IRIS CRM Security

  • IRIS CRM meets the most extensive compliance standards
  • IRIS CRM utilizes Amazon's top-tier secure cloud services
  • IRIS CRM's platform and infrastructure undergo routine pen-tests and are monitored continuously by dedicated teams
  • IRIS CRM complies with data privacy standards outlined by our agreements

An Industry Standard

IRIS CRM is the Merchant Services CRM pioneer. Founded in 2010, IRIS CRM’s Merchant Services platform is used by ISOs spanning all industries, platforms and sizes.

PCI Compliance

IRIS CRM is audited on an annual basis and holds a PCI Level 1 Service Provider designation.

Hosting and Infrastructure

Security is a top concern for organizations that leverage Software-as-a-Service (SaaS). IRIS CRM’s Software-as-a-Service (SaaS) solution is provided as a hosted cloud application utilizing top-tier secure cloud services provided by Amazon. Application architecture and the data model are designed to ensure correct data segregation.

SOC 2 Type 2 Certified

This SOC 2 certification is a milestone in our continuous effort to create and improve our data privacy. After an extensive review, a certified SOC 2 auditor determined our products to be fully compliant, assuring current and future users that IRIS CRM’s offerings are created and delivered safely and securely.

Penetration Tests and Monitoring

IRIS CRM’s front and back-end applications, as well as its IT infrastructure undergo routine annual pen-tests by independent companies. This is done in addition to Amazon AWS’s own independent tests, periodic internal tests, and 24/7 monitoring of security-related events by dedicated teams.


Data Privacy

The information that IRIS collects concerning each User is called User Data. In general terms, IRIS will collect most of the information relevant to the operation of your business, such as your: name, address, company name, credit card information, bank account information, DBAs, logos, email addresses, telephone numbers, recordings of telephone calls, User IP addresses, processors, processor pricing, processor platform passwords and other credentials, processor ISO portfolio reporting, agent names, agent addresses, agent telephone numbers, agent email addresses, agent pricing, agent IRIS preferences, merchant application forms, merchant pricing, merchant names, merchant addresses, merchant phone numbers, merchant email addresses, merchant reporting preferences, User patterns of activity and such other information that Users may elect to input into IRIS.

Operations and Access Control

Service Models

IRIS CRM’s typical SaaS model is set up on Amazon Web Services (AWS), with management servers located on Amazon EC2, and storage divided between Amazon RDS for secure data, and Amazon S3 for published content for fast download rates.

Monitoring & Auditing – Intrusion Prevention and Detection

IRIS CRM has an extensive Security Information and Event Management system (SIEM), that collects security audit trail logs across infrastructure components in industry standard formats using an Intrusion Detection System and for analysis and control.

IRIS CRM’s SIEM alerts are based on comprehensive pre-defined scenarios, including identification of suspicious signs such as failed login attempts, logins from unknown and off-premise IP addresses or logins during off-hours.

SIEM alerts are monitored 24/7 by IRIS CRM’s Dev Ops team. The SIEM prioritizes all alerts, notifies IRIS CRM’s Security team in real time and escalates them according to severity.

Access Control – User Management and Permissions

IRIS CRM’s platform has an integrated, comprehensive role-based user management and enforcement system.

Assigning roles to users requires authorization from the relevant parties in IRIS CRM, and application permissions are granularly controlled per action and screen. Default roles are built into the platform, including: administrator, manager, sales rep, referral partner, merchant, etc. IRIS CRM allows customers to delegate usage and administrative permissions for the components and GUI elements deployed by IRIS CRM, while maintaining central management of the entire deployment cycle.

IRIS CRM’s internal corporate access control is centrally and manually managed based on strict need-to know and least-privileged principles on all levels: Application (strong authentication), Network (segmentation, firewall), OS (access to servers), and Procedural (who’s authorized to review/approve code, manage changes, etc.).

All internal duties within IRIS CRM are segregated based on duties between R&D (code development), Dev Ops (deployment) and Support (client services).


As the Merchant Services CRM market leader, backed with an uncompromising commitment to security and privacy, IRIS CRM is trusted by thousands of users, including public organizations. IRIS CRM makes sure to comply with legal, corporate and industry standards, maintaining and abiding by the strictest requirements, regulations and security measures at all levels – from its staff, through infrastructure and down to the finest details of its products and procedures.

IRIS CRM has received the most demanding certification in the industry, and offers its customers the ability to enforce hierarchy and access permissions internally, while providing an overarching security umbrella – hosting IRIS CRM’s infrastructure with the top-tier cloud provider, actively monitoring customer security 24/7, and performing periodic independent pen-tests on IRIS CRM’s platform and IT infrastructure.

Schedule Demo