Security and Privacy
SOC 2 Type II
Rally is SOC 2 Type II certified, demonstrating we have the appropriate controls in place to mitigate risks related to security, privacy, confidentiality, availability, and processing integrity.
To request a copy of our SOC 2 Type II report, email us at [email protected].
GDPR + CCPA Compliant
Rally is GDPR and CCPA compliant and is committed to helping our customers comply with GDPR and CCPA for their research. We enable our customers to fulfill all the data subject rights requirements under the GDPR.
HIPAA Compliance
HIPAA (Health Insurance Portability and Accountability Act) compliance signifies that Rally adheres to strict security and privacy standards set by the U.S. Department of Health and Human Services. This compliance ensures that protected health information (PHI) is handled and stored securely, safeguarding participant confidentiality and privacy.
Consent and Opt-Out
Rally enables consent forms as part of the research recruitment process. We also provide unsubscribe and opt-out links for participants to remove themselves from panels or studies.
Right to be forgotten
Rally is committed to supporting users’ right to be forgotten. When removing user data within Rally, we ensure all data is removed from our system and our sub-processors. Users can request data deletion directly from Rally by emailing [email protected].
Data portability
Within Rally, you can view all data associated with your user. For an export of this data, you can email [email protected].
We never sell any data
Rally is focused on improving your research process, not selling your data. We will never sell any data.
Rally has a DPA for our customers in the EEA. Contact [email protected] to receive a copy. Read more about commitments to GDPR and CCPA.
Application Security
Recurring penetration testing
Rally uses a third-party to perform annual penetration tests to ensure there are no vulnerabilities in our application. To request a copy of our annual pentest, email [email protected].
Data encryption at rest
All databases and backups are encrypted at rest with AES-256, block-level storage encryption.
Secure development process
Following OWASP Top 10 security risks.
Passwordless login
Rally uses passwordless login for greater security and convenience for all our users. This means Rally will never store passwords.
Audit trail and logging
All access to user data is logged, whether by your own team members or Rally employees.
Data Networking & Security
Secure infrastructure
Rally uses top-tier cloud service providers to run all of our core infrastructure and databases. All of Rally's data stored in data centers are SOC 1, SOC 2, SOC 3, and ISO 27001 certified.
Monitoring & alerting
We’ve configured monitoring and alerting to detect for anomalies in our network and help detect against any potential threats.
Continuous backups
Rally uses AWS's continuous backup system to let us restore our databases back to any point within the past 7 days.
Data encrypted in transit
All data in-transit is secured using SSL/TLS 1.2+ only. Rally uses HTTPS for our web app to protect sensitive data transmitted to and from our application.
Company Security
Mandatory training
Rally requires all new employees to complete security awareness training within the first thirty days of hire.
Employee background checks
Rally verifies that all new employees have a background check on file before their first day of work.
Rally Security Bounty
Rally takes security and privacy very seriously. Rally offers safe harbor to good-faith security researchers through a private bug bounty program with Federacy. If you would like to participate in the bug bounty program, please contact [email protected] for an invitation to Federacy.