Security
Every day, thousands of organizations rely on Iframely for their end users' rich media experiences. We value the effort behind your work and are committed to keeping their privacy and data safe. Below are some of the ways we protect your information.
Compliance
SOC 2
Iframely follows the criteria set forth by the SOC 2 Framework. SOC 2 is an internationally recognized audit framework for evaluating how service providers handle data security and operational controls. Iframely is preparing for its first full SOC 2 Type 1 and Type 2 audits.
GDPR
We adhere to the principles of the EU General Data Protection Regulation (GDPR) to ensure that personal data of both customers and employees is collected, stored, and processed responsibly.
Data security
Iframely’s infrastructure runs in Amazon Web Services (AWS) data centers located in the United States.
Our systems are distributed across several AWS availability zones—each housed in independent physical facilities—to ensure resilience against localized failures.
For more details, see AWS Cloud Security.
Encryption at rest
Customer data, including backups, is stored in open-source NoSQL databases and AWS-managed data stores (S3 and EBS).
All of these are configured with AES-256 encryption at rest to ensure strong data protection.
Secrets and encryption key management
Sensitive credentials and keys are managed securely through AWS Key Management Service (KMS) and an internal Key Vault system.
Access to keys and secrets follows the principle of least privilege and is restricted to authorized infrastructure services, managed directly by Iframely’s operations team.
Separation of environments
Production, staging, and development environments are fully segregated and operate on isolated networks.
Product security
Secure development
Iframely follows a continuous delivery model that enables frequent, safe, and automated updates to our systems.
We push new releases to production several times a day with strict quality and security controls in place.
- All code modifications are submitted via pull requests, reviewed, and approved before deployment.
- Dependency updates are automated through GitHub and Dependabot.
- Source code is analyzed to detect potential vulnerabilities or code quality issues.
- Sentry monitors errors in both web and desktop products.
- The security and engineering teams collaborate closely to address risks throughout the development process.
External security testing
Beyond internal audits, Iframely engages independent third-party firms to perform regular penetration tests on both application and cloud environments.
All findings are evaluated, prioritized, and remediated promptly by our security team.
Infrastructure and Network Security
Transport security
All data—whether between Iframely services or between users and our platform—is protected with TLS encryption.
We enforce TLS 1.2 or higher and use strong cipher suites supporting Forward Secrecy.
We also implement HTTP Strict Transport Security (HSTS) and maintain inclusion in the HSTS Preload List to prevent downgrade attacks.
External attack surface
Only public-facing applications and APIs are exposed to the internet.
All internal services are restricted to private networks, are accessible only through VPN, and require two-factor authentication.
Our external perimeter is continuously monitored for new or unexpected exposures by a trusted third-party provider.
Network segmentation
Network segmentation is a key layer of our defense strategy.
Iframely uses a multi-account AWS architecture to separate production, development, and testing environments, as well as supporting domains like security, marketing, and logging.
Within AWS, additional segmentation is achieved through VPCs, security groups, ACLs, and subnets to isolate services.
Intrusion detection and prevention
We aggregate network, host, and application logs into a centralized logging system.
Detailed audit trails are maintained for core services including AWS CloudTrail, GitHub, and Google Workspace.
Automated analysis tools detect and flag suspicious activities, with alerts monitored continuously by a Security Operations Center.
Organizational security
Security training
All new employees complete mandatory security awareness training during onboarding.
Ongoing annual refreshers are required for all staff, with dedicated technical security training for engineering teams.
Asset inventory
Iframely keeps an up-to-date inventory of all infrastructure assets and employee devices.
Access to customer data is strictly limited based on role and business need, audited regularly, and subject to least-privilege principles.
Support staff can only access customer data after explicit approval.
All employees are bound by non-disclosure agreements (NDAs).
Security incident management
Logs and alerts from multiple systems are analyzed centrally to identify and investigate unusual behavior.
Our incident response process defines how alerts are prioritized, escalated, and resolved.
Anyone — customer or not — may report suspected vulnerabilities or incidents to the Iframely Security Team.
For major incidents, Iframely coordinates internal expertise and, when necessary, external specialists to ensure full remediation.
Information security policies
Iframely maintains a comprehensive suite of security policies that form the backbone of our information security program.
Employees review these policies upon joining the company.
Covered areas include:
- Access and identity management
- Change and configuration control
- Risk and incident management
- Data classification and asset governance
- Network and endpoint protection
- Encryption and key handling
- Secure development lifecycle
- Vendor and supply chain management
- Vulnerability detection and remediation
- Mobile and remote work standards
- Business continuity and disaster recovery
Operational security
Backups and disaster recovery
All customer data is stored redundantly across multiple AWS data centers to ensure continuous availability.
Iframely runs automated backup routines and quarterly restoration tests to verify reliability.
Data backups are securely stored off-site and enable rapid recovery in the event of failure or disaster.
Endpoint security
All company devices are centrally managed and protected with full-disk encryption, firewalls, automatic updates, session timeouts, and anti-malware protection.
If a device is lost or stolen, it can be remotely wiped to protect company and customer information.
Risk management and assessment
Iframely conducts regular risk assessments to validate that its security controls meet regulatory and organizational requirements.
Vulnerability disclosure
To report a security vulnerability, please email security@iframely.com with details of the issue, steps to reproduce it, and its potential impact.