applicable Order Form. We provide separate terms for customers based in North America/US and those in the EU or other international regions.

2. Does IriusRisk offer a Data Processing Agreement (DPA), and where can I find it?

Yes, IriusRisk offers tailored Data Processing Agreements for North America/US and International/EU customers. These agreements include the Standard Contractual Clauses (SCCs) for lawful international data transfers and can be accessed directly in the Privacy & Data Protection section of this hub.

3. How does IriusRisk secure my data?

IriusRisk implements robust technical and organizational security measures including encryption in transit and at rest, access controls, regular penetration testing, and incident response procedures. Our ISO 27001 certification validates our commitment to best-in-class security standards. Learn more in our Security & Compliance section.

4. Can I test the security of the IriusRisk platform?

We support responsible disclosure and security testing within the scope of your own environment. Denial-of-service (DoS) and other intrusive testing is strictly prohibited. Please notify us 30 days in advance and report any findings to security@iriusrisk.com.

5. Who are your subprocessors, and how are they selected?

We maintain a list of authorized subprocessors, each vetted for security and compliance. We only use subprocessors that meet our standards and provide notice of any changes. This list is available in our Subprocessor List under the Privacy and Data Protection section.

6. What data should I avoid uploading to IriusRisk?

Customers must not upload sensitive or regulated data such as health information (e.g. PHI), financial data requiring special treatment, IDs, or special category data under GDPR. Likewise, third-party data protected by intellectual property, trade secrets, or confidentiality rights must not be submitted unless the customer has obtained all necessary permissions. The IriusRisk Cloud Services are not designed or certified to process such data, and customers are responsible for ensuring compliance with applicable laws and obligations.

7. Where can I view the platform's service status?

You can view system performance and uptime statistics in our Service Status & Availability section. For additional info, please visit our Support Portal.

8. What support options does IriusRisk offer?

IriusRisk provides Standard, Gold, and Platinum support plans with varying levels of availability, response time, and dedicated support channels. For additional info, please visit our Support Portal.

9. Who owns the data I upload to IriusRisk?

You do. The customer retains full ownership of any data uploaded to the platform. IriusRisk only uses this data to deliver and support the service in accordance with the Customer Subscription Terms.

10. Can I request the deletion or return of my data?

Yes. Upon termination or at any time upon request, we will delete or return your personal data in accordance with our DPA, unless we are legally required to retain it.
