Security at Redocly

From product architecture to legal compliance to privacy protection, we take security very seriously to remain worthy of thousands of developers who trust us with their API lifecycles.

Redocly is secure by design and designed to help you stay secure

HTTPS and encryption

  • TLS 1.2+: TLS certificates encrypt all data in transit, with TLS 1.2 as the minimum protocol version.
  • AES-256: We encrypt all data at rest with AES-256, the highest security standard.

Identity and access management

Redocly's cloud application Workflows features highly customizable access policies to fit your exact security requirements.

  • SSO: SAML2 or OpenID Connect with domain verification
  • Roles and permissions: Give project-level permissions to groups of people.
  • Team mapping: Map teams to your IdPs based on user attributes.
  • Audit trail: A rich event history to track how users updated projects over time.

Regular security measures and activities

  • Penetration testing: Redocly conducts internal and external (3rd party) penetration tests at least annually.
  • Vulnerability management: We scan our code and dependencies daily with AWS Elastic Container Registry. Critical issues are resolved in under a week.
  • People security: Background checks, security awareness training, access levels following the principle of least privilege.
  • Physical security: CCTV, alarm systems, and card readers for access to our corporate offices.

Your data and content belong to you

As an API documentation provider, we have stewardship over one of the most crucial assets in today's economy. We are fierce in making sure that every code sample, doc page, and asset you create belongs to you, and we take responsibility for protecting your data and your users' data.

SOC 2 Type II

With all systems and controls already in place, we anticipate completing our first audit by the end of 2021.

Committed to privacy

We offer a Data Processing Addendum (DPA) that enables you to comply with GDPR, CCPA and other privacy regulations.

Cloud Security Alliance

We've completed our CAIQ version 4. Contact us for a copy.

Third party vendor management

We ensure each of our providers adheres to our standards of privacy and security, and we inspect their compliance records annually. Please refer to our full list of sub-processors for an up-to-date list.

  • SaaS delivery: Our platform runs on AWS and we use 3rd parties for identity management and payments/subscription billing.
  • Support services: We use a range of tools for email, meetings, CRM, status page, project management, and communication.

Service availability

We take aggressive measures to ensure business continuity for us and our customers, with frequent backups and fast disaster recovery, both tested regularly. All traffic is protected by a web application firewall (WAF) and we keep our status updated at

  • RPO: 10 min
  • RTO: 30 min