Trust Centre
Security, compliance and verification at MaxIron
Everything a procurement, security or audit team needs to assess MaxIron in one place: live status of our current ISO/IEC 27001:2022 certification, the sub-processors we use, the security contact and PGP key, and a link to the latest quarterly Trust Report.
Last updated: 1 May 2026 · Next quarterly review due: 1 August 2026
Live status
- ISO/IEC 27001:2022: Certified (certificate number 27274-ISMS-001) by ISOQAR (UKAS-accredited Certification Body 0026)
- UK GDPR / DPA 2018: Compliant; documented ROPA and DPIA process
Security overview
The detail behind the live status above.
MaxIron delivers IBM Maximo implementation, cloud hosting, managed support, and licensing services to enterprise and critical-infrastructure customers across the United Kingdom and Europe. Security is fundamental to what we do. This page summarises our information security posture for customers, prospects, and other stakeholders who need assurance about how we protect systems and data.
Governance and certification
| Standard | Status |
|---|---|
| ISO/IEC 27001:2022 | Certified to ISO/IEC 27001:2022 by ISOQAR (UKAS-accredited Certification Body 0026) — certificate number 27274-ISMS-001 |
| UK GDPR / Data Protection Act 2018 | Compliant |
We operate a formal Information Security Management System (ISMS) certified to ISO/IEC 27001:2022 by ISOQAR (UKAS-accredited Certification Body 0026) under certificate number 27274-ISMS-001. UKAS is a signatory of the International Accreditation Forum Multilateral Recognition Arrangement (IAF MLA), so the certification is recognised internationally as equivalent to certifications accredited by IAF MLA peers including ANAB (United States), JAS-ANZ (Australia and New Zealand) and DAkkS (Germany). The ISMS covers 26 policies, 11 procedures, and a Statement of Applicability addressing all 93 Annex A controls. It is subject to annual internal audit, quarterly performance reporting against defined security objectives, and an annual management review.
Cloud hosting security
All customer IBM Maximo environments are hosted on enterprise cloud infrastructure.
| Capability | Detail |
|---|---|
| Cloud platforms | Amazon Web Services (AWS), Microsoft Azure and Oracle Cloud Infrastructure (OCI) — full proficiency across all three; chosen per customer requirement |
| Threat detection | AWS GuardDuty, Azure Defender, OCI Cloud Guard enabled on all active environments |
| Audit logging | CloudTrail / Activity Log / Audit logging enabled; logs retained for 12 months |
| Monitoring | Cloud security alerts reviewed weekly by the security lead |
| Data residency | Default UK/Ireland regions; alternative regions agreed per customer |
| Shared responsibility | Formally documented. MaxIron manages identity, patching, encryption, network configuration, monitoring, and backup within the customer layer |
All cloud infrastructure providers hold SOC 2 Type II and ISO 27001 certifications.
Access control and identity management
- Multi-factor authentication (MFA) enforced on all accounts: cloud console, Microsoft 365, VPN, and all SaaS tooling
- Least-privilege access model with named individual accounts. No shared credentials
- Customer environment access via VPN, restricted to allow-listed source IP addresses
- Semi-annual access rights review; access revoked within five business days of any personnel or contract change
- Privileged access to cloud infrastructure restricted to a small number of named individuals
Endpoint and device security
- All endpoint devices managed under Microsoft Intune (MDM), enforcing consistent security configuration across the estate
- Full-disk encryption enforced on all devices (BitLocker on Windows; FileVault on macOS)
- Endpoint Detection and Response (EDR) and antimalware active on all endpoints, managed via Intune
- Screen lock, patch compliance, and application policies enforced centrally
- Remote wipe capability enabled on all enrolled devices
- MDM compliance dashboard reviewed monthly by the security lead
Personnel security
- Pre-engagement screening for all employees and contractors
- Non-disclosure agreement and policy acknowledgement required before any system or data access
- Annual security awareness training using NCSC-accredited content
- Dedicated AI use policy governing the use of artificial intelligence tools. No customer data is permitted in unapproved AI services
Incident management
- Defined incident classification (P1 to P4) with service-level response times
- P1 (critical) incidents: one-hour acknowledgement target
- Customer notification without undue delay for any incident affecting their environment
- Post-incident review and formal corrective action process for all significant incidents
- Evidence preservation and chain-of-custody procedures documented
Business continuity
