Security & Compliance
Enterprise security, built from the ground up.
Every layer of Irys is architected for enterprise-grade data protection. Your clients' confidences remain confidential.
Built by lawyers. Audited by experts. Trusted by enterprise legal teams.
The promise
Your data stays yours. Full stop.
We never store or train on your data. Every AI inference is stateless and containerized. Nothing is cached or retained after a session ends — by us or by our model providers.
No Training on Your Data
Customer content is never used to train any model — internal or third-party. Your work product remains yours.
Ephemeral Processing
AI inferences are stateless and containerized. Nothing is cached or retained after a session ends — by us or by our model providers.
Tenant Isolation
Every organization is hard-isolated. Workspaces and matters are segregated containers — never commingled, never pooled across clients.
Certifications & Standards
Audited. Certified. Compliant.
SOC 2 Type II
Audited & certified for availability, confidentiality, and integrity
ISO 27001
Information security management meets international standards
HIPAA Ready
Healthcare compliance controls for sensitive data
GDPR Aligned
Lawful basis, data minimization, and subject rights
CCPA Ready
California privacy rights: know, delete, opt-out
Security Architecture
Layers of protection at every level.
From access control to data transit to AI inference — every layer is designed to protect your clients' data.
Encryption at Every Layer
All data is encrypted in transit and at rest. Third-party model calls are stateless — vendor caching is disabled so nothing persists outside your tenant boundary.
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest
- Zero vendor-side data retention
Multi-Factor Authentication
MFA is enforced across all user sessions. Role-based access control ensures least-privilege access at every level of the organization.
- MFA enforced for all accounts
- Least-privilege role model (Org Admin, Matter Owner, Contributor)
- SSO / SCIM for enterprise deployments
Session Controls & Audit
Inactive sessions are automatically terminated. Full audit trail tracks every action, access event, and change across the platform.
- Automatic idle-session expiry
- Complete audit trail — exportable for compliance
- Hard tenant isolation — no data commingling
Architecture Before AI
RAG, OCR, and a matter-centric Knowledge Graph provide context first. AI models are only invoked for narrow inference — never as a general data store.
- Matter-centric workspaces, never pooled
- AI invoked only for narrow inference
- Processing is ephemeral and containerized
Your Data Rights
You own your data. Always.
No Training
Customer content is never used to train any model.
Deletion on Demand
Delete your data at any time. All content is deleted or returned within 30 days of contract termination.
No Retention
Third-party model calls are stateless. Vendor caching is disabled.
Exportability
Content can be exported in standard formats (Word or PDF) at any time.
Built for legal
Privilege-safe by design.
Irys is not a general AI tool retrofitted for law. It was architected from day one for privilege, confidentiality, and professional responsibility. RAG, OCR, and a matter-centric Knowledge Graph provide context first. AI models are only invoked for narrow inference — never as a general data store.
Documentation
Full transparency. Every policy published.
From our Head of AI
Research and analysis from Devansh, Co-Founder & Head of AI at Irys.
