IronShield Technologies Inc.
Applies to: dashboard.tolerance.app · tolerance.app · onboarding.tolerance.app
IronShield Technologies Inc. (“IronShield,” “we,” “us,” or “our”) provides a CMMC compliance management platform that helps defense industrial base contractors track cybersecurity posture, manage Plans of Action and Milestones (POA&Ms), calculate SPRS scores, and prepare for CMMC assessments. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our platform, websites, and related services (collectively, the “Services”).
This Policy applies to all visitors, demo users, and paying customers. By accessing or using the Services, you agree to the practices described in this Policy.
Controller / Processor Distinction
When IronShield processes compliance assessment data (SPRS scores, POA&M entries, NIST SP 800-171 assessment results, and related documentation) on behalf of your organization, IronShield acts as a data processor and your organization acts as the controller. When IronShield processes account registration data, billing information, and platform usage analytics, IronShield acts as an independent controller. This Policy covers both roles.
Before describing our data practices, IronShield makes the following important disclosures:
Not FedRAMP Authorized: IronShield is not a FedRAMP Authorized cloud service provider and does not claim FedRAMP Moderate Equivalency as defined by the DoD Chief Information Officer. The platform is not designed or approved for the processing, storage, or transmission of CUI, CDI, or FCI as defined under DFARS 252.204-7012.
No Government Affiliation: IronShield is not endorsed by, affiliated with, or sponsored by the Department of Defense, the Cyber AB (CMMC Accreditation Body), NIST, DCSA, or any federal agency.
Not Compliance Advice: Use of the platform does not constitute legal, compliance, or cybersecurity advice and does not ensure or guarantee CMMC certification, a specific SPRS score, or DoD contract eligibility.
Do Not Upload CUI: Customers should not upload, enter, or transmit actual Controlled Unclassified Information, classified information, or ITAR-controlled technical data into the platform. Each customer is solely responsible for ensuring that information entered into the platform does not violate applicable data handling obligations.
When you use the platform to manage your CMMC compliance program, we collect and store the compliance assessment data you input, including:
IronShield treats Compliance Assessment Data as sensitive business information. We process this data solely to provide the Services and do not use it for advertising, analytics, model training, or any purpose beyond service delivery.
When you register for or use the Services, we collect:
We automatically collect certain technical information when you access the Services, including IP addresses and approximate geographic location, browser type and device identifiers, pages and features accessed, session duration and navigation patterns, error logs and performance data, and referring URLs.
We collect information you provide when contacting support, submitting feedback, responding to surveys, or communicating with us by any means.
We use cookies and similar technologies to maintain session state, remember preferences, measure platform performance, and improve the Services. We do not use third-party advertising cookies. You may disable cookies in your browser settings, but doing so may affect platform functionality. We honor Global Privacy Control (GPC) signals for applicable opt-out rights.
IronShield does not use Compliance Assessment Data for platform improvement, analytics, or any purpose other than service delivery.
IronShield does not sell or rent your information to third parties. We share information only as described below.
We share information with vetted service providers who process data on our behalf to deliver the Services. All subprocessors are contractually bound to process data only as directed and to maintain appropriate security measures. Our current subprocessors are listed at tolerance.app/legal/subprocessors. We provide at least 30 days' advance notice before adding or replacing a subprocessor. All subprocessors used for storage or processing of Customer Data are US-based.
We share information when you direct us to, such as when you export compliance reports for submission to a C3PAO assessor, a prime contractor, or the SPRS portal.
We may disclose information if required by applicable law, regulation, court order, or lawful government request. Where permitted, we will notify you before disclosing.
In the event of a merger, acquisition, or sale of substantially all of our assets, Customer Data may be transferred to the acquiring entity subject to the same protections described in this Policy. We will provide notice before any such transfer.
We may share information in other circumstances with your prior written consent.
IronShield implements technical, administrative, and physical security measures designed to protect your information. Our security practices include:
No security program is perfect. If you believe a security incident has occurred, contact us immediately at [email protected].
IronShield is working toward SOC 2 Type II certification. We will publish our certification status at tolerance.app/security.
We retain information for as long as necessary to provide the Services and fulfill the purposes described in this Policy, subject to legal obligations.
You may request deletion of your data at any time by contacting [email protected]. We will provide written confirmation of deletion upon request.
You may access, correct, or request deletion of your Account Data at any time through your account settings or by contacting [email protected]. Compliance Assessment Data is owned and controlled by your organization — contact your account administrator to modify or delete compliance records.
You may export your Compliance Assessment Data in standard formats (JSON, CSV, PDF) at any time through the platform's export features.
You may opt out of marketing and non-essential communications at any time by clicking “unsubscribe” in any email or contacting [email protected]. You cannot opt out of transactional communications such as account security alerts, billing notices, and service updates.
California residents have additional rights under the CCPA as amended by the CPRA:
To exercise California rights, submit a request to [email protected]. We will respond within 45 days. We may require identity verification before processing your request. California residents may designate an authorized agent by providing written authorization.
Delaware residents have rights under the Delaware Personal Data Privacy Act (DPDPA) including rights of access, correction, deletion, portability, and opt-out of targeted advertising and profiling. Submit requests to [email protected]. You may appeal a denied request by emailing [email protected] with the subject line “Privacy Request Appeal.”
If you access the Services through a demo, trial, or beta program:
The Services are intended for use by business entities and their employees. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has submitted information to our platform, contact [email protected] and we will promptly delete it.
We may update this Policy from time to time. For material changes, we will provide at least 14 days' advance notice via email to account administrators and/or in-platform notification before changes take effect. Non-material changes (such as clarifications or contact information updates) will be effective upon posting. The updated Policy will always be available at tolerance.app/legal/privacy. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
This Policy is designed to meet the requirements of applicable US state privacy laws. To the extent any state law provides rights not addressed above, those rights are hereby incorporated by reference. For state-specific questions or requests, contact [email protected] and identify your state of residence.
For privacy questions, requests, or concerns:
IronShield Technologies Inc.
Email: [email protected]
Rights requests: Subject: Privacy Request — [Your Name / Organization]
Appeals: Subject: Privacy Request Appeal
Last updated: March 16, 2026 · Version 1.0