Iron Mountain InSight® security whitepaper


Learn how Iron Mountain InSight® incorporates an end-to-end security strategy that covers content ingestion to storage of digital documents and metadata.

29 April 202412 mins
Iron Mountain InSight® security whitepaper
Executive Summary

About Iron Mountain security

Iron Mountain incorporates an in-depth security approach that covers content ingestion, storage, and processing of digital documents as well as hosting in a secure data centre. Iron Mountain leverages the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) as our enterprise security framework. We provide secure deployment of services, data storage with end-user privacy safeguards, communications between services, and administration support with separation of duties.


Iron Mountain works with highly regulated industries requiring workforce security and privacy training. Employees take various security courses and training developed throughout the year as mandated by our enterprise-wide training program. The training includes annual security awareness, data privacy training, secure code training, code of ethics, and business conduct. We work with customers so that personnel are properly vetted with background checks. Our employment is contingent upon a background investigation as applied through various local and client requirements.

Iron Mountain InSight products

I. Compliance programs

Iron Mountain InSight has established a broad and specific security compliance program aligning with industry and regulatory customer needs. This includes security compliance and data privacy.

Compliance attestations

  • ISO-27001 - InSight has been continuously certified since 2020. This is an international standard that helps organisations manage the security of their information assets. It provides a management framework for implementing an information security management system (ISMS) to ensure the confidentiality, integrity, and availability of all data.
  • SOC2 Type 2 - Iron Mountain has maintained a SOC2 Type 2 attestation for InSight since 2020. SOC2 Type 2 Report is a Service Organisation Control (SOC) audit on how a cloud-based service provider handles sensitive information.

Industry compliance

  • InSight is 21 CFR Part 11 capable.
  • StateRAMP - Ready status received in January 2024.
  • FedRAMP (NIST 800-53/37) - Third-party testing performed against the NIST 800-53 Revision 4 controls, as well as additional FedRAMP requirements. InSight has received FedRAMP Authorisations to Operate (ATO) as well as FedRAMP Ready status.

Data privacy

  • General Data Protection Regulation (GDPR) - InSight has undergone a GDPR assessment and a copy of the report is available upon request.
  • Health Insurance Portability and Accountability Act (HIPAA) - InSight is HIPAA-compliant and has implemented privacy and security measures to protect the privacy and security of personally identifiable information (PII).

II. Operational security overview

Identity and access management

  • We implement and enforce role-based access control for privileged users wherein their use and allocation is restricted. Multi-factor authentication (MFA) is mandatory so that access is limited to authenticated users. Least privilege is implemented for authorised users and processes.


  • Security scanning - The InSight environment includes a monitoring system which scans container images and systems, and detects vulnerabilities.
  • Application security testing - InSight conducts static application security testing (SAST), dynamic application security testing (DAST) and manual penetration testing.
  • System monitoring and audit logs - InSight includes a security information and event management (SIEM) system for log management, real time monitoring of security events, correlation and alerting of security events, and audit logs.
  • Incident response - Our cyber incident and response team (CIRT) is responsible for classifying audit events that are of particular interest for the Iron Mountain InSight information system, and for conducting reviews and analysis of audit records.
  • Incident management - Our cyber incident and response team (CIRT) maintains a cyber response plan to identify, protect, detect, respond, and recover in real time to include comprehensive logging and monitoring of our products and infrastructure. We also maintain employee awareness and training programs to include internal information security policies and procedures.

Business continuity

  • InSight’s Recovery Time Objective (RTO) for Tier 1 business applications is between 10 - 24 hours and the Recovery Point Objective (RPO) was assessed to be 1 hour in our last business continuity plan (BCP) test conducted in Q4 2023. RTO/RPO can be modified based upon customer needs.

Disaster recovery

  • InSight’s disaster recovery test is designed so that we can effectively recover objects, databases, and indices from accidental deletion or update, as those are the sources of persistent data for the InSight application within the given RTO/RPO as documented in our business continuity plan (BCP).

Capacity planning

  • Our capacity planning is geared towards monitoring workload performance and allowing capacity to meet current and future demands. This includes measuring performance and monitoring so that we do not reach capacity limits.

Patching and vulnerability management

  • Patching and vulnerability management, anti-malware, endpoint disk encryption, and intrusion prevention are managed through our Information Technology asset and endpoint management solutions.


  • All data is encrypted in flight and at rest following the Federal Information Processing Standards (FIPS 140-2) using industry standards such as Advanced Encryption Standard (AES) 256 and service managed keys.

III. Data privacy

Data residency

  • Data residency describes where customer’s data is stored at rest. To help comply with data residency requirements, InSight has the ability to control where data is stored and also customise and restrict data storage to certain regions.

Data protection

  • InSight applies appropriate technical, organisational and administrative measures, including encryption and multi-factor authentication (MFA) so that customer data remains secure at all times. InSight can deploy a web application firewall (WAF) at a customer’s request.

Data protection impact assessments (DPIAs)

  • Iron Mountain handles private and personally identifiable information on behalf of others. As a data controller or data processor, Iron Mountain can handle or process customer information without being made aware of the actual content or origin of the data.
  • When we act as a data controller or data processor from the European Economic Area (EEA) and Switzerland (or access data from the United States in the EEA or Switzerland) data will be processed pursuant to the applicable Privacy Shield Principles.
  • We conduct data protection impact assessments (DPIAs) at regular intervals as mandated associated with the processing of personal data.

NOTE: Please view Iron Mountain’s privacy policy statement for information about the types of personal data and the purposes for which such data is transferred and processed, as well as the third parties with whom such data may be shared.

Elevate the power of your work

For more than 70 years, Iron Mountain has been your strategic partner to care for your information and assets. A global leader in storage and information management services and trusted by more than 225,000 organisations around the world, including over 90% of the Fortune 1000, we protect, unlock, and extend the value of your work— whatever it is, wherever it is, however it’s stored.