Skip to main content

Security Overview

Effective date: 19 July 2026

1. Overview

This page describes the technical and organisational measures Ratelimitly Technologies - FZCO applies to the Service. It is incorporated into the Terms of Service and the Data Protection Addendum. We describe what we actually do — as an early-access product we do not yet hold formal certifications, and we say so rather than imply otherwise.

2. Architecture and data minimisation

  • The data plane operates on rate-limit check metadata — tenant keys, counters, timing. It is designed not to receive your application's request or response payloads.
  • The control plane (dashboard, billing, API key management) is hosted separately from the data plane.
  • Tenant traffic is segregated by tenant key throughout.

3. Encryption and authentication

  • Web and API traffic to the control plane is encrypted in transit with TLS.
  • Customer sign-in uses short-lived magic links (valid 15 minutes, single use) rather than long-lived passwords; where passwords exist they are stored only as salted hashes.
  • Sessions use signed cookies with a 14-day lifetime.
  • Payment credentials are handled by Stripe; full card numbers never reach our systems.

4. Access control and operations

  • Production access is restricted to authorised personnel and uses scoped, least-privilege credentials per system.
  • Infrastructure credentials are separated by function (deployment, DNS, fleet control).
  • Operational logging supports investigation of abuse and incidents.

5. Hosting

The Service runs on the infrastructure providers listed at /legal/sub-processors, who operate physically secured, industry-certified data centres.

6. Incident response

We investigate suspected incidents promptly. If we become aware of a personal data breach affecting customer data, we notify affected customers without undue delay, as described in the DPA.

7. Reporting a vulnerability

We welcome good-faith security research conducted without harming the Service or its users. Report vulnerabilities to contact@ratelimitly.com with enough detail to reproduce the issue. Do not access data that is not yours, degrade the Service, or disclose publicly before we have had a reasonable opportunity to fix the issue. We will acknowledge reports promptly and keep you informed.