Security Overview

Last updated

Rally10 is built for business-critical data. This page summarizes how we protect it. For more, email security@rally10.com or request our security questionnaire responses.

Infrastructure

  • Hosted on Vercel’s global edge network (SOC 2 Type II, ISO 27001).
  • Managed Postgres via Neon with point-in-time recovery and automated backups.
  • Authentication via Clerk — SOC 2 Type II compliant.
  • Payments via Stripe — PCI-DSS Level 1 compliant. We never store card data.

Encryption

  • TLS 1.2+ for all data in transit.
  • AES-256 at rest for database and backups.
  • Blob storage encrypted at rest via Vercel Blob.

Multi-tenant isolation

Every database row is scoped to an Organization. Our server-side requireOrg(slug) helper validates membership on every request before any query runs. Integration tests assert org-A cannot read or write org-B’s data.

Access control

  • Role-based access (Owner, Admin, Member, Viewer) within each organization.
  • Principle of least privilege for engineering access to production systems.
  • All production access logged.
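As an added illustration of the two mechanisms described above (the org-scoped requireOrg(slug) guard under "Multi-tenant isolation" and the Owner/Admin/Member/Viewer roles under "Access control"), the following TypeScript is example code written for this page, not Rally10's implementation. The in-memory tables, user and org identifiers, the requireRole helper and the crossTenantCheck function are all constructed assumptions; the point is that every data-access function takes a membership proven by requireOrg, so the org filter can never be omitted, and that the integration-style check exercises exactly the property the page states: a user in org A cannot read or write org B's data even by naming org B's slug.

```typescript
// Added example (not Rally10's code): a requireOrg-style guard, role checks,
// and an org-scoped data layer, exercised by a cross-tenant isolation check.

type Role = "Owner" | "Admin" | "Member" | "Viewer";

interface Session { userId: string; }
interface Org { id: string; slug: string; }
interface Membership { userId: string; orgId: string; role: Role; }
interface Note { id: string; orgId: string; body: string; }

// Constructed in-memory tables standing in for the database.
const orgs: Org[] = [
  { id: "org_a", slug: "acme" },
  { id: "org_b", slug: "globex" },
];
const memberships: Membership[] = [
  { userId: "user_alice", orgId: "org_a", role: "Admin" },
  { userId: "user_bob", orgId: "org_b", role: "Viewer" },
];
const notes: Note[] = [
  { id: "n1", orgId: "org_a", body: "acme roadmap" },
  { id: "n2", orgId: "org_b", body: "globex budget" },
];

class AuthorizationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AuthorizationError";
    // Keeps instanceof reliable regardless of the TypeScript compile target.
    Object.setPrototypeOf(this, AuthorizationError.prototype);
  }
}

// Resolve the org by slug and prove the caller is a member before any query.
// Downstream code receives the resolved orgId via the membership, never the
// raw slug, so a query cannot accidentally run unscoped.
function requireOrg(session: Session, slug: string): Membership {
  const org = orgs.find((o) => o.slug === slug);
  // Same error for "org does not exist" and "not a member", so the response
  // does not reveal which org slugs exist.
  if (!org) throw new AuthorizationError("not a member");
  const membership = memberships.find(
    (m) => m.userId === session.userId && m.orgId === org.id,
  );
  if (!membership) throw new AuthorizationError("not a member");
  return membership;
}

// Hypothetical role ordering for the four roles named on the page.
const RANK: Record<Role, number> = { Viewer: 0, Member: 1, Admin: 2, Owner: 3 };

function requireRole(m: Membership, minimum: Role): void {
  if (RANK[m.role] < RANK[minimum]) throw new AuthorizationError("insufficient role");
}

// Data access takes the proven membership, so the org filter is always applied.
function listNotes(m: Membership): Note[] {
  return notes.filter((n) => n.orgId === m.orgId);
}

function createNote(m: Membership, id: string, body: string): Note {
  requireRole(m, "Member"); // Viewers are read-only
  const note: Note = { id, orgId: m.orgId, body };
  notes.push(note);
  return note;
}

// The kind of property an integration test asserts: org-A's user sees only
// org-A data, is refused org-B by slug, and a Viewer cannot write.
function crossTenantCheck(): {
  aliceSees: string[];
  aliceBlockedFromGlobex: boolean;
  bobCannotWrite: boolean;
} {
  const alice: Session = { userId: "user_alice" };
  const bob: Session = { userId: "user_bob" };
  const aliceSees = listNotes(requireOrg(alice, "acme")).map((n) => n.id);
  let aliceBlockedFromGlobex = false;
  try {
    requireOrg(alice, "globex");
  } catch (e) {
    aliceBlockedFromGlobex = e instanceof AuthorizationError;
  }
  let bobCannotWrite = false;
  try {
    createNote(requireOrg(bob, "globex"), "n3", "unauthorized write");
  } catch (e) {
    bobCannotWrite = e instanceof AuthorizationError;
  }
  return { aliceSees, aliceBlockedFromGlobex, bobCannotWrite };
}
```

The design choice worth noting is that listNotes and createNote cannot be called without a Membership, and a Membership can only come from requireOrg; a missing org check therefore fails to compile rather than silently returning another tenant's rows.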

AI data handling

AI features route through the Vercel AI Gateway to Anthropic (and optionally OpenAI/Google). Under contract, these providers do not retain your content for model training. We send only the relevant portions of your organization’s data needed to generate the AI output.

Vulnerability management

  • Automated dependency scanning on every commit.
  • Security patches applied within published SLAs (critical: 24 hours; high: 7 days).
  • Third-party penetration testing annually.

Incident response

We run an on-call engineering rotation. Incidents are triaged within 1 hour and escalated per severity. Customers are notified within 72 hours of a confirmed Personal Data breach.

Compliance roadmap

  • SOC 2 Type I — in progress (target Q3 2026).
  • SOC 2 Type II — target Q1 2027.
  • GDPR-ready via our DPA.
  • Enterprise: SSO (SAML) and SCIM provisioning available on the Enterprise plan.

Report a vulnerability

Email security@rally10.com. We’ll acknowledge within 2 business days. Responsible disclosure is welcomed; we do not pursue legal action against good-faith security research.