🛡️Security & Compliance
Rely.io’s Internal Developer Portal (IDP) is designed for the most complex enterprise environments, therefore it was built with security, scale, and consistency in mind.
Therefore, the product is designed to meet the rigorous standards of enterprise engineering teams, ensuring that your data remains safe and your compliance requirements are met.
This page outlines our approach to data security, compliance certifications, and the measures we take to protect your data.
Certifications & Compliance
We are actively pursuing key certifications to meet the needs of our customers in highly regulated industries:
SOC 2 Type II -> we adhere to stringent data security, availability, processing integrity, confidentiality, and privacy protocols.
ISO 27001 -> we are aligning our Information Security Management System (ISMS) with ISO 27001 standards to protect against data breaches and operational disruptions.
PCI DSS -> while we do not process cardholder data, we adhere to PCI DSS security standards as part of our commitment to maintaining high-security measures.
These certifications are of utmost priority to us, as we continue expanding into highly regulated industries, such as fintech and financial services, where we are gaining significant traction.
Data Security & Privacy
Data Segregation Strategy
At Rely.io, our multi-tenant architecture is built to balance performance, security, and compliance. We implement clear access controls and data segregation to protect your data at all times. We offer a tiered approach to data storage, segregating data based on account type:
Tier One: Temporary Accounts – Metadata for free trials, pilots, and test accounts is stored in a pooled data model with Row-Level Security (RLS) to maintain access control. User data is fully isolated within its own organization (Org) to ensure data segregation.
Tier Two: Permanent Accounts – Active customers and partners benefit from a Bridge Data Model, where each tenant has a dedicated database schema for both metadata and user data, providing maximum isolation and security.
Data Encryption
Encryption at Rest: All data is encrypted using AES-256 encryption to ensure security even if physical access is somehow compromised.
Encryption in Transit: Data sent to and from Rely.io is secured via TLS v1.2+ to prevent interception during transfer.
Identity & Access Management (IAM)
We support modern Identity Providers (IdPs) like Okta, integrating seamlessly via SAML and SCIM protocols. Our platform also supports OAuth standards for secure access and identity management.
OAuth with Google SSO: Users can sign in using Google SSO, allowing for streamlined and secure authentication. Soon we will also support SSO with Okta.
OAuth2 for the Public API: Our Public REST API supports OAuth2 authentication, ensuring secure, token-based access to programmatic features of Rely.io.
OpenID Connect: We also support OpenID Connect (OIDC) for standardized authentication across your organization’s systems.
Data Ingestion & API Access
Data can be ingested into Rely.io through multiple methods, including:
Our Public REST API enables seamless integration into your existing workflows. It supports all CRUD operations (create, read, update, delete) for managing your catalog, scorecards, and self-service actions. Each API request is authenticated using OAuth2, ensuring secure token-based access.
GitOps with Rely.io – Entity and Configuration Definition Files
Rely.io is designed to integrate tightly with your existing GitOps workflows. We support entity and code definition files, allowing you to manage services, scorecards, and self-service actions via code.
GitOps Integration: Configure a job in your CI/CD pipeline to push changes in entity and configuration files to our Public API. This ensures your catalog, scorecards, and workflows are always up-to-date with the latest configurations.
Continuous Updates: Soon, Rely.io will release the capability to continuously scrape your Git repositories for changes, automatically updating your system without manual intervention.
Data Retention & Removal
Data Access -> each tenant’s access to their data is tightly controlled via RBAC and IAM policies. Logs are maintained to track access and changes.
Data Retention -> data remains in the system as long as needed for operational purposes. Upon termination or request, data is deleted after a 7-day backup retention period.
Data Deletion -> users can delete data via the Rely.io UI or API, ensuring full control over data lifecycle management.
Handling PII
Rely.io is designed to store infrastructure metadata, and we do not collect or process personally identifiable information (PII) beyond what is required for authentication:
First name
Last name
Email address
These details are only used for user authentication and account access management.
Open-Source Frameworks
Rely.io offers flexible deployment options through open-source components that allow for self-hosting or managed services, ensuring compliance with security policies in regulated industries. We provide users with the ability to run key elements of Rely.io within their infrastructure, ensuring full control over data and operations.
Galaxy Integration Framework
Our Galaxy Integration Framework is an open-source framework that integrates seamlessly with your existing engineering stack. Galaxy runs entirely within your cloud environment, allowing you to gather data from tools like Git, CI/CD pipelines, and monitoring systems without exposing public APIs.
Self-Hosted Plugins: With Docker or Helm, you can deploy plugins within your infrastructure. The Galaxy integration agent periodically communicates with your tools’ APIs and securely transmits data to Rely.io without external exposure.
Managed Plugins: For those preferring managed solutions, Rely.io offers cloud-hosted plugins that periodically fetch data over HTTPS and use webhooks for real-time updates.
Self-Service Agent
The Self-Service Agent is a key open-source component, designed to run within your environment and automate routine tasks such as resource provisioning or service deployment. It ensures that Rely.io has no direct access to your infrastructure, putting full control in your hands.
Open-Source & Self-Hosted: Available as an open-source project on Gitlab , the Self-Service Agent can be deployed via Helm or Docker. It runs within your environment, checking for and executing tasks triggered through the Rely.io UI or API, without needing Rely.io to have direct write access to your systems.
Managed Option: Alternatively, Rely.io can manage the agent for you, handling automation tasks while keeping your environment secure. The agent interacts with tools like Kubernetes, GitLab, or Jenkins, performing the required actions based on predefined workflows.
