LogoLogo
  • Welcome to Firefly Documentation
  • Introduction
    • What is Firefly?
    • Who is Firefly for?
    • Why use Firefly?
    • Terminology (Glossary)
  • Key Features
    • Infrastructure-as-Code Automation
    • Cloud Asset Inventory
    • Drift Detection & Remediation
    • Policy-as-Code for Compliance & Governance
    • Cost Visibility & Optimization
    • AI Assistant
    • ChatOps Integration
  • Getting Started
    • Account Setup & Onboarding
    • Connecting Cloud Accounts
    • UI Walkthrough & Navigation
    • First Steps in Firefly
  • Detailed Guides
    • Dashboard Overview
    • Cloud Asset Inventory
      • Remediating Drifts
      • Deleting Assets
      • Creating IaC-Ignore Rules
      • Creating Exclude-Drift Rules
    • Policy & Governance
      • Creating Policy-as-Code Governance Rules
      • Remediating Policy Violations
    • Workflows & Guardrails
      • Creating Workflows
      • Creating Guardrail Rules
    • Codification
    • Self-Service
    • IaC Explorer
    • Event Center
    • Backup and Disaster Recovery
    • Notifications
    • User Management
    • SSO Configuration
  • Integrations
    • Integrations Overview
    • Integrating Data Sources
      • AWS
      • Azure
      • Google Cloud
      • Kubernetes
      • Akamai
      • Datadog
      • New Relic
      • Okta
      • GitHub
      • Cloudflare
      • NS1
      • PagerDuty
      • MongoDB Atlas
      • HashiCorp Vault
    • Integrating IaC Remote State
      • Terraform Cloud
      • Google Cloud Storage
      • env0
      • HashiCorp Consul
    • Integrating Version Control
      • GitHub
      • GitLab
      • Azure DevOps
      • CodeCommit
      • Bitbucket
    • Integrating Notifications
      • Slack
      • Microsoft Teams
      • PagerDuty
      • Opsgenie
      • Torq
      • Webex
      • Google Chat
      • Webhook
    • Integrating Project Management
      • Jira
      • ServiceNow
    • Integrating Workflows with CI/CD
    • Integrating Backstage
    • Integrating MCP
  • Use Cases & Best Practices
    • Cloud Governance & Visibility
    • Cost Optimization Strategies
    • Compliance and Security Best Practices
    • Infrastructure Automation & Self-Service
    • Best Practices and Implementation Tips
  • Analytics & Reporting
    • Analytics Dashboard Overview
    • Using Analytics for Improvement
    • Exporting and Sharing Reports
    • Analytics Security and Privacy
  • Code Snippets & Examples
    • Terraform Snippet for an AWS EC2 Instance (Codified via Firefly)
    • Example Rego Policy (OPA) for a Custom Rule
    • GitHub Actions Workflow YAML for Firefly Integration
    • JSON Output Example: Exporting Inventory
  • Troubleshooting & FAQs
    • Common Issues and Solutions
    • FAQs
  • General Information
    • Firefly API
      • Authentication
      • Inventory
      • Codification
      • Workflows
      • Self-Service
      • Policy & Governance
      • IaC Explorer
      • Event Center
      • Backup & Disaster Recovery
      • Notifications
      • Integrations
      • Identity & Access Management
    • Security & Compliance
    • Pricing Tiers & Add-ons
    • Contacting Support
Powered by GitBook
On this page
  • Data Encryption & Handling
  • Data Privacy & AI Usage
  • Compliance Standards
  • IP Whitelisting (Network Access)
  • Additional Resources

Was this helpful?

  1. General Information

Security & Compliance

Firefly is built with a strong security model and compliance in mind. This section provides an overview of how Firefly handles data security and what compliance standards it adheres to.

Data Encryption & Handling

Firefly protects customer data both in transit and at rest. All data in transit between Firefly and your environment is encrypted using SSL/TLS (HTTPS), ensuring secure communication. Within the Firefly platform, sensitive data is stored securely: for example, secrets are kept in HashiCorp Vault, and databases use encryption (AES-256 for data at rest) with managed keys. The Firefly service operates inside a private cloud network (VPC), and access to backend systems is tightly controlled (restricted via bastion hosts and internal networks). In summary, Firefly's architecture follows industry best practices to prevent unauthorized access and protect your configuration data.

Firefly does not access or store your cloud workload data (e.g., the contents of S3 buckets or VM file systems). It only scans metadata and configurations. Per Firefly's data handling policy, no personal identifiable information (PII) or customer customer-data is collected during scanning. This principle of least access ensures Firefly only gathers the information needed for infrastructure management (like resource settings and state) and nothing more.

Data Privacy & AI Usage

At Firefly, we prioritize your data privacy and security. When using our AI-powered features, we do not use customer information to train any AI models. Your data remains under your control and is only used to enhance your experience with the platform. We adhere to strict privacy standards to ensure that your information is not exposed or utilized for purposes outside of delivering our services.

Compliance Standards

Firefly meets several compliance standards to give you confidence in using the platform. Firefly is SOC 2 Type II certified, demonstrating that it has strict controls for security, availability, and confidentiality of customer data. Additionally, Firefly aligns with other industry standards and regulations such as ISO 27001 (information security management) and GDPR (data protection requirements). HIPAA and other frameworks are also considered in Firefly's practices, and the platform is designed to help customers maintain compliance by providing audit trails and proper security guardrails.

All compliance certifications and attestations are documented on Firefly's Trust & Security portal. Firefly undergoes regular third-party audits and assessments (for example, annual SOC2 audits and penetration testing) to validate its security controls. Customers can request access to Firefly's SOC2 report or other compliance documentation if needed for their vendor security reviews.

IP Whitelisting (Network Access)

Firefly is a cloud service that needs access to your cloud configurations (via cloud provider APIs and state files). In most cases, integration is done via cloud IAM roles or read-only access keys, so allowing Firefly by IP is not necessary. However, if your environment has strict firewall rules or IP allowlists, you should ensure that Firefly's services can communicate with your infrastructure and vice versa. This may include whitelisting Firefly's service domain (e.g. app.firefly.ai) or specific static IP ranges that Firefly uses for outbound scanning.

For example, if you restrict access to your Terraform state storage (such as an AWS S3 bucket with IP-based policies) or API endpoints, you will need to add Firefly to the allowlist. The current Firefly IP addresses to whitelist are:

  • 3.224.145.192

  • 54.83.245.177

  • 3.213.167.195

  • 54.146.252.237

  • 34.226.97.113

Ensuring these addresses are permitted will allow Firefly's platform to fetch state files and listen to cloud events without interruption.

Additional Resources

PreviousIdentity & Access ManagementNextPricing Tiers & Add-ons

Last updated 1 month ago

Was this helpful?

For more details on Firefly's security and compliance practices, refer to the . It contains up-to-date information on certifications, policies, and security FAQs. You can also review Firefly's Data Protection Policy and other documents (available upon request or via the Trust Center) for a deeper dive into how Firefly safeguards customer data and meets regulatory requirements.

Firefly Trust Center