fly.io-specific experience and/or resources relating to SOC 2 compliance process?

I read this Latacora guide on SOC2 and am hoping someone has some experience or feedback on how it relates to fly.io. I am just trying to be proactive in getting the ball rolling …

Some of our startup’s prospects are requesting SOC 2 Type 2 compliance before closing the deal. Regarding Fly as a vendor for hosting one’s customers’ data, which will come up, I was wondering:

  1. How did your customers take the “your data is on fly.io” statement?
  2. For some critical questions, such as encryption at rest or “firewalls,” the answers are buried in the docs or blog posts. Will customers or the auditor require a more “comprehensive & consolidated” security statement?
  3. Has someone already tried to get their apps/environment/setup/process running on fly.io through a SOC 2 auditing process and can share resources or pitfalls?

Hey there. I wrote that Latacora SOC2 guide.

The short and most important answer I can give you to this question is that we aren’t currently SOC2 (it’s on our roadmap, but the number of months out it is depends a lot on whether customers drag us into it, because that’s the rational reason to get SOC2’d).

We’re happy to talk to auditors or to prospective customers or security teams or whatever about our security practices. If a prospective client of ours handed us a security questionnaire, we’d fill it out (and then probably turn the answers into a better /security web page, though that probably wouldn’t change the number of questionnaires we received). Generally: our answers to the kinds of questions that get asked on these things are pretty enterprise-security-team compatible.

I had an inkling that you wrote this guide. Thanks for the swift response!