A public cloud for security nerds

They finally did it: they gave a bunch of vulnerability researchers final cut on the design of a whole cloud platform. It's called Fly.io, and it's no-footguns secure. Here's how we did it.

It all starts with hardware isolation

Our tenants never share kernels. Fly.io runs containers by transmogrifying them into lightweight virtual machines running, under memory-safe hypervisors, on our own hardware around the world.

Now add a full-time security team

Dedicated security engineering is the largest single team in our product engineering organization. We hire vulnerability researchers, hailing from some of the best known firms in the field, and set them loose — to build and break.

Then encrypt all the things!

Our network dial-tone is Jason Donenfeld's WireGuard protocol: once traffic hits our network, every hop on the path to its destination is encrypted. Apps on Fly.io get A-grade TLS with LetsEncrypt out of the box, built on the impeccable Rustls crate.

Yeah, we're SOC 2 Type 2

We're certified, our hardware runs in ISO 270001 datacenters, we do BAAs, and we answer security questionnaires.

And aggressively pentested

Our third party pentests are delivered by the best and smartest firms in the business. Need an assessment yourself? These are the people you want to work with. We're happy to make introductions.

Security Features

We had fun with these.

  • Secure-by-default private networks

    No Terraform, no VPC configurations, no IAM: apps talk directly to each other on private networks with zero configuration.

  • Least-privilege dynamic access tokens

    We use Macaroons, the cryptography hipster gold standard. Our tokens express complex IAM-style role-based access control directly, and can be scoped down per-request.

  • Flexible Single Sign On

    Mandate SSO logins for specific groups of users, or for everybody. We directly integrate SSO controls with our tokens. And we won't tax you to death for using them.

  • Automatic Volume Encryption

    Fly Volumes are encrypted with keys stored in redundant industry-proven secret storage systems. Automatic encrypt storage with zero effort.

We're Happy To Jump On A Call

We've been doing this work for a long time. We like talking to security teams. If yours is going to have questions about running apps on Fly.io, put us in touch with them!

Set up a meet

Trusted by teams at

Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide Supabase Tailscale Tigris Upstash Turso Mailgun Fanatics Cars.com Apollo SavvyCal Acast Glide

Run secure apps close to your users, effortlessly

All the security benefits of a modern, memory hardened, virtualization environment without the hassle.

Speedrun your app