Security
How we protect your data with enterprise-grade security. Encryption, access controls, incident response, and continuous monitoring.
Last updated: February 19, 2026
TLS 1.3 Encryption
TLS 1.3 in transit, AES-256 at rest
EU Data Hosting
Infrastructure hosted in European Union
24h Incident Response
Rapid response to security incidents
GDPR Compliant
Full compliance with data protection law
1. Infrastructure Security
Cloud Hosting
Apidly is hosted on enterprise-grade cloud infrastructure within the European Union. Our hosting providers maintain SOC 2 Type II, ISO 27001, and PCI DSS certifications. All infrastructure is managed through infrastructure-as-code with automated security scanning.
Network Security
Our network architecture employs defence in depth: firewalls, intrusion detection systems (IDS), DDoS protection, and network segmentation. All traffic between services uses private networking. Public endpoints are protected by Web Application Firewalls (WAF).
Redundancy & Availability
We maintain multiple availability zones for high availability. Automated failover ensures service continuity. Regular disaster recovery drills validate our backup and recovery procedures. We target 99.9% uptime.
2. Data Encryption
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3. HTTPS is enforced on every endpoint, and HSTS headers instruct browsers to refuse plain-HTTP connections to our domains, which blocks SSL-stripping and protocol-downgrade attacks. Our TLS configuration is regularly audited.
Encryption at Rest
All data stored in our databases and file systems is encrypted at rest using AES-256 encryption. Encryption keys are managed through dedicated key management services with automatic rotation.
API Security
API communications use industry-standard authentication (OAuth 2.0, API keys) with rate limiting and request signing. All API keys are hashed before storage and never logged in plaintext.
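The two API-key controls named above (keys hashed before storage, never logged in plaintext) and request signing, shown as an added example that is not Apidly's own code. The key format `ak_<32 hex chars>`, the use of plain SHA-256 as the storage hash (acceptable because the keys are 128-bit random values, not human-chosen passwords), the HMAC-SHA256 canonical string, and the five-minute replay window are assumptions for illustration, not details taken from the page.

```python
"""Added example (not Apidly's code): API-key storage and request signing.

Assumed design (not from the page): keys look like "ak_<32 hex>", the first
11 characters are a public key id used to look the record up and to appear
in logs, only the SHA-256 of the full key is persisted, and requests are
signed with HMAC-SHA256 over method, path, timestamp and the body's hash.
Standard library only.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

KEY_PREFIX = "ak_"
KEY_ID_LEN = len(KEY_PREFIX) + 8     # public identifier, safe to log
REPLAY_WINDOW_SECONDS = 300          # assumed tolerance for clock skew/replay

# Server-side store: key_id -> {"hash": ..., "signing_secret": ...} (hypothetical)
_KEYS: dict[str, dict] = {}


def key_id_of(api_key: str) -> str:
    """Public, loggable identifier: the prefix plus 8 hex chars of the key."""
    return api_key[:KEY_ID_LEN]


def generate_api_key() -> tuple[str, bytes]:
    """Create a key and its per-key signing secret.

    The plaintext key and secret are returned once for the caller; the store
    keeps only the SHA-256 of the key (never the key itself) plus the secret
    needed to verify signatures. Exposing 8 hex chars in the id costs 32 of
    the key's 128 random bits, leaving 96 bits, which is still unguessable.
    """
    api_key = KEY_PREFIX + secrets.token_hex(16)
    signing_secret = secrets.token_bytes(32)
    _KEYS[key_id_of(api_key)] = {
        "hash": hashlib.sha256(api_key.encode()).hexdigest(),
        "signing_secret": signing_secret,
    }
    return api_key, signing_secret


def verify_api_key(presented: str) -> str | None:
    """Return the key id if `presented` matches a stored hash, else None.

    The lookup is by public id; the comparison uses compare_digest so the
    response time does not leak how many leading bytes matched.
    """
    record = _KEYS.get(key_id_of(presented))
    if record is None:
        return None
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["hash"]):
        return None
    return key_id_of(presented)


def redact_for_log(api_key: str) -> str:
    """What a log line may contain: the public id only, never the full key."""
    return key_id_of(api_key) + "..."


def _canonical(method: str, path: str, ts: str, body: bytes) -> bytes:
    """Bind the signature to everything an attacker might want to change."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{ts}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: int | None = None) -> dict[str, str]:
    """Client side: produce the headers that accompany a signed request."""
    ts = str(int(time.time() if timestamp is None else timestamp))
    sig = hmac.new(secret, _canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Signature": sig}


def verify_request(key_id: str, method: str, path: str, body: bytes,
                   headers: dict[str, str], now: int | None = None) -> bool:
    """Server side: reject unknown keys, stale timestamps and bad signatures."""
    record = _KEYS.get(key_id)
    if record is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    current = int(time.time() if now is None else now)
    if abs(current - ts) > REPLAY_WINDOW_SECONDS:
        return False   # replayed or badly skewed request
    expected = hmac.new(record["signing_secret"],
                        _canonical(method, path, str(ts), body),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    key, secret = generate_api_key()
    print("issued", redact_for_log(key), "verified:", verify_api_key(key) is not None)
    body = b'{"name":"demo"}'
    hdrs = sign_request(secret, "POST", "/v1/items", body)
    print("signature valid:", verify_request(key_id_of(key), "POST", "/v1/items", body, hdrs))
    print("tampered body :", verify_request(key_id_of(key), "POST", "/v1/items", b"{}", hdrs))
```

The timestamp check only bounds replays to the window; a stricter design would also keep a short-lived cache of seen signatures, which is omitted here.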
3. Access Controls
Principle of Least Privilege
Access to systems and data follows the principle of least privilege. Team members only have access to the resources required for their role. All access is reviewed quarterly.
Authentication
Multi-factor authentication (MFA) is mandatory for all team members accessing production systems. We use single sign-on (SSO) with role-based access control (RBAC) for internal tools.
Audit Logging
All access to production systems and customer data is logged and monitored. Audit logs are immutable and retained for a minimum of 12 months. Anomalous access patterns trigger automated alerts.
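An added example of the kind of alerting the paragraph above describes, run over constructed audit records. This is illustrative code, not Apidly's detection logic: the JSON line format, the field names, the baseline of known user/IP pairs, the role-to-action policy and the business-hours rule are all assumptions made for the demonstration.

```python
"""Added example (not Apidly's code): flag anomalous access in audit logs.

Three assumed rules: a user appearing from a source IP not in their baseline,
an action the user's role is not approved for, and customer-data access
outside business hours. A separate aggregation flags bulk reads per user.
"""
import json
from collections import defaultdict

# Constructed sample audit records (JSON lines); not real data.
SAMPLE_LOG = """\
{"ts":"2026-02-18T09:12:03Z","user":"alice","role":"support","src_ip":"10.0.4.15","action":"read","resource":"customer/1042"}
{"ts":"2026-02-18T09:12:40Z","user":"alice","role":"support","src_ip":"10.0.4.15","action":"read","resource":"customer/1043"}
{"ts":"2026-02-18T02:30:11Z","user":"bob","role":"engineer","src_ip":"203.0.113.7","action":"read","resource":"customer/1042"}
{"ts":"2026-02-18T10:05:00Z","user":"carol","role":"support","src_ip":"10.0.4.22","action":"export","resource":"customer/*"}
{"ts":"2026-02-18T10:06:00Z","user":"alice","role":"support","src_ip":"10.0.4.15","action":"read","resource":"customer/1044"}
"""

# Assumed baseline of (user, source IP) pairs seen in previous weeks.
KNOWN_SOURCES = {("alice", "10.0.4.15"), ("carol", "10.0.4.22"), ("bob", "10.0.4.30")}
# Assumed RBAC policy: actions each role is approved for.
ROLE_ACTIONS = {
    "support": {"read"},
    "engineer": {"read", "write"},
    "admin": {"read", "write", "export"},
}
BUSINESS_HOURS = range(7, 20)   # UTC hours, assumed


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records: list[dict]) -> list[dict]:
    """Return one alert per record that violates any rule, with all reasons."""
    alerts = []
    for r in records:
        reasons = []
        if (r["user"], r["src_ip"]) not in KNOWN_SOURCES:
            reasons.append(f"new source IP {r['src_ip']} for user")
        if r["action"] not in ROLE_ACTIONS.get(r["role"], set()):
            reasons.append(f"action '{r['action']}' not permitted for role '{r['role']}'")
        hour = int(r["ts"][11:13])          # ISO-8601 "YYYY-MM-DDTHH:..."
        if hour not in BUSINESS_HOURS and r["resource"].startswith("customer/"):
            reasons.append("customer data access outside business hours")
        if reasons:
            alerts.append({"ts": r["ts"], "user": r["user"], "reasons": reasons})
    return alerts


def bulk_readers(records: list[dict], threshold: int) -> dict[str, int]:
    """Users who read at least `threshold` distinct customer records."""
    seen = defaultdict(set)
    for r in records:
        res = r["resource"]
        if r["action"] == "read" and res.startswith("customer/") and not res.endswith("*"):
            seen[r["user"]].add(res)
    return {user: len(items) for user, items in seen.items() if len(items) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in detect(recs):
        print(alert["ts"], alert["user"], "; ".join(alert["reasons"]))
    print("bulk readers:", bulk_readers(recs, threshold=3))
```

In a real pipeline the baseline and policy would come from the identity provider and the access-review process rather than being hard-coded, and alerts would be routed to the on-call rotation instead of printed.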
4. Incident Response
Response Plan
We maintain a documented incident response plan with defined roles, escalation paths, and communication protocols. The plan is tested through regular tabletop exercises and simulated incidents.
Notification Timeline
In the event of a security incident affecting customer data, we will notify affected customers within 72 hours of becoming aware of it. This matches the deadline GDPR Article 33 sets for breach notification to supervisory authorities. Critical incidents are communicated via email and our status page.
Post-Incident Review
Every security incident is followed by a thorough post-mortem review. We document root causes, remediation actions, and preventive measures. Findings are used to improve our security posture.
5. Vulnerability Management
Regular Scanning
We perform automated vulnerability scanning on all infrastructure and application code. Dependencies are monitored for known vulnerabilities with automated alerts for critical issues.
Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue, please email security@apidly.com with details. We aim to acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.
Patch Management
Critical security patches are applied within 24 hours of availability. High-severity patches are applied within 7 days. All patches are tested in staging environments before production deployment.
6. Employee Security
Background Checks
All team members with access to customer data undergo background verification checks. Security awareness training is mandatory for all employees and conducted annually.
Device Security
All devices used to access company systems must meet security requirements: full-disk encryption, automated updates, endpoint protection software, and remote wipe capability.
Offboarding
When a team member leaves, all access is revoked immediately. SSH keys, API tokens, and credentials are rotated. Device audits ensure no company data remains on personal devices.
Found a vulnerability or have security concerns? We appreciate responsible disclosure.
Security Team: security@apidly.com
DPO: dpo@apidly.com