Ironclad AI
Ironclad, Inc. · EFROS US AI Vendor Governance Index entry
Composite governance score
C = mixed posture. Acceptable for non-regulated use; requires meaningful additional controls in regulated workloads.
About this vendor
Contract lifecycle management platform with AI features for contract drafting, review, and metadata extraction. Targets in-house legal teams.
- Enterprise tier
- Ironclad Business, Ironclad Enterprise (AI features included)
- Vendor homepage
- https://ironcladapp.com
- Trust center
- https://ironcladapp.com/trust
Twelve-axis governance scoring
Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).
| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | Yes | Ironclad signs BAAs for enterprise customers with PHI obligations. | Ironclad Trust |
| Training-data opt-out | Yes | Customer contract content not used for training Ironclad's AI models. | Ironclad Trust |
| US data residency option | Yes | US data residency available for enterprise customers. | Ironclad Trust |
| SOC 2 Type II report | Yes | Ironclad holds SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018. | Ironclad Trust |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation. | Public posture review |
| NIST AI RMF self-attestation | No | No public NIST AI RMF self-attestation. | Public posture review |
| Colorado AI Act readiness | No | No Colorado AI Act-specific public statement. | Public posture review |
| HHS-OCR Section 1557 readiness | N/A | Not positioned for clinical use. | Ironclad positioning |
| FRB SR 11-7 readiness | N/A | Not positioned as a banking decisioning system. | Ironclad positioning |
| ABA Formal Op 512 readiness | Partial | Ironclad publishes general AI governance documentation; explicit ABA Op 512 mapping less prominent than legal-research-focused vendors. | Ironclad AI governance documentation |
| Subprocessor list public | Yes | Subprocessor list public via trust portal. | Ironclad Trust |
Trust-center maturity
Mature trust portal with public certificate library, audit reports under NDA, subprocessor list. AI-specific governance less prominent than platform fundamentals.
Source: ironcladapp.com/trust
Deep dive
Overview
Ironclad is best understood as a CLM platform with AI features rather than a pure legal AI vendor. The governance posture is strong on platform fundamentals (BAA, residency, SOC 2 + ISO stack), matching the standard a corporate legal team would require for any CLM. AI-specific governance is less prominent because the AI is an overlay on the contract workflow.
Strengths
- BAA, US residency, SOC 2, ISO 27k stack
- Mature trust portal
- Default no-train
- Public subprocessor list
Weaknesses
- No ISO/IEC 42001
- No NIST AI RMF self-attestation
- ABA Op 512 mapping less prominent than research-focused legal vendors
Best-fit use case
In-house legal teams using Ironclad as primary CLM, where AI features are workflow overlays rather than standalone deliverables.
Avoid when
Litigation or research-heavy practices. Ironclad's AI is contract-workflow-oriented, not research or matter-aware drafting.
Operator's take
Deploy Ironclad AI when in-house legal teams using Ironclad as primary CLM, where AI features are workflow overlays rather than standalone deliverables. The composite score of 63 (grade C) reflects a mixed posture for regulated US workloads. Skip the vendor when litigation or research-heavy practices. Ironclad's AI is contract-workflow-oriented, not research or matter-aware drafting. In every deployment, treat the cells above as a snapshot — the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.
How this scoring is computed
The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.
Read the full methodology →Disagree with this scoring?
EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).
Disagree with a score?
Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Ironclad AI, submit a formal challenge — we re-verify against the source and respond within 14 days.
Similar vendors (same category or sector)
Vendors in the same category as Ironclad AI, padded with vendors that share its primary sector. All scored on the same twelve axes — useful for head-to-head shortlisting.
Where Ironclad AI shows up in the rest of the Index
Ironclad AI is scored in every state and (where applicable) sector slice of the Index. Use these views to compare Ironclad AI against its peers from a state or sector lens rather than category.
Take the scoring into production
The Index tells you the posture. These engagements turn the posture into a deployable program — vendor selection, governance policy, sector overlay, audit-ready evidence.