Security Overview
Effective date: 19 July 2026
1. Overview
This page describes the technical and organisational measures Ratelimitly Technologies - FZCO applies to the Service. It is incorporated into the Terms of Service and the Data Protection Addendum. We describe what we actually do — as an early-access product we do not yet hold formal certifications, and we say so rather than imply otherwise.
2. Architecture and data minimisation
- The data plane operates on rate-limit check metadata — tenant keys, counters, timing. It is designed not to receive your application's request or response payloads.
- The control plane (dashboard, billing, API key management) is hosted separately from the data plane.
- Tenant traffic is segregated by tenant key throughout.
3. Encryption and authentication
- Web and API traffic to the control plane is encrypted in transit with TLS.
- Customer sign-in uses short-lived magic links (valid 15 minutes, single use) rather than long-lived passwords; where passwords exist they are stored only as salted hashes.
- Sessions use signed cookies with a 14-day lifetime.
- Payment credentials are handled by Stripe; full card numbers never reach our systems.
4. Access control and operations
- Production access is restricted to authorised personnel and uses scoped, least-privilege credentials per system.
- Infrastructure credentials are separated by function (deployment, DNS, fleet control).
- Operational logging supports investigation of abuse and incidents.
5. Hosting
The Service runs on the infrastructure providers listed at /legal/sub-processors, who operate physically secured, industry-certified data centres.
6. Incident response
We investigate suspected incidents promptly. If we become aware of a personal data breach affecting customer data, we notify affected customers without undue delay, as described in the DPA.
7. Reporting a vulnerability
We welcome good-faith security research conducted without harming the Service or its users. Report vulnerabilities to contact@ratelimitly.com with enough detail to reproduce the issue. Do not access data that is not yours, degrade the Service, or disclose publicly before we have had a reasonable opportunity to fix the issue. We will acknowledge reports promptly and keep you informed.