Your data, your customers, protected.
Ironscale handles real customer data, real phone numbers, and real revenue. We treat security like an operating requirement, not a marketing checkbox. Here's exactly what's in place — and what we don't do with your data.
SMS deliverability & A2P 10DLC compliance
A2P 10DLC is the US carrier compliance framework that determines whether your SMS messages actually get delivered. Without proper registration, AT&T, Verizon, and T-Mobile silently block 60–90% of business SMS traffic. With it, you hit 95%+ deliverability.
What Ironscale does for you:
- Brand registration with The Campaign Registry (TCR) under your business name
- Campaign registration for your messaging use cases (marketing, notifications, customer care)
- Throughput optimization — verified senders get up to 30 messages/second vs 1 msg/sec for unverified
- Opt-in / opt-out handling — every message includes STOP language; replies trigger automatic suppression
- Carrier reporting — when a message is rejected, you see the reason and we route around it
Data security & encryption
Every byte of customer data Ironscale processes is encrypted in transit and at rest. No exceptions, no opt-outs, no "we'll get to it later."
- TLS 1.3 for every connection — browser, API, mobile, webhook
- AES-256 for data at rest, including database, backups, and call recordings
- HTTPS-only with HSTS preload — browsers refuse to connect insecurely, ever
- Strict Content Security Policy — prevents script injection attacks on your portal
- DDoS protection at the edge via Cloudflare — bank-grade attack mitigation, included
- Regular security audits — quarterly internal review of access logs and configuration
Access control
Your data is your data. We restrict access at every level.
- Multi-factor authentication available on every account, recommended for all admins
- Role-based permissions — give team members access to exactly what they need, nothing more
- Audit logs on every sensitive action — who viewed what, who changed what, when
- Session management — automatic timeout on inactive sessions, force-logout on suspicious activity
- API key rotation built in — rotate keys without downtime
Privacy commitments
We make these promises in writing, and we mean them:
- We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
- We don't train AI models on your data. Your customer conversations stay yours. Period.
- We don't share your customer list. With anyone, ever, regardless of the business reason.
- We support data export. Want everything? One click, full export, no questions asked.
- We support data deletion. Cancel + delete, your data is purged from all systems within 30 days.
- We honor DSARs. Your customers can request data export or deletion under GDPR/CCPA and we have a workflow for it.
Full details in our Privacy Policy.
Infrastructure
The underlying telecom and hosting stack — for the technically curious:
- Telephony + SMS: Telnyx, Tier-1 US carrier connectivity, A2P 10DLC verified
- CRM + automation backend: GoHighLevel (enterprise tier), white-labeled as Ironscale
- Hosting + CDN: Cloudflare global edge — 300+ data centers, automatic HTTPS, DDoS protection
- DNS: Cloudflare, with DNSSEC available on request
- Email: Multiple SMTP routes with SPF, DKIM, and DMARC alignment for deliverability
- Database: Encrypted PostgreSQL with daily backups, point-in-time recovery
We use industry-standard infrastructure on purpose. Building proprietary telecom or hosting would mean reinventing problems already solved by companies with billion-dollar engineering budgets.
Incident response
If something goes wrong, you'll know within hours, not weeks.
- Status page at status.ironscalemarketing.com (subscribe for alerts)
- Security incidents disclosed to affected accounts within 72 hours per GDPR Article 33
- Customer support with real humans, response within one business day on all tiers
- Responsible disclosure welcomed — email support@ironscalemarketing.com (we read it)
What we're working toward
Security is never "done." Here's what's on the roadmap:
- SOC 2 Type II attestation (in progress, target completion late 2026)
- HIPAA-aligned tier for healthcare-adjacent operators (in evaluation)
- SSO + SAML for enterprise tier accounts
- Granular data residency options (EU-only storage available on request)
Try it. The security claims are easy to verify.
Start the 14-day free trial. Check our headers, inspect our DNS, run a Mozilla Observatory scan. We built it to hold up to scrutiny.