Security at Redocly

From product architecture, to legal compliance, to privacy protection, we take security very seriously to remain worthy of thousands of developers who trust us with their API lifecycles.

Redocly is secure by design and designed to help you stay secure

HTTPS & data encryption

TLS (1.2+)

TLS certificate to encrypt data in transit, free on every plan.


We encrypt all data at rest with the highest security standard.

Identity and access management

Redocly’s cloud application Workflows features highly customizable access policies to fit your exact security requirements.



SAML2 or OpenID connect with domain verification.


Roles & permissions

Give project-level permissions to groups of people.


Team mapping

Map users to relevant teams based on their IdP attributes.


Audit trail

Rich event logging to track how users updated projects over time.

Regular security measures and activities

Penetration testing

Redocly conducts internal and external (3rd party) penetration testing at least annually.

Vulnerability management

We scan our code and dependencies daily with AWS Elastic Container Registry. Critical issues are resolved in under one week.

People security

Background checks, security awareness training, access levels following the principle of least privilege.

Malware protection

Continuous monitoring of containers using AWS ECR, and agents for continuous monitoring of our devices.

SOC 2 Type II

SOC 2 Type II

Redocly has completed the System and Organization Controls (SOC) 2, Type II audit. Log in to download this and other reports.

Your data and content belong to you

As an API documentation provider, we have stewardship over one of the most crucial assets in today’s economy. We are fierce in making sure that every code sample, and asset you create belongs to you, and take responsibility to protect yours and your users’ data. You can access all our compliance reports in your Redocly dashboard.


Secure cloud provider

Completed the CAIQ version 4 questionnaire and certified under the Cloud Security Alliance’s (CSA) STAR program for cybersecurity.

PCI DSS compliant

PCI DSS compliant

Redocly doesn’t store or process payment information. For that we rely on third parties who are PCI DSS Level 1 service providers, Stripe and Rebilly.

Committed to privacy

Committed to privacy

We offer a Data Processing Addendum (DPA) that enables you to comply with GDPR, CCPA and other privacy regulations.

Data Processing Addendum

Third party vendor management

We ensure each of our providers adheres to our standards of privacy and security, and inspect their compliance records annually. Please refer to our full list of sub-processors for an up to date list.


SaaS delivery

Our platform runs on AWS and we use 3rd parties for identity management and payments & subscription billing.

Support services

We use a range of tools for email, meetings, CRM, status page, project management and communication .

Service availability

We take aggressive measures to ensure business continuity for us and our customers, with frequent backups and fast disaster recovery, both tested regularly. All traffic is protected by web application firewall (WAF) and we keep our status up to date at


Recovery Point Objective: how frequently we take backups

10 min


Recovery Time Objective: how long to restore from last recovery point

30 min

Last tested: July 19, 2023

READ Redocly’s SLA

Win at the API economy in full safety and confidence