// Trust & Security Report
Ably Realtime (UK Limited)
Real-time messaging platform with Pub/Sub, Chat, AI Transport, LiveObjects, Spaces, and LiveSync products for building interactive applications at global scale. Enterprise-grade infrastructure serving 2B+ devices monthly.
Certifications held
5
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ably.com“Ably regularly completes audits of our product, infrastructure, and policies to the satisfaction of the SOC 2 Type 2 standard.”
Verify on ably.com“Ably's physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance. Ably achieved ISO 27001 certification in December 2019.”
Verify on ably.com“Ably provides HIPAA Business Associate Agreements for healthcare organizations requiring compliance safeguards. Available for Committed Use customers.”
Verify on ably.com“EU GDPR Compliance: The company ensures proper consent for personal data use, secure collection and storage, and compliant data transfers outside the EU.”
Verify on ably.com“Regulatory Coverage: EU GDPR, UK GDPR, CCPA, and applicable national data protection laws.”
> Show 4 unconfirmed / not-held certifications
source: ably.comNo public evidence of FedRAMP certification found on vendor domain.
source: ably.comNo public evidence of PCI DSS certification found on vendor domain.
source: ably.comNo public evidence of AI governance certification on vendor domain.
source: ably.comNo public evidence of CSA STAR AI certification on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region: EU, US, Australia. Organizations can control where data streams route and store messages exclusively in specified regions.
Privacy policy explicitly states: 'We do not use personal data for the purpose of using automated decision making or profiling.' Ably acts as a data processor; customer content/data is held momentarily (2 minutes to 24 hours) for delivery purposes only.
// Security controls
Encryption in Transit
TLS 1.2+ for all client-to-server and server-to-server communication (default/mandatory)
ably.comEncryption at Rest
AES-256 encryption available using private keys, preventing even Ably from reading messages without authorization
ably.comDDoS Mitigation
Network edge detection blocks invalid connections; Cloudflare integration; massive scalability absorbs traffic spikes
ably.comAuthentication
Token-based authentication with JWT support, API keys, key expiration limits, granular channel and action permissions
ably.comData Access Controls
Role-based access control, API key scoping, channel-level permissions
security.ably.comInfrastructure Security
AWS-hosted with multiple regions, firewalls, IDS/IPS systems, DNSSEC, endpoint detection & response
security.ably.comBackup & Disaster Recovery
Data backups and erasure capabilities. Recovery Time Objective: 12 hours. Recovery Point Objective: 24 hours. 99.999% uptime SLA.
security.ably.comVulnerability Management
Regular penetration testing, responsible disclosure program, code analysis, vulnerability assessments
security.ably.comData Residency
EU, US, Australia options. International transfers use Standard Contractual Clauses (EU and UK GDPR compliant)
ably.com// Products & data scope
data: Message payloads and metadata; data retained momentarily (2-24 hours)
Core product for pub/sub messaging. AES-256 encryption support, global distribution, per-minute billing model
data: Chat messages, user presence, message history
Purpose-built chat APIs optimized for high-scale user loads. Available as part of enterprise offerings
data: AI agent sessions, agentic interactions, state synchronization
New product (2024+) for building resilient, multi-device AI experiences. Drop-in infrastructure for stateful AI sessions
data: Application state objects across users and devices
Real-time sync for application state at any scale. Supports multi-user collaboration
data: Collaborative workspace state, user presence, permissions
Purpose-built APIs for collaborative environments. Includes presence, locks, and permissions management
data: Database change events, frontend client updates
Seamlessly sync database changes with frontend, publishing changes to millions of clients reliably
// What to watch
- HIPAA BAA note: Ably is NOT a covered entity under HIPAA Security Rule, but offers BAA agreements for customers who require them. BAA available for Committed Use customers only.
- No public evidence of FedRAMP, PCI DSS, ISO 27017/27018/27701, ISO/IEC 42001, or CSA STAR AI certifications.
- AI training is explicitly NOT performed on customer data per privacy policy.
- Data residency options limit to 3 regions (EU, US, Australia) - no other options listed.
// At a glance
Pricing model
Usage-based: per-minute billing or MAU (monthly active users). Volume discounts as consumption increases. Enterprise customers available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ably Realtime (UK Limited)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.ably.com