Third Iron is dedicated to ensuring transparency, security, and compliance in all our operations. We prioritize protecting customer data through rigorous security measures, meeting industry compliance standards, and a commitment to privacy. Third Iron welcomes reports of potential security vulnerabilities in our products and services. We are committed to investigating and resolving verified issues promptly.
Governance and Security Principles
Third Iron’s IT team establishes policies and controls, monitors compliance, and demonstrates security and compliance to third-party auditors. Our policies are guided by foundational principles:
- Least privilege access: Access is granted strictly based on business need.
- Defense in depth: Security controls are layered to reduce risk.
- Consistency: Security measures are uniformly applied across all systems and environments.
- Continuous improvement: Controls are iteratively refined to improve effectiveness, accountability, and usability.
- Management roles: Chief Information Security and Data Privacy Officer roles ensure accountability and reinforce governance.
Compliance and Certifications
Third Iron maintains:
- SOC 2 Type 2 attestation: Reporting on security, availability, processing integrity, confidentiality and privacy.
- Cyber Essentials certification: Ensuring compliance with UK/EU cybersecurity standards.
- Regular penetration testing: Conducted by independent security firms to validate the effectiveness of controls.
These reports are available in our Trust Center.
Data Protection Across the Customer Lifecycle
Data is protected across the customer lifecycle using industry-leading security measures:
- Encryption
  - At rest: Data at rest is encrypted to the AES-256 standard.
  - In transit: TLS 1.2+ with HTTPS; server keys and certificates are managed via DigiCert and AWS.
- Endpoint security: All corporate devices are centrally managed, anti-malware protected, and monitored 24/7/365.
- Monitoring and threat detection: Security alerts are continuously monitored, and anomalous activity triggers incident response protocols.
- Data retention
  - LibKey: IP address information is stored for 90 days, or up to 365 days if needed for a forensic examination, then permanently deleted.
  - BrowZine: The IP address policy is the same as that for LibKey. For users who elect to use the optional BrowZine personalization features and provide an email address, the email address is stored for the duration of the subscription period and then permanently deleted. Users may also delete their BrowZine account at any time.
- Data segregation: Each customer's data is logically separated from that of other customers using processes including unique customer identifiers and secure API tokens.
Incident Response and Business Continuity
Third Iron maintains a disaster recovery and business continuity plan that is tested annually.
RTO and RPO
| Tier | RTO | RPO |
|---|---|---|
| Tier 1 (Mission critical) | <1 hour | <30 minutes |
| Tier 2 (Important but not critical) | 8-24 hours | ~4 hours |
Privacy Practices
Data collected is limited to what is required for service delivery, and customer data are protected according to relevant privacy laws, including GDPR, COPPA, and others. Our Third Iron website privacy statement is available here and our product privacy statement is available here.