// Trust & Security Report

    Fly.io, Inc. logo

    Fly.io, Inc.

    Cloud application platform: Fly Machines (hardware-isolated VMs for apps and agents), Fly Sprites (isolated sandboxes for AI-generated code execution), Managed Postgres, Tigris Object Storage (S3-compatible), Fly Kubernetes, and Phoenix.new (AI coding environment)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Yeah, We're SOC 2 Type 2 — We're certified, our hardware runs in ISO 27001 datacenters, we do BAAs, and we answer security questionnaires.

    Verify on fly.io
    HIPAA (BAA available)
    HELD

    Business Associate Agreement — When you're ready to start deploying HIPAA apps, you'll need a BAA. Ours is pre-signed by Fly.io and will become active when you sign it.

    Verify on fly.io
    GDPR (DPA available)
    HELD

    Data Processing Agreement — Users who need to comply with the EU's General Data Privacy Regulation (GDPR) will need a Data Processing Agreement. Ours is pre-signed by Fly.io and will become active when you sign it.

    Verify on fly.io
    EU-U.S. Data Privacy Framework (DPF)
    HELD

    Fly.io complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, 'DPF').

    Verify on fly.io
    > Show 9 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Fly.io does NOT hold its own ISO 27001 certification. The vendor states 'our hardware runs in ISO 27001 datacenters' — the ISO 27001 cert belongs to the datacenter operators (Equinix), not to Fly.io. This is a host-cert, not a vendor-cert.

    source: fly.io
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance or certification found on any vendor-domain page.

    source: fly.io
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found on any vendor-domain page.

    source: fly.io
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found on any vendor-domain page.

    source: fly.io
    ISO 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on any vendor-domain page.

    source: fly.io
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 or any AI governance certification found. Fly.io is a PaaS/infrastructure provider, not primarily an AI service vendor.

    source: fly.io
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification found on any vendor-domain page.

    source: fly.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on any vendor-domain page.

    source: fly.io
    HITRUST CSF
    NOT CONFIRMED

    Healthcare docs mention HITRUST CSF alignment in context of HIPAA-capable infrastructure, but no HITRUST certification is claimed by Fly.io.

    source: fly.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Global: 18+ regions including EU regions (Amsterdam/ams, Frankfurt/fra, Paris/cdg). Users choose deployment region but Fly.io Inc. is a US legal entity subject to US CLOUD Act regardless of data geography. No formal data sovereignty guarantees.

    No explicit AI training policy published. The Terms of Service grants Fly.io a license to use Customer Data 'as necessary for purposes of providing the Fly.io Services to Customer and improving the Fly.io Services' — the 'improving' language is broad and unqualified. The Privacy Policy states Fly.io does not access application content stored by users except for security, maintenance, or support with consent. Fly.io is a PaaS infrastructure provider with no known AI model training product, but the ToS 'improving services' clause has not been expressly narrowed to exclude ML/AI use. No opt-out for this use is provided.

    // Security controls

    Encryption in transit

    WireGuard mesh (ChaCha20-Poly1305) for all internal traffic. TLS via LetsEncrypt (Rustls crate) for app-facing endpoints. Every hop on the internal network path is encrypted.

    fly.io

    Encryption at rest

    Fly Volumes encrypted with Linux LUKS (AES-XTS) block storage encryption. Keys stored in redundant industry-proven secret storage systems.

    fly.io

    Compute isolation

    Containers converted to lightweight VMs using Firecracker (memory-safe KVM hypervisor). Tenants never share kernels. KVM hardware-isolated on Fly.io-owned bare-metal servers.

    fly.io

    Network isolation

    Private WireGuard mesh per organization. Default-deny public networking. IPv6 routable addresses and shared IPv4; nothing exposed unless explicitly requested.

    fly.io

    Identity and access

    SSO via Google and GitHub. Phishing-resistant 2FA required for all Fly.io team members. IdP-backed WireGuard with role-based, default-deny access controls. Organization-level RBAC and access tokens.

