Security & Privacy
Effective date: 28 MAR 2023Last reviewed: 2 Apr 2024Compliance reporting
Replay.io continuously monitors and reports primarily using System and Organization Controls (SOC) 2 Type 2. To receive a copy of the report please contact Support.
Our Approach to Secure Development
Replay employs a secure Software Development Lifecycle ("SDLC") to manage updates to the infrastructure and application. Key features of our SDLC include:
- Code reviews
- Source control access restrictions
- Source code dependency scanning
- Comprehensive audit & deployment logging
- Separated testing and production environments
Our Approach to Encryption
We maintain strict encryption standards and you can rest assured that your data is encrypted both in transit and at rest. Highlights of our encryption program includes:
- A+ Rating from SSL Labs around the SSL configuration of the application.
- Minimum requirement of TLS v1.2 for encryption in transit.
- AES 256 encryption used for data at rest.
Our Approach to Authentication
We support single sign-on via Google SAML 2.0, which includes Multi Factor Authentication, automated account provisioning/revocation and other features. We leave the controls in the hands of our users.
Our Approach to Access Control
Replay follows the principle of least privilege to all access granted within the organization. Access to key systems is also reviewed at least annually to ensure that access and permissions remain appropriate. In addition, multi-factor authentication is enabled for users to further protect the application and infrastructure.
Our Approach to Network Security
Replay takes network security very seriously and has worked hard to ensure the network is configured to protect our customer's data. Our controls include:
- Security team reviews of the firewall rules.
- Intelligent Threat Detection Tools constantly monitoring the environment.
Our Approach to Privacy
The privacy of everyone who uses our software must be respected. Replay has the power to see everything that happens in a program, and with that comes an immense responsibility to keep customer's data safe. We will maintain user privacy even if it prevents certain features from being built. Replay does the following to ensure privacy is maintained:
- Minimize data collection
- Replay does not sell customer data
- Customer data is not accessed through Replay's normal course of business
- Replay does not view or analyze your Replay's without your explicit permission
Our Approach to Session Replay
Replay uses LogRocket to record user sessions in order to diagnose issues after the fact and better understand how improve the product.
- LogRocket can be disabled in Preferences
- Sensitive user information is redacted
- Intellectual property such as source code, filenames, and runtime data is redacted
- Replay's DevTools are publicly available and we appreciate feedback on fields that should be redacted
Additional Information
This Security Overview is a summary of our information security framework. Please don't hesitate to reach out with questions at security@replay.io.