Security & Privacy

Replay.io continuously monitors and reports primarily using System and Organization Controls (SOC) 2 Type 2. To receive a copy of the report please contact Support.

Replay employs a secure Software Development Lifecycle ("SDLC") to manage updates to the infrastructure and application. Key features of our SDLC include:

• Code reviews
• Source control access restrictions
• Source code dependency scanning
• Comprehensive audit & deployment logging
• Separated testing and production environments

We maintain strict encryption standards and you can rest assured that your data is encrypted both in transit and at rest. Highlights of our encryption program includes:

• A+ Rating from SSL Labs around the SSL configuration of the application.
• Minimum requirement of TLS v1.2 for encryption in transit.
• AES 256 encryption used for data at rest.

We support single sign-on via Google SAML 2.0, which includes Multi Factor Authentication, automated account provisioning/revocation and other features. We leave the controls in the hands of our users.

Replay follows the principle of least privilege to all access granted within the organization. Access to key systems is also reviewed at least annually to ensure that access and permissions remain appropriate. In addition, multi-factor authentication is enabled for users to further protect the application and infrastructure.

Replay takes network security very seriously and has worked hard to ensure the network is configured to protect our customer's data. Our controls include:

• Security team reviews of the firewall rules.
• Intelligent Threat Detection Tools constantly monitoring the environment.

The privacy of everyone who uses our software must be respected. Replay has the power to see everything that happens in a program, and with that comes an immense responsibility to keep customer's data safe. We will maintain user privacy even if it prevents certain features from being built. Replay does the following to ensure privacy is maintained:

• Minimize data collection
• Replay does not sell customer data
• Customer data is not accessed through Replay's normal course of business
• Replay does not view or analyze your Replay's without your explicit permission

Replay uses LogRocket to record user sessions in order to diagnose issues after the fact and better understand how improve the product.

• LogRocket can be disabled in Preferences
• Sensitive user information is redacted
• Intellectual property such as source code, filenames, and runtime data is redacted
• Replay's DevTools are publicly available and we appreciate feedback on fields that should be redacted

This Security Overview is a summary of our information security framework. Please don't hesitate to reach out with questions at security@replay.io.