Trust & Compliance

Use this section to understand how Iteration Layer handles workflow data before you connect production systems or client files.

Where Should A Security Review Start

Start with the Security, Privacy Policy, and Data Processing Agreement pages, then use these docs for technical details.

Review Area                    Where to Start
Security practices             Security
Privacy and subprocessors      Privacy Policy
Data Processing Agreement      Data Processing Agreement
API authentication             Authentication
Rate limits                    Rate Limits
Webhook behavior               Webhooks
Billing and account policies   Credits & Pricing, Account Policies

What Trust Controls Are In Place

Iteration Layer is designed for teams that need a clear processing boundary for document, image, website, spreadsheet, and generated-file workflows.

  • EU-hosted core infrastructure - The main application and API infrastructure runs on EU-hosted infrastructure.
  • Transient content processing - Submitted files and generated outputs are processed for the request and are not kept as customer content after processing.
  • No customer-data model training - Customer data is not used by Iteration Layer to train or improve AI models.
  • DPA available - Customers can use the Data Processing Agreement for GDPR processor terms.
  • Public subprocessor list - Subprocessors and their purposes are listed in the Privacy Policy.
  • Hashed API keys - API keys are stored as hashes, and the plaintext key is shown only at creation.

Which Certifications Are Available

Iteration Layer does not currently provide a SOC 2 report, ISO 27001 certificate for Iteration Layer as an organization, ISO 42001 certificate for Iteration Layer as an organization, BSI C5 attestation, HIPAA BAA, or formal EU AI Act conformity assessment.

Iteration Layer runs on certified European infrastructure, including data centers covered by ISO/IEC 27001:2022 and BSI C5:2020 Type 2. These certifications apply to the hosting provider and data-center services, not to Iteration Layer as a separately certified organization. Security and compliance reviews should rely on the Security, Privacy Policy, and Data Processing Agreement pages, implemented controls, and provider evidence where applicable.

Which Trust Pages Should Be Reviewed

Use the pages in this section based on the question your team needs to answer.

  • Data Handling & Retention explains what request data is processed and what metadata is retained.
  • EU Hosting & Subprocessors explains provider boundaries and hosting scope.
  • Security Controls explains API keys, transport security, webhooks, rate limits, and operational controls.
  • Compliance explains GDPR posture, EU AI Act boundaries, and certification status.
  • Auditability explains how to design workflows that are easier to review after processing.
  • Responsible AI Use explains when AI inference providers may be involved and how responsible AI data use is handled.
  • Incident Response explains how to report security issues and rotate exposed API keys.