A Public Cloud for Security Nerds

They finally did it: they gave a bunch of vulnerability researchers final cut on the design of a whole cloud platform. It's called Fly.io, and it's no-footguns secure. Here's how we did it.

It All Starts With Hardware Isolation

Our tenants never share kernels. Fly.io runs containers by transmogrifying them into lightweight virtual machines running, under memory-safe hypervisors, on our own hardware around the world.

Add a Full-Time Security Team

Dedicated security engineering is the largest single team in our product engineering organization. We hire vulnerability researchers, hailing from some of the best known firms in the field, and set them loose — to build and break.


Then Encrypt All the Things!

Our network dial-tone is Jason Donenfeld's WireGuard protocol: once traffic hits our network, every hop on the path to its destination is encrypted. Apps on Fly.io get A-grade TLS with Let's Encrypt out of the box, built on the impeccable Rustls crate.

Yeah, We’re SOC 2 Type 2

We're certified, our hardware runs in ISO 27001 datacenters, we do BAAs, and we answer security questionnaires.


And Aggressively Pentested

Our third party pentests are delivered by the best and smartest firms in the business. Need an assessment yourself? These are the people you want to work with. We're happy to make introductions.

We're Happy To Jump On A Call

We've been doing this work for a long time. We like talking to security teams. If yours is going to have questions about running apps on Fly.io, put us in touch with them!

  • Secure-by-Default Private Networks

    No Terraform, no VPC configurations, no IAM: apps talk directly to each other on private networks with zero configuration.

  • Automatic Volume Encryption

    Fly Volumes are encrypted with keys stored in redundant industry-proven secret storage systems. Automatically encrypted storage with zero effort.

  • Global ActiveStorage Without the CDN

    Tigris Data is an S3-compatible object store with automatic global reach. It intelligently routes data to fit read patterns, minimizing latency. It's the only ActiveStorage backend that keeps files close to your users.

  • Managed Databases & Services

    Supabase for Postgres. LiteFS for SQLite. Upstash for a popular key/value store 😉. Fly.io's Omakase menu of fully managed services runs on our infrastructure right next to your app, keeping latency low and you productive.