Security at Redocly

From product architecture, to legal compliance, to privacy protection, we take security very seriously to remain worthy of thousands of developers who trust us with their API lifecycles.

Redocly is secure by design and designed to help you stay secure

HTTPS & data encryption

TLS (1.2+)

TLS certificate to encrypt data in transit, free on every plan.

AES-256

We encrypt all data at rest with the highest security standard.

Identity and access management

Redocly’s cloud application Workflows features highly customizable access policies to fit your exact security requirements.

SSO

Enterprise

SAML2 or OpenID Connect with domain verification.

Roles & permissions

Give project-level permissions to groups of people.

Team mapping

Map users to relevant teams based on their IdP attributes.

Audit trail

Rich event logging to track how users updated projects over time.

Regular security measures and activities

Penetration testing

Redocly conducts internal and external (3rd party) penetration testing at least annually.

Vulnerability management

We scan our code and dependencies daily with AWS Elastic Container Registry. Critical issues are resolved in under one week.

People security

Background checks, security awareness training, access levels following the principle of least privilege.

Malware protection

Continuous monitoring of containers using AWS ECR, and agents for continuous monitoring of our devices.

SOC 2 Type II

Redocly has completed the System and Organization Controls (SOC) 2, Type II audit. Log in to download this and other reports.

Your data and content belong to you

As an API documentation provider, we have stewardship over one of the most crucial assets in today’s economy. We are fierce in making sure that every code sample, dox_page.md and asset you create belongs to you, and take responsibility to protect your and your users’ data. You can access all our compliance reports in your Redocly dashboard.

Secure cloud provider

Completed the CAIQ version 4 questionnaire and certified under the Cloud Security Alliance’s (CSA) STAR program for cybersecurity.

PCI DSS compliant

Redocly doesn’t store or process payment information. For that we rely on third parties who are PCI DSS Level 1 service providers, Stripe and Rebilly.

Committed to privacy

We offer a Data Processing Addendum (DPA) that enables you to comply with GDPR, CCPA and other privacy regulations.

Third party vendor management

We ensure each of our providers adheres to our standards of privacy and security, and inspect their compliance records annually. Please refer to our full list of sub-processors for an up-to-date list.

SaaS delivery

Our platform runs on AWS and we use 3rd parties for identity management and payments & subscription billing.

Support services

We use a range of tools for email, meetings, CRM, status page, project management and communication.

Service availability

We take aggressive measures to ensure business continuity for us and our customers, with frequent backups and fast disaster recovery, both tested regularly. All traffic is protected by a web application firewall (WAF) and we keep our status up to date at status.redocly.com.

RPO

Recovery Point Objective: how frequently we take backups
10 min

RTO

Recovery Time Objective: how long to restore from last recovery point
30 min
Last tested: June 14, 2021

Win at the API economy in full safety and confidence