Security and Privacy

Securing your customer’s data is core to Rally’s DNA and has been our top priority from day one. Check out all the security and privacy measures that we’ve put in place to protect your data and keep your research process compliant.

SOC 2 Type II

Rally is SOC 2 Type II certified, demonstrating we have the appropriate controls in place to mitigate risks related to security, privacy, confidentiality, availability, and processing integrity.

To request a copy of our SOC 2 Type II report, email us at

GDPR + CCPA Compliant

Rally is GDPR and CCPA compliant and is committed to helping our customers comply with GDPR and CCPA for their research. We enable our customers to fulfill all the data subject rights requirements under the GDPR.

HIPAA Compliance

HIPAA (Health Insurance Portability and Accountability Act) compliance signifies that Rally adheres to strict security and privacy standards set by the U.S. Department of Health and Human Services. This compliance ensures that protected health information (PHI) is handled and stored securely, safeguarding participant confidentiality and privacy.

Read more about Rally's HIPAA Compliance here

Consent and Opt-Out

Rally enables consent forms as part of the research recruitment process. We also provide unsubscribe and opt-out links for participants to remove themselves from panels or studies.

Right to be forgotten

Rally is committed to supporting users’ right to be forgotten. When removing user data within Rally, we ensure all data is removed from our system and our sub-processors. Users can request data deletion directly from Rally by emailing

Data portability

Within Rally, you can view all data associated with your user. For an export of this data, you can email

We never sell any data

Rally is focused on improving your research process, not selling your data. We will never sell any data.

Rally has a DPA for our customers in the EEA. Contact to receive a copy. Read more about commitments to GDPR and CCPA.


Application Security

Recurring penetration testing

Rally uses a third party to perform annual penetration tests to ensure there are no vulnerabilities in our application. To request a copy of our annual pentest, email

Data encryption at rest

All databases and backups are encrypted at rest with AES-256, block-level storage encryption.

Secure development process

Our development process follows the OWASP Top 10 security risks.

Passwordless login

Rally uses passwordless login for greater security and convenience for all our users. This means Rally will never store passwords.

Audit trail and logging

All access to user data is logged, whether by your own team members or Rally employees.

Data Networking & Security

Secure infrastructure

Rally uses top-tier cloud service providers to run all of our core infrastructure and databases. All of Rally's data is stored in data centers that are SOC 1, SOC 2, SOC 3, and ISO 27001 certified.

Monitoring & alerting

We’ve configured monitoring and alerting to detect anomalies in our network and help detect any potential threats.

Continuous backups

Rally uses AWS's continuous backup system to let us restore our databases back to any point within the past 7 days.

Data encrypted in transit

All data in transit is secured using SSL/TLS 1.2+ only. Rally uses HTTPS for our web app to protect sensitive data transmitted to and from our application.

Company Security

Mandatory training

Rally requires all new employees to complete security awareness training within the first thirty days of hire.

Employee background checks

Rally verifies that all new employees have a background check on file before their first day of work.

Bug Bounty Program

Rally Security Bounty

Rally takes security and privacy very seriously. Rally offers safe harbor to good-faith security researchers through a private bug bounty program with Federacy. If you would like to participate in the bug bounty program, please contact for an invitation to Federacy.