We follow industry secure-coding best practices and are deployed on gold-standard infrastructure at Fly.io (DPA available on request). These include, but are not limited to:
- Evergreen dependencies
- Data encrypted at rest
- All applications are served over TLS only (A rating on Qualys SSL Labs)
- Scanning, exfiltration and DDoS protection via Cloudflare
- Automated code scanning as part of CI/CD process
- Regular external ("black box") automated scans via Metasploit/Snyk
- Enforced password complexity; passwords are stored using a password-based key derivation function (bcrypt)
- MFA available via SMS, TOTP or WebAuthn
There are various other security features available for Enterprise customers including:
- Single Sign-On via SAML, Azure Active Directory, OAuth, or any OIDC provider
- HRIS/SCIM integration for onboarding and offboarding
- Detailed, compliance-ready audit logging
- Management Portal for IT administrators
- (On request) Third-party penetration test reporting, including support for internal teams running their own custom tests
- (On request) Machine-learning-based account takeover detection and anomalous behaviour tracking
- (On request) Private Cloud deployment
As we are a new business, we are not yet SOC2 certified. We are, however, working toward SOC2 alignment, and are happy to make any Enterprise agreement conditional on achieving SOC2 certification within 18 months.