Security is the foundation

Not a feature, not an add-on. Every layer of Apployd is built with security as the default.

🔐

AES-256-GCM Encryption

Every secret is encrypted at rest with AES-256-GCM and a unique IV. Decryption happens only at container injection time.

🛡

Read-Only Containers

All application containers run with read-only root filesystems by default, preventing runtime tampering and persistence attacks.

👥

Role-Based Access Control

Granular RBAC with owner, admin, developer, and viewer roles. Scope permissions per project, per team.

📋

Audit Logging

Every action — deploys, secret changes, team modifications — is logged with actor, timestamp, and IP for full traceability.

🌐

Network Isolation

Each project runs in its own Docker network. Inter-project communication is blocked by default with strict iptables rules.

📦

Minimal Base Images

Build artifacts run on distroless or Alpine-based images with no shell, no package manager, minimal attack surface.

Practices

Defense in depth

Secret Injection

Secrets never written to disk or build layers
Injected as environment variables at container start
Per-environment secret scoping (dev / staging / prod)
Automatic secret rotation support

Build Security

Isolated build environments per project
No root access during builds
Build cache separated per project
Automatic vulnerability scanning of base images

Runtime Security

Read-only filesystems enforced
No privileged containers
Resource limits (CPU, memory) per container
Health-check-driven restarts

Infrastructure

TLS everywhere — API, dashboard, inter-service
SSH key-based server authentication
Automatic certificate provisioning via Let's Encrypt
Reverse proxy with rate limiting and DDoS mitigation

Compliance

Compliance & certifications

SOC 2 Type IIIn Progress

GDPRActive

HIPAANot Supported

ISO 27001In Progress

Data ResidencyActive

Encryption at RestActive

Encryption in TransitActive

Audit TrailActive

Apployd is not currently HIPAA-compliant and does not provide a default Business Associate Agreement (BAA). Do not use the platform for PHI/HIPAA-regulated workloads unless a separate written agreement explicitly states support.

Architecture

Security architecture overview

┌─────────────────────────────────────────────────┐
│                  HTTPS / TLS                     │
│  ┌─────────┐   ┌──────────┐   ┌──────────────┐  │
│  │ Dashboard│──▶│ API (mTLS)│──▶│  PostgreSQL   │  │
│  │  (Next)  │   │ (Fastify) │   │  (encrypted)  │  │
│  └─────────┘   └─────┬────┘   └──────────────┘  │
│                       │                           │
│               ┌───────▼───────┐                   │
│               │  Deploy Engine │                   │
│               │  (isolated)    │                   │
│               └───────┬───────┘                   │
│                       │                           │
│         ┌─────────────▼──────────────┐            │
│         │   Docker Network (per-proj) │            │
│         │  ┌──────┐ ┌──────┐ ┌─────┐ │            │
│         │  │ app  │ │ app  │ │ app │ │            │
│         │  │ (ro) │ │ (ro) │ │(ro) │ │            │
│         │  └──────┘ └──────┘ └─────┘ │            │
│         └────────────────────────────┘            │
└─────────────────────────────────────────────────┘

Responsible disclosure

Found a vulnerability? We take security reports seriously. Please email security@apployd.com and we'll respond within 24 hours.

Report a Vulnerability