Security & Compliance
Firefly is built with a strong security model and compliance in mind. This section provides an overview of how Firefly handles data security and what compliance standards it adheres to.
Data Encryption & Handling
Firefly protects customer data both in transit and at rest. All data in transit between Firefly and your environment is encrypted using SSL/TLS (HTTPS), ensuring secure communication. Within the Firefly platform, sensitive data is stored securely: for example, secrets are kept in HashiCorp Vault, and databases use encryption (AES-256 for data at rest) with managed keys. The Firefly service operates inside a private cloud network (VPC), and access to backend systems is tightly controlled (restricted via bastion hosts and internal networks). In summary, Firefly's architecture follows industry best practices to prevent unauthorized access and protect your configuration data.
Firefly does not access or store your cloud workload data (e.g., the contents of S3 buckets or VM file systems). It only scans metadata and configurations. Per Firefly's data handling policy, no personally identifiable information (PII) or customer data is collected during scanning. This principle of least access ensures Firefly only gathers the information needed for infrastructure management (like resource settings and state) and nothing more.
Data Privacy & AI Usage
At Firefly, we prioritize your data privacy and security. When using our AI-powered features, we do not use customer information to train any AI models. Your data remains under your control and is only used to enhance your experience with the platform. We adhere to strict privacy standards to ensure that your information is not exposed or utilized for purposes outside of delivering our services.
Compliance Standards
Firefly meets several compliance standards to give you confidence in using the platform. Firefly is SOC 2 Type II certified, demonstrating that it has strict controls for security, availability, and confidentiality of customer data. Additionally, Firefly aligns with other industry standards and regulations such as ISO 27001 (information security management) and GDPR (data protection requirements). HIPAA and other frameworks are also considered in Firefly's practices, and the platform is designed to help customers maintain compliance by providing audit trails and proper security guardrails.
All compliance certifications and attestations are documented on Firefly's Trust & Security portal. Firefly undergoes regular third-party audits and assessments (for example, annual SOC 2 audits and penetration testing) to validate its security controls. Customers can request access to Firefly's SOC 2 report or other compliance documentation if needed for their vendor security reviews.
IP Whitelisting (Network Access)
Firefly is a cloud service that needs access to your cloud configurations (via cloud provider APIs and state files). In most cases, integration is done via cloud IAM roles or read-only access keys, so allowing Firefly by IP is not necessary. However, if your environment has strict firewall rules or IP allowlists, you should ensure that Firefly's services can communicate with your infrastructure and vice versa. This may include whitelisting Firefly's service domain (e.g. app.firefly.ai) or specific static IP ranges that Firefly uses for outbound scanning.
For example, if you restrict access to your Terraform state storage (such as an AWS S3 bucket with IP-based policies) or API endpoints, you will need to add Firefly to the allowlist. The current Firefly IP addresses to whitelist are:
3.224.145.192
54.83.245.177
3.213.167.195
54.146.252.237
34.226.97.113
Ensuring these addresses are permitted will allow Firefly's platform to fetch state files and listen to cloud events without interruption.
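The following Terraform fragment is an added example of the S3 bucket policy described above; it is not taken from Firefly's documentation or Firefly's own code. It assumes the state bucket already exists (looked up by the `state_bucket_name` variable), that your own CI runners or office NAT egress from a range you substitute for the placeholder `203.0.113.0/24` (an RFC 5737 documentation range), and that in-VPC access to the bucket goes through a gateway endpoint whose ID you pass as `state_vpc_endpoint_id`. The five Firefly addresses are the ones listed on this page, each as a /32.

```hcl
# Example only: restrict a Terraform state bucket to Firefly's scanning IPs,
# your own egress range, and an in-VPC endpoint. Everything else is denied.

variable "state_bucket_name" {
  description = "Name of the existing S3 bucket holding Terraform state"
  type        = string
}

variable "state_vpc_endpoint_id" {
  description = "Placeholder: S3 gateway endpoint ID used by in-VPC clients (e.g. vpce-0123456789abcdef0)"
  type        = string
}

locals {
  # Firefly's outbound scanning addresses, as listed on this page.
  firefly_ips = [
    "3.224.145.192/32",
    "54.83.245.177/32",
    "3.213.167.195/32",
    "54.146.252.237/32",
    "34.226.97.113/32",
  ]

  # Placeholder for your own public egress (CI runners, office NAT).
  # 203.0.113.0/24 is a documentation range; replace it before applying,
  # otherwise the apply itself will be denied on the next run.
  own_egress_cidrs = ["203.0.113.0/24"]

  allowed_cidrs = concat(local.firefly_ips, local.own_egress_cidrs)
}

data "aws_s3_bucket" "state" {
  bucket = var.state_bucket_name
}

data "aws_iam_policy_document" "state_allowlist" {
  statement {
    sid    = "DenyStateAccessOutsideAllowlist"
    effect = "Deny"

    # Applies to every principal, including the account's own users and roles.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      data.aws_s3_bucket.state.arn,
      "${data.aws_s3_bucket.state.arn}/*",
    ]

    # Both conditions must hold for the Deny to apply, i.e. the request comes
    # neither from an allowlisted public IP nor through the named VPC endpoint.
    # Requests via the endpoint carry no aws:SourceIp, so the second condition
    # is what lets in-VPC clients through.
    condition {
      test     = "NotIpAddress"
      variable = "aws:SourceIp"
      values   = local.allowed_cidrs
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [var.state_vpc_endpoint_id]
    }
  }
}

resource "aws_s3_bucket_policy" "state_allowlist" {
  bucket = data.aws_s3_bucket.state.id
  policy = data.aws_iam_policy_document.state_allowlist.json
}
```

Because the statement is an explicit Deny with `Principal: "*"`, it overrides any Allow an IAM policy grants, so anything not in `allowed_cidrs` or behind the endpoint (including the console session or pipeline that applies this configuration) loses access. Apply it first to a non-production bucket, confirm Firefly's state scanning still succeeds, and keep a documented path to remove the policy before rolling it out to the real state bucket.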
Additional Resources
For more details on Firefly's security and compliance practices, refer to the Firefly Trust Center. It contains up-to-date information on certifications, policies, and security FAQs. You can also review Firefly's Data Protection Policy and other documents (available upon request or via the Trust Center) for a deeper dive into how Firefly safeguards customer data and meets regulatory requirements.