The Self-Service Agent follows the same security-by-design principles as the Galaxy Framework, enabling you to benefit from automation without compromising security or exposing your infrastructure to unnecessary risks.
Infrastructure & Network Security
Physical Security
Rely.io leverages Google Cloud for hosting, providing world-class physical security measures that include:
Biometric controls and multi-factor authentication for physical access.
24/7 CCTV monitoring and intrusion detection systems at all data centers.
No physical access for Rely.io personnel to Google Cloud’s data centers.
Logical Security
We enforce Role-Based Access Control (RBAC) to manage user permissions, and we segregate development, staging, and production environments through distinct virtual private networks (VPNs), ensuring strict separation of access.
Intrusion Detection
Rely.io uses a combination of Auth0's Suspicious IP Throttling and Brute-Force Protection to detect and prevent unauthorized access attempts. These tools identify suspicious activity, such as repeated failed login attempts or access from known malicious IP addresses, and take immediate action to block such behavior.
Additionally, we leverage Google Cloud’s Firewalls for signature-based threat detection. This provides another layer of protection by identifying traffic patterns that align with known attack vectors, helping to defend our infrastructure from malicious activity.
Rate Limiting & Traffic Control
Rely.io is enrolled in Google Cloud Armor's Standard tier, which provides comprehensive Web Application Firewall (WAF), DDoS protection, and rate limiting. These features ensure that our infrastructure is protected from a variety of threats:
WAF: Google Cloud Armor's WAF helps prevent common web-based attacks, such as bot-driven traffic, by analyzing traffic patterns and blocking malicious requests.
DDoS Protection: Google Cloud Armor offers built-in DDoS mitigation to handle distributed denial-of-service attacks, ensuring that our platform remains available even under high-volume traffic assaults.
Rate Limiting: We enforce custom rate-limiting rules to manage traffic and prevent abuse, protecting the platform from overwhelming requests or unauthorized access attempts.
Monitoring & Vulnerability Management
Security Audits & Penetration Testing
We conduct both internal and external penetration tests regularly. Vulnerabilities are addressed based on severity:
Critical vulnerabilities: Remediated within 2 days.
High vulnerabilities: Remediated within 7 days.
Medium vulnerabilities: Remediated within 30 days.
Our secure software development lifecycle (SDLC) ensures that security is built into every stage of product development.
Incident Response & Business Continuity
Rely.io employs advanced monitoring tools for real-time threat detection and intrusion prevention. Our incident response team is equipped to handle security incidents swiftly and effectively.
Business Continuity & Disaster Recovery
Backups & High Availability
We maintain encrypted backups across multiple regions to ensure business continuity in the event of an outage. Redundant systems and geographical distribution provide high availability for our customers.
Disaster Recovery Plan (DRP)
Rely.io’s Disaster Recovery Plan ensures services can be restored quickly in the event of an incident. We regularly test our DRP to ensure preparedness and to minimize disruption during outages.
Corporate Security
Malware Protection
At Rely.io, we believe strong security practices begin within our own organization. To safeguard against internal threats and vulnerabilities, all company-provided workstations are enrolled in Endpoint Detection and Response (EDR) solutions. These systems enforce critical security measures, including full-disk encryption and regular OS updates, to ensure our internal infrastructure is secure.
Security Policies
Rely.io’s security policies are continuously updated to reflect the latest best practices and emerging threats. We conduct annual reviews of our security framework to identify potential gaps and make improvements. Our core security policies include:
Access Management
Backup Management
Change Management
Data Retention Management
Information Security
Incident Response
Risk Management
Vulnerability Management
Business Continuity and Disaster Recovery (BCP & DR)
These policies are available to enterprise customers upon request.
Security Training
All new employees at Rely.io undergo comprehensive onboarding, including environment and permissions setup, security policies, and corporate ethics training. In addition, all employees complete annual security training to ensure they stay current on the latest security practices and protocols. Our security policies are reviewed annually to ensure they align with industry standards and best practices.
Disclosure Policy
In the event of a data breach, Rely.io is committed to notifying affected customers as quickly as possible via email and the primary contact channel. We provide regular updates during the resolution process, ensuring transparency and timely communication throughout.
Rely.io also maintains a live status page where customers can subscribe for updates regarding service uptime and any incidents. Known issues and outages are reported in real-time to keep our customers informed.
Vulnerability Disclosure
At Rely.io, we take security very seriously and encourage responsible disclosure of vulnerabilities. If you discover a vulnerability or have a security concern, you can report it by contacting security@rely.io. Please include:
A proof of concept demonstrating the vulnerability.
A list of tools used (including their versions).
The output or logs from the tools you used.
Once we receive your disclosure, our security team promptly investigates and verifies the issue. We prioritize the resolution of vulnerabilities and take swift action to ensure the security of our platform.
Penetration Testing
Rely.io undergoes annual penetration testing conducted by an independent, third-party security agency. These tests are performed in an isolated environment, with no customer data exposed during the assessment. We provide the testing agency with a high-level architecture diagram of the platform to ensure a thorough review of potential vulnerabilities.
Any security vulnerabilities discovered during the penetration test are evaluated and remediated based on their severity. A summary of the findings and remediation efforts is available to our customers upon request.
Privacy Policy
You can find Rely.io's Privacy Policy here.
Data Processing Addendum
You can find Rely.io's Data Processing Addendum (DPA) here.
Last updated