ShieldIQ is a server-side SaaS — your config is uploaded to our servers to be audited. We think you deserve to see the whole path it takes, in plain terms, before you trust us with it. No marketing spin: this is the real data flow.
A firewall config file (JSON, XML, or text) is sent to ShieldIQ over an encrypted TLS connection. An upload-based audit requires no agent and no network credentials.
The config is parsed entirely in server memory. The raw configuration is never written to disk, never stored in our database, and never logged. The vendor-specific syntax is normalized to abstract rule objects before the 15 checks run.
Only the normalized audit results — findings, risk scores, and remediation guidance — are saved to the database. The raw config is discarded the moment the audit completes. We never store your network topology, IP ranges, or rule logic.
If you turn AI explanations on, the metadata for the flagged findings — rule names, source/destination addresses and ports, the rule action, and the vendor — is sent to our AI provider, Anthropic, so it can write a plain-English explanation. The executive summary additionally includes your device name and organization name. The raw uploaded configuration file is never sent. Anthropic does not train on API inputs.
AI explanations are optional and can be disabled per-organization. With AI off, no rule data leaves ShieldIQ — all processing stays on our servers and you still get the full 15-check audit, scores, and remediation guidance.
The finished audit becomes a scored report you can export (HTML, and PDF/DOCX/CSV on paid plans) or share via a read-only link. Everything in the report is built from the stored findings and scores — never from a retained copy of your config, because there isn't one.
When AI analysis is enabled, ShieldIQ sends Anthropic's Claude API the metadata for flagged findings — rule names, source/destination addresses and ports, the rule action, and the vendor — so it can write plain-English explanations. The executive summary additionally includes your device name and organization name. The raw uploaded configuration file is never sent. Anthropic does not train on API inputs and processes them under its commercial terms.
AI analysis is optional and can be disabled per-organization. If you prefer no third party to receive any rule data, run audits with AI disabled — all other processing stays within ShieldIQ.
We will only claim what is true today. ShieldIQ is not yet SOC 2 certified — SOC 2 Type I is on our 2026 roadmap, with Type II to follow, and an independent penetration test is planned. In the meantime, the practices on this page are the ones in place now. See our Security Practices page for the full roadmap.
Encryption, access control, audit trail, infrastructure, and the full security roadmap.
Data subject rights, retention, third-party services (Stripe, Anthropic, Vultr), and cookies.