// Trust & Security Report
Fly.io, Inc.
Cloud application platform: Fly Machines (hardware-isolated VMs for apps and agents), Fly Sprites (isolated sandboxes for AI-generated code execution), Managed Postgres, Tigris Object Storage (S3-compatible), Fly Kubernetes, and Phoenix.new (AI coding environment)
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on fly.io“Yeah, We're SOC 2 Type 2 — We're certified, our hardware runs in ISO 27001 datacenters, we do BAAs, and we answer security questionnaires.”
Verify on fly.io“Business Associate Agreement — When you're ready to start deploying HIPAA apps, you'll need a BAA. Ours is pre-signed by Fly.io and will become active when you sign it.”
Verify on fly.io“Data Processing Agreement — Users who need to comply with the EU's General Data Privacy Regulation (GDPR) will need a Data Processing Agreement. Ours is pre-signed by Fly.io and will become active when you sign it.”
Verify on fly.io“Fly.io complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, 'DPF').”
> Show 9 unconfirmed / not-held certifications
source: fly.ioFly.io does NOT hold its own ISO 27001 certification. The vendor states 'our hardware runs in ISO 27001 datacenters' — the ISO 27001 cert belongs to the datacenter operators (Equinix), not to Fly.io. This is a host-cert, not a vendor-cert.
source: fly.ioNo public evidence of PCI DSS compliance or certification found on any vendor-domain page.
source: fly.ioNo public evidence of ISO 27017 certification found on any vendor-domain page.
source: fly.ioNo public evidence of ISO 27018 certification found on any vendor-domain page.
source: fly.ioNo public evidence of ISO 27701 certification found on any vendor-domain page.
source: fly.ioNo public evidence of ISO 42001 or any AI governance certification found. Fly.io is a PaaS/infrastructure provider, not primarily an AI service vendor.
source: fly.ioNo public evidence of CSA STAR registration or certification found on any vendor-domain page.
source: fly.ioNo public evidence of FedRAMP authorization found on any vendor-domain page.
source: fly.ioHealthcare docs mention HITRUST CSF alignment in context of HIPAA-capable infrastructure, but no HITRUST certification is claimed by Fly.io.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Global: 18+ regions including EU regions (Amsterdam/ams, Frankfurt/fra, Paris/cdg). Users choose deployment region but Fly.io Inc. is a US legal entity subject to US CLOUD Act regardless of data geography. No formal data sovereignty guarantees.
No explicit AI training policy published. The Terms of Service grants Fly.io a license to use Customer Data 'as necessary for purposes of providing the Fly.io Services to Customer and improving the Fly.io Services' — the 'improving' language is broad and unqualified. The Privacy Policy states Fly.io does not access application content stored by users except for security, maintenance, or support with consent. Fly.io is a PaaS infrastructure provider with no known AI model training product, but the ToS 'improving services' clause has not been expressly narrowed to exclude ML/AI use. No opt-out for this use is provided.
// Security controls
Encryption in transit
WireGuard mesh (ChaCha20-Poly1305) for all internal traffic. TLS via LetsEncrypt (Rustls crate) for app-facing endpoints. Every hop on the internal network path is encrypted.
fly.ioEncryption at rest
Fly Volumes encrypted with Linux LUKS (AES-XTS) block storage encryption. Keys stored in redundant industry-proven secret storage systems.
fly.ioCompute isolation
Containers converted to lightweight VMs using Firecracker (memory-safe KVM hypervisor). Tenants never share kernels. KVM hardware-isolated on Fly.io-owned bare-metal servers.
fly.ioNetwork isolation
Private WireGuard mesh per organization. Default-deny public networking. IPv6 routable addresses and shared IPv4; nothing exposed unless explicitly requested.
fly.ioIdentity and access
SSO via Google and GitHub. Phishing-resistant 2FA required for all Fly.io team members. IdP-backed WireGuard with role-based, default-deny access controls. Organization-level RBAC and access tokens.
fly.ioSecurity team
Dedicated security engineering is described as the largest single team in Fly.io's product engineering organization. Employs vulnerability researchers from well-known security firms.
fly.ioVulnerability remediation SLA
Critical: 24 hours. High: 1 week. Medium: 1 month. Low: 3 months.
fly.ioSoftware supply chain
Platform software built in memory-safe languages (Rust and Go). Internal code reviews with PR-based workflow. External security assessments.
fly.ioDDoS mitigation
DDoS mitigation provided through upstream traffic providers. Fly.io explicitly notes it is not a dedicated DDoS protection provider.
fly.ioInfrastructure
Fly.io owns its own bare-metal servers deployed in Equinix data centers (ISO 27001 certified datacenters, not Fly.io's own ISO 27001 cert). Operates globally across 18+ regions.
fly.io// Products & data scope
data: Customer application code, secrets, environment variables, volumes (encrypted at rest). Customer controls what data runs in their VMs.
Core compute product. Hardware-isolated via Firecracker/KVM. Covered by SOC 2 Type 2 audit scope. BAA and DPA apply when signed.
data: Ephemeral sandbox environments for running AI-generated or untrusted code. Checkpoint/restore capability. Pay per CPU/memory second.
New product for AI code sandboxing. Same hardware isolation as Machines. No separate compliance documentation found specifically for Sprites.
data: Customer database contents. Encrypted at rest (LUKS). Private networking via WireGuard.
Runs on Fly Machines infrastructure. Subject to same compliance posture as platform.
data: Customer file/object data. Global distribution, intelligent routing.
Separate BAA available for Tigris Data directly per the compliance page. Treat as a distinct data scope for healthcare customers.
data: Customer containerized workloads. Inherits platform encryption and network isolation.
Runs on Fly Machines infrastructure. No separate compliance documentation.
data: User code projects and sessions.
AI-assisted development environment. No separate security or compliance documentation found.
// What to watch
- ISO 27001 OVER-CLAIM RISK: Vendor marketing states 'our hardware runs in ISO 27001 datacenters' which can be misread as Fly.io holding ISO 27001. Fly.io does NOT hold its own ISO 27001 certificate — the cert belongs to their datacenter operators (Equinix). AIFOXX must NOT list ISO 27001 as a Fly.io certification.
- ToS BROAD LICENSE CLAUSE: Section 2 of the Terms of Service grants Fly.io a license to use Customer Data for 'improving the Fly.io Services' without qualifying that this excludes ML/AI training. No explicit AI training prohibition or opt-out mechanism is published. For AI-sensitive customers, this warrants review of the DPA.
- EU DATA RESIDENCY LIMITATION: Despite EU regions being available and EU-U.S. DPF certification, Fly.io Inc. is a US entity subject to the CLOUD Act. EU data stored in Fly.io EU regions is not fully protected from US government compulsion. Relevant for GDPR customers requiring strict data sovereignty.
- HIPAA BAA SCOPE: Tigris Data has a separate BAA from the main Fly.io platform BAA. Healthcare customers deploying with object storage must ensure the correct BAA is in place for Tigris separately.
// At a glance
Pricing model
Usage-based: pay per CPU second and memory second for Machines and Sprites. Flat monthly plans available for higher tiers with support SLAs.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Fly.io, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
fly.io