The Fly ToS states Fly employees will access the content of private repositories for support reasons with consent, or where access is required for security reasons. What context is the latter? Is the account holder notified? How is this audited?
We haven’t had to access any apps for security reasons yet. We’ll notify the account holder if it happens. We do audit access to servers, but there’s nothing user visible (and in the context of a user app, once we connect we’d theoretically lose some of the audit trail).
One thing to consider is that we’ll see logs that apps output while we’re running the services. Most of the interactions we have with apps are through logs or looking at metrics or making external requests.
Oh, one oversight in my answer: we do scan Docker images for abusive apps. Cryptocurrency miners, botnet stuff, etc. We don’t notify people at scan time – you can pretty much assume we’ll scan any app that gets deployed.