- Business continuity plan covering service disruption, cloud provider failure, and key-person scenarios
- Backup policy with regular restore testing (minimum semi-annual per production environment)
- ICT recovery planning managed within MaxIron's certified ISO/IEC 27001:2022 ISMS, including control A.5.30
IBM Maximo Application Suite security
We configure and maintain the security capabilities built into IBM Maximo Application Suite:
- HTTPS-only access with valid TLS certificates; HTTP-to-HTTPS redirection enforced
- Role-based access control using Maximo security groups, sites, and conditions
- Application-level audit logging for user actions and configuration changes
- Maximo fix packs and critical security patches applied in line with IBM's support timeline and our vulnerability management procedure
MaxIron Portal security
The MaxIron Portal, our service management and delivery platform, is secured with the same standards applied to customer environments:
- MFA-protected access
- Role-based permissions
- Encrypted data in transit and at rest
- Hosted on MaxIron-managed cloud infrastructure within the ISMS scope
Supplier and third-party security
- All suppliers risk-classified across four tiers (Critical, Significant, Standard, Contractor)
- Tier 1 suppliers (AWS, Azure, OCI, Microsoft 365) assessed annually against published security certifications
- Contractual security terms required for all supplier engagements
- Contractor access governed by a dedicated onboarding process including NDA, policy acknowledgement, MFA, and MDM enrolment
Data classification
All information handled by MaxIron is classified under a four-tier scheme: Public, Internal, Confidential, and Restricted. Customer information received during service delivery is treated as Confidential by default, unless the customer specifies otherwise.
Sub-processors
The third parties below process customer or MaxIron-internal data on our behalf. The list is reviewed quarterly and updated when material changes occur. Customers with a data processing agreement (DPA) in place are notified of any addition or material change at least 30 days in advance, unless an urgent security or operational need requires faster action.
| Sub-processor | Purpose | Region | Certifications |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud platform for customer Maximo environments and MaxIron internal services | eu-west-1 Ireland, eu-west-2 London | ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS |
| Microsoft Azure | Cloud platform for customer Maximo environments | UK South, North Europe | ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 |
| Oracle Cloud Infrastructure (OCI) | Cloud platform for customer Maximo environments | UK South, EU Frankfurt | ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 |
| Microsoft 365 | MaxIron internal email, collaboration, identity (Entra ID) | EU | ISO 27001, SOC 1/2 |
| Microsoft Intune | Endpoint MDM, EDR and device compliance enforcement | EU | ISO 27001, SOC 1/2 |
| Cloudflare | CDN, edge proxy and DDoS protection for maxiron.com and the MaxIron Portal | Global edge | ISO 27001, ISO 27018, SOC 2 |
| Resend | Transactional email delivery for contact and quote forms | EU | SOC 2 |
| Plausible Analytics | Cookie-less, privacy-first website analytics | EU (Germany) | GDPR-aligned, no PII collected |
| Cal.com | Booking widget for the free 30-minute Maximo Health Check review | EU | ISO 27001, GDPR-aligned |
Quarterly Trust Report
Each quarter MaxIron publishes a short Trust Report covering: changes to the sub-processor list, security incidents that affected any customer environment (or a clear "none" if applicable), and policy updates. The current edition is shared on request to office@maxiron.com while the dedicated landing page is being built.
Customers under NDA can also request the current ISMS Statement of Applicability.
Security contact and disclosure
For security-related queries, vulnerability reports or due-diligence requests:
- Email. security@maxiron.com — monitored during UK business hours, with same-business-day acknowledgement target.
- General. office@maxiron.com
- PGP key. Available on request to security@maxiron.com for encrypted vulnerability disclosure.
- Coordinated disclosure. We commit to acknowledging any reported vulnerability within one business day, providing a status update within five business days, and crediting researchers in any subsequent advisory if requested.
Verification links
- IBM Partner Plus directory listing — IBM Gold Partner, company 8294, verifiable on ibm.com.
- ISO/IEC 27001:2022 certified by ISOQAR (UKAS-accredited Certification Body 0026) — certificate number 27274-ISMS-001.
- UK G-Cloud 14 supplier listing — MaxIron Ltd as supplier 721548.
- Companies House — MaxIron Ltd, company number 14444817.
- MaxIron on LinkedIn