Security Overview

Last updated

Rally10 is built for business-critical data. This page describes the security measures currently in place. For questions, email security@rally10.com.

Infrastructure

  • Hosted on Vercel’s global edge network (Vercel holds SOC 2 Type II and ISO 27001).
  • Managed Postgres via Neon in Australia (Sydney, AWS AP-Southeast-2), with automated backups and point-in-time recovery.
  • Authentication via Clerk (SOC 2 Type II).
  • Payments via Stripe (PCI-DSS Level 1). We never see or store card data.

Encryption

  • TLS 1.2+ for all data in transit, terminated at Vercel’s edge.
  • Encryption at rest is provided by Neon for the database and backups.

Multi-tenant isolation

Every record in the database is scoped to an Organization. Our server-side requireOrg(slug) helper validates the signed-in user’s membership before any query runs, and every query filters by organizationId.
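The membership-check-then-scoped-query pattern described above, as an added illustration. This is not Rally10's code: only requireOrg, slug and organizationId come from this page, while the in-memory data, the explicit session argument, the error type and the other function names are assumptions made for the example.

```javascript
// Added illustration; not Rally10's code. All names except requireOrg,
// slug and organizationId are hypothetical. Sample data is constructed.
const db = {
  organizations: [{ id: "org_1", slug: "acme" }, { id: "org_2", slug: "globex" }],
  memberships: [
    { userId: "u_alice", organizationId: "org_1", role: "Admin" },
    { userId: "u_bob", organizationId: "org_2", role: "Viewer" },
  ],
  projects: [
    { id: "p_1", organizationId: "org_1", name: "Acme roadmap" },
    { id: "p_2", organizationId: "org_2", name: "Globex budget" },
  ],
};

class TenantAccessError extends Error {}

// Resolve the slug and verify membership before any tenant data is touched.
// Unknown slug and non-member raise the same error, so responses do not
// reveal which organization slugs exist.
function requireOrg(session, slug) {
  if (!session || !session.userId) throw new TenantAccessError("not signed in");
  const org = db.organizations.find((o) => o.slug === slug);
  const membership = org && db.memberships.find(
    (m) => m.userId === session.userId && m.organizationId === org.id);
  if (!membership) throw new TenantAccessError("organization not found");
  return Object.freeze({ organizationId: org.id, role: membership.role });
}

// Data access takes the verified context, never an id supplied by the
// request, and always filters by organizationId.
function listProjects(ctx) {
  return db.projects.filter((p) => p.organizationId === ctx.organizationId);
}

// Scoping a by-id lookup to the tenant means a guessed id from another
// organization returns nothing.
function getProject(ctx, projectId) {
  return db.projects.find(
    (p) => p.id === projectId && p.organizationId === ctx.organizationId) || null;
}

// Handler shape: authorize first, then query; fail closed on any tenant error.
function handleListProjects(session, slug) {
  try {
    return { status: 200, body: listProjects(requireOrg(session, slug)) };
  } catch (e) {
    if (e instanceof TenantAccessError) return { status: 404, body: [] };
    throw e;
  }
}
```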

Access control

  • Role-based access within each organization: Owner, Admin, Member, Viewer.
  • API access (for integrations) uses scoped API keys with per-key permissions.

AI data handling

AI features route through the Vercel AI Gateway to Anthropic (and optionally OpenAI or Google). Under Vercel’s contract with these providers, your content is not retained for model training. We send only the portions of your organization’s data needed to generate the requested AI output.

Breach notification

On confirming a Personal Data breach affecting Customer data, we will notify affected Customers without undue delay and within 72 hours, consistent with our DPA.

Enterprise features on request

SSO (SAML), SCIM provisioning, formal compliance certifications (SOC 2, ISO 27001), custom data-residency arrangements, and external security audits are not currently available. If your procurement team requires any of these, contact security@rally10.com — we’ll prioritise based on customer demand.

Report a vulnerability

Email security@rally10.com. We welcome responsible disclosure and will not pursue good-faith security research.