// Trust & Security Report
Railway Corporation
Railway (Cloud PaaS / Application Deployment Platform)
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on railway.com“Railway is now SOC 2 Type II compliant, which means our systems, processes, and controls meet a high, generally accepted security posture bar.”
Verify on docs.railway.com“Railway follows a shared responsibility model for HIPAA compliance and PHI. BAAs and penetration test reports are available upon request.”
Verify on docs.railway.com“Railway provides a Data Processing Agreement (DPA) to help customers comply with GDPR requirements.”
Verify on railway.com“Company may transfer Personal Data processed under this DPA outside the EEA... pursuant to (i) the Data Privacy Framework to the extent the recipient of the ex-EEA Transfer is certified accordingly.”
Verify on railway.com“Data Privacy Framework means, as applicable, EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework.”
> Show 1 unconfirmed / not-held certifications
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US-primary (Google Cloud Platform). DPA states: 'Customer acknowledges that Company's primary processing operations take place in the United States.' Some local data storage options available for paid-tier customers.
Railway's DPA explicitly states: 'Company shall not: (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data outside of Company's direct business relationship with Customer or for any purpose other than as necessary to perform the Services.' Railway is a cloud infrastructure platform (PaaS); customer workloads and application data run on Railway's infrastructure but no clause or policy indicates Railway trains AI or ML models on customer deployment data or application code.
// Security controls
Infrastructure provider
Google Cloud Platform (GCP); separate production environment
trust.railway.comEncryption in transit
SSL/TLS enforced; 100 Gbps internal networking with private, encrypted connections
Penetration testing
Independent penetration test conducted; report available on request via trust.railway.com
trust.railway.comBug bounty program
Self-managed (not HackerOne or Bugcrowd). Submit to bugbounty@railway.com; rewards calculated by CVSS 3.1; paid within 30 days of acceptance. Program policy: https://railway.com/bug-bounty-program.pdf
railway.comNetwork security
Firewall, DNS filtering, traffic filtering, DDoS protection, spoofing protection, endpoint detection and response (EDR)
trust.railway.comAccess controls
Role-based access control (RBAC), SSO (enterprise tier), audit logging, restricted data access level
railway.comSubprocessors
Five documented subprocessors: Fathom Analytics, Cloudflare, Causal, Customer.io, Stripe. Full list at trust.railway.com/item/subprocessors. 10-day advance notice required before adding new subprocessors.
railway.comAudit logging
All data interactions logged; audit logs available on enterprise tier
// Products & data scope
data: $5/month for solo developers and side projects. No compliance add-ons. Basic deploy, network, and monitoring features.
Not suitable for regulated workloads or enterprise compliance requirements.
data: $20/month per seat for production teams. Includes team collaboration, multiple environments, and usage-based scaling.
DPA available; SOC 2 report accessible via Trust Center. HIPAA BAA and SSO require Enterprise upgrade.
data: Custom pricing. Includes HIPAA BAA (minimum ~$1,000/month commitment), SSO, RBAC, audit logs, contractual SLAs, dedicated support, private networking.
Designed for regulated industries (healthcare, finance). HIPAA is shared-responsibility: Railway provides BAA and infrastructure controls; customer is responsible for application-layer PHI safeguards.
// What to watch
- HIPAA BAA is a paid add-on requiring Enterprise tier (minimum ~$1,000/month); shared responsibility model applies.
- Bug bounty is self-managed (not on HackerOne/Bugcrowd), which offers less researcher visibility but is still a formal program.
- No ISO 27001 certification found as of 2026-06-27.
- SOC 2 Type II achieved August 2025 - relatively recent certification; Type I had been achieved in July 2024.
- AI features (Railway Agent, MCP Server) do not include an explicit AI-training-on-customer-data opt-out clause, but Railway's core DPA prohibits using customer data outside service delivery.
// At a glance
Pricing model
Usage-based with tier minimums: Hobby $5/mo, Pro $20/seat/mo, Enterprise custom (minimum ~$1,000/mo for HIPAA BAA)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Railway Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.railway.com