fly.io-specific experience and/or resources relating to SOC 2 compliance process?

I read this Latacora guide on SOC2 and am hoping someone has some experience or feedback on how it relates to fly.io. I am just trying to be proactive in getting the ball rolling …

Some of our startup’s prospects are requesting SOC 2 Type 2 compliance before closing the deal. Regarding Fly as a vendor for hosting one’s customers’ data, which will come up, I was wondering:

  1. How did your customers take the “your data is on fly.io” statement?
  2. For some critical questions, such as encryption at rest or “firewalls,” the answers are buried in the docs or blog posts. Will customers or the auditor require a more “comprehensive & consolidated” security statement?
  3. Has someone already tried to get their apps/environment/setup/process running on fly.io through a SOC 2 auditing process and can share resources or pitfalls?

Hey there. I wrote that Latacora SOC2 guide.

The short and most important answer I can give you to this question is that we aren’t currently SOC2 (it’s on our roadmap, but the number of months out it is depends a lot on whether customers drag us into it, because that’s the rational reason to get SOC2’d).

We’re happy to talk to auditors or to prospective customers or security teams or whatever about our security practices. If a prospective client of ours handed us a security questionnaire, we’d fill it out (and then probably turn the answers into a better /security web page, though that probably wouldn’t change the number of questionnaires we received). Generally: our answers to the kinds of questions that get asked on these things are pretty enterprise-security-team compatible.

I had an inkling that you wrote this guide. Thanks for the swift response!

I was about to ask this same question and was amused when I saw the first post referring my favorite SOC2 article back to the person that probably wrote it. :)

We deal with HIPAA data and are going after SOC2 at the moment (with Vanta). We’re frankly tired of rolling our own infra on AWS using terraform and would love to use something like fly. Although as I type this, I realize we’d have to find ways to report the infra back into Vanta manually.

Also some of our gov clients would further scrutinize this if it ever came up. I’m also not exactly sure if all our vendors need to be SOC2 compliant. That’s a question we’ll ask our auditors.

So any updates on this (or a potential roadmap)?

Yes! SOC2 is in process. Which is about as good as things get on our roadmap. We should have SOC2 Type 1 in place in <6 months.

We’re also doing BAAs very soon, if it helps your HIPAA work.

Excellent, thanks for the update.

Hey @kurt - we’re in the exact same situation as @ashish.

  • HIPAA
  • Using Vanta today to help us monitor compliance
  • Would lose some of the reporting automation Vanta provides with AWS, but would strongly consider Fly if a BAA could be signed (today we use it for non-PHI purposes) because honestly the implementation complexity difference is so massive that a bit of manual pain on compliance artifacts would be worth it.

Is there any possibility of becoming an early/beta customer on the BAA side? We would be extremely, very interested.

For now we are just tinkering on the periphery. So for example, trying to use fly for our GitLab runner to speed things up (but haven’t gotten that working yet, and haven’t had time to troubleshoot).

Hi fly friends! Any update on SOC2 and/or (separately) ISO 27001? We’re considering using fly, and any roadmap / timeline would be helpful in making a call.

Still in process, almost done! Probably 1-2 weeks from today.

Awesome, thank you! Just to confirm, are you guys also going for ISO 27001, or just SOC2 (type 1)?

It looks like you have SOC2 now - what is the best way to share that with our auditors as we go through the same process? Is there a way to get a copy of the report, or is there something else you can share with us that will work?

Hi - We do have our SOC2 Type I audit completed. We can send the report to customers on our Enterprise plans; these also require an NDA with us before we can share them (because auditors). If that’s something you want to talk about, shoot us a note at support@fly.io.

We do have a standard security questionnaire that we can share with customers on our Scale plan.

Our Security page documents our current practices, so that may be a good place to start. We also have a Healthcare Apps on Fly doc that details the controls we have in place to support HIPAA compliance. The HIPAA info is useful even for folks who aren’t running healthcare apps, because these controls are in place for our entire platform.

Hope that gets you started, and good luck with the process!