Common Questions

Most organizations achieve audit-readiness within 2–6 weeks of deployment, depending on complexity. SaaS startups using our SOC-2 fast-track can often complete the journey in as little as four weeks.

No. Iron Fort is designed to eliminate the need for expensive external consultants for routine compliance work. Our platform includes built-in HIPAA, ITSG-33, and SOC-2 expertise, guided workflows, and AI-assisted policy review so your internal team can do the work.

Yes. Iron Fort offers a free trial through AWS Marketplace. You can also book a free 30-minute strategy call with our compliance experts to get a personalized readiness assessment at no cost.

Generic GRC platforms are built for broad security management and require significant customization for healthcare and government compliance. Iron Fort ships with pre-mapped controls for HIPAA (including NIST 800-66 Rev.2 and HITRUST CSF), ITSG-33, and SOC-2 — purpose-built for the specific audit workflows, evidence requirements, and reporting formats those frameworks require.

Iron Fort integrates with AWS, Microsoft Azure, Google Cloud Platform, and on-premises environments including EHR systems. It also supports hybrid deployments for organizations with mixed infrastructure.

Iron Fort runs automated compliance scans against Microsoft Office 365, GitHub, and Azure DevOps in addition to all major cloud platforms. Scans check for misconfigured permissions, missing MFA enforcement, exposed secrets, and other common compliance drift patterns.

Most organizations are live and running their first automated scans within a few hours of signing up. Pre-built connectors for AWS, Azure, and GCP require only read-level API credentials — no agents to install, no firewall changes required.

Iron Fort is available through multiple Government of Canada procurement vehicles including RFSA (SaaS), SLSA (Software Licensing), TBIPS, CSPV, and ProServices programs. It is also available directly through AWS Marketplace.

Yes. Iron Fort is listed on AWS Marketplace and supports consolidated AWS billing. Any existing AWS Marketplace credits or committed spend can be applied directly toward your Iron Fort subscription — no separate vendor relationship required.

Yes. Annual billing saves approximately 17% compared to monthly pricing across all self-serve plans. Enterprise plans include additional volume and multi-year commitment options — contact our sales team for a custom quote.

ITSG-33 (IT Security Risk Management: A Lifecycle Approach) is the Government of Canada's security control framework, published by the Communications Security Establishment (CSE). Any federal department, agency, or contractor processing government information is required to achieve SA&A (Security Assessment & Authorization) compliance under ITSG-33.

Yes. Iron Fort includes pre-configured control baselines for Unclassified, Protected A, and Protected B classification levels aligned to ITSG-33 Annex 3. The platform automatically scopes the appropriate control set based on your system's data classification.

Yes. All SA&A documentation, reports, and policy templates are delivered in both official languages to meet Treasury Board requirements for bilingual government documentation.