    fly.io

    Security team

    Dedicated security engineering is described as the largest single team in Fly.io's product engineering organization. Employs vulnerability researchers from well-known security firms.

    fly.io

    Penetration testing

    Regular third-party pentests from Atredis Partners, Doyensec, and Tetrel.

    fly.io

    Vulnerability remediation SLA

    Critical: 24 hours. High: 1 week. Medium: 1 month. Low: 3 months.

    fly.io

    Software supply chain

    Platform software built in memory-safe languages (Rust and Go). Internal code reviews with PR-based workflow. External security assessments.

    fly.io

    DDoS mitigation

    DDoS mitigation provided through upstream traffic providers. Fly.io explicitly notes it is not a dedicated DDoS protection provider.

    fly.io

    Infrastructure

    Fly.io owns its own bare-metal servers deployed in Equinix data centers (ISO 27001 certified datacenters, not Fly.io's own ISO 27001 cert). Operates globally across 18+ regions.

    fly.io

    // Products & data scope

    Fly MachinesCloud compute / PaaS

    data: Customer application code, secrets, environment variables, volumes (encrypted at rest). Customer controls what data runs in their VMs.

    Core compute product. Hardware-isolated via Firecracker/KVM. Covered by SOC 2 Type 2 audit scope. BAA and DPA apply when signed.

    Fly SpritesIsolated sandbox compute (AI code execution)

    data: Ephemeral sandbox environments for running AI-generated or untrusted code. Checkpoint/restore capability. Pay per CPU/memory second.

    New product for AI code sandboxing. Same hardware isolation as Machines. No separate compliance documentation found specifically for Sprites.

    Managed PostgresManaged database

    data: Customer database contents. Encrypted at rest (LUKS). Private networking via WireGuard.

    Runs on Fly Machines infrastructure. Subject to same compliance posture as platform.

    Tigris Object StorageS3-compatible global object storage

    data: Customer file/object data. Global distribution, intelligent routing.

    Separate BAA available for Tigris Data directly per the compliance page. Treat as a distinct data scope for healthcare customers.

    Fly Kubernetes (FKS)Managed Kubernetes

    data: Customer containerized workloads. Inherits platform encryption and network isolation.

    Runs on Fly Machines infrastructure. No separate compliance documentation.

    Phoenix.newAI coding environment (Elixir/Phoenix)

    data: User code projects and sessions.

    AI-assisted development environment. No separate security or compliance documentation found.

    // What to watch

    • ISO 27001 OVER-CLAIM RISK: Vendor marketing states 'our hardware runs in ISO 27001 datacenters' which can be misread as Fly.io holding ISO 27001. Fly.io does NOT hold its own ISO 27001 certificate — the cert belongs to their datacenter operators (Equinix). AIFOXX must NOT list ISO 27001 as a Fly.io certification.
    • ToS BROAD LICENSE CLAUSE: Section 2 of the Terms of Service grants Fly.io a license to use Customer Data for 'improving the Fly.io Services' without qualifying that this excludes ML/AI training. No explicit AI training prohibition or opt-out mechanism is published. For AI-sensitive customers, this warrants review of the DPA.
    • EU DATA RESIDENCY LIMITATION: Despite EU regions being available and EU-U.S. DPF certification, Fly.io Inc. is a US entity subject to the CLOUD Act. EU data stored in Fly.io EU regions is not fully protected from US government compulsion. Relevant for GDPR customers requiring strict data sovereignty.
    • HIPAA BAA SCOPE: Tigris Data has a separate BAA from the main Fly.io platform BAA. Healthcare customers deploying with object storage must ensure the correct BAA is in place for Tigris separately.

    // At a glance

    Pricing model

    Usage-based: pay per CPU second and memory second for Machines and Sprites. Flat monthly plans available for higher tiers with support SLAs.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Fly.io, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    fly.io

    > Browse all vendor trust reports