Customer Trust Center

Redis’s hosted and self-managed products are engineered to help customers meet their security and compliance standards in a way that is appropriate for their use case in order to keep their information safe. The information on this page is intended to help customers better understand the security features and configurations of Redis Enterprise products as well as Redis’ commitment to security and privacy.

HIPAA

Redis offers a HIPAA-compliant business associate agreement (BAA) for our HIPAA-secure Redis Enterprise Cloud services.

SOC 2

Redis maintains a SOC 2 Type II report for security, confidentiality, and availability for Redis Enterprise Cloud and Support services.

PRIVACY

Redis prioritizes data protection, control, and compliance with applicable privacy regulations.

Privacy

Redis is fully committed to being transparent about how we collect, use, and protect data received by Redis. Please see the Redis Privacy Policy for more information. View our up-to-date list of sub-processors on the Redis Legal Notices page.

Compliance

Redis maintains a written information security program that is compliant with applicable data protection law. This program takes into account the appropriate administrative, technical, and physical safeguards and is designed to provide a level of security appropriate to the risk presented by the processing and the nature of the data to be protected.

Redis operates in compliance with internationally recognized information security standards and regulations. Redis uses independent third-party firm(s) to conduct audits related to security controls. At least annually, an independent, reputable, third-party firm will investigate and prepare an SSAE 18 Type II, specifically a SOC 2 Type II, compliance report and certification based on such investigations (“SOC 2”). The scope of the SOC 2 will cover attestations of availability, security, privacy, processing integrity, disaster recovery, backup, and contingency plans and systems, and confidentiality, as appropriate.

Our approach to security

Redis takes the security of our customers and our software seriously. We strive for a layered, defense-in-depth approach to defending our systems, and strive for as much transparency as possible in articulating our security posture to our customers. Below is a summary overview of our security and privacy programs.

Monitoring and notification

Our security team is alerted to any abnormal activity and continually ensures the security of your data. We have incident response processes in place and we routinely test ourselves against them to ensure we’re ready for an event if the need arises. If we do experience a confirmed security incident, we will notify affected customers promptly, but no later than 72 hours from the time Redis is able to reasonably identify and investigate the security breach, or 72 hours from the time that Redis is notified that the security breach has directly affected your data. Redis will work with you to provide applicable information regarding the outcome of its investigation, and such other information as you may reasonably request.

Redis provides updates regarding known outages pertaining to the Cloud Services. For high-level availability information about Redis Cloud, please visit our Redis Operations Status page.

Data integrity

For Redis Cloud customers, logical separation keeps data isolated and safe. Transport layer security (TLS) uses encryption to protect data from unauthorized access while in transit. Customers are strongly encouraged to enable TLS on all their databases. Additionally, Redis supports encryption at rest for all cloud providers, with persistence enabled. Redis leverages industry-standard encryption and the native encryption key management services provided by the major cloud providers.

Security testing

Different types of security testing are engaged to achieve different results. Our approach is to use the most suitable method to achieve the right result. We conduct a number of different activities including penetration tests, red team tests, code reviews, vulnerability scanning, and anything else we can think of!

We believe that active collaboration with the security research community is a vital part of securing the software and infrastructure that powers our global community of Redis Geeks. We strive for excellence in our security posture, and research by the community plays a vital role in helping us spot unanticipated attack vectors or potential blind spots. Visit our vulnerability disclosure program on HackerOne and become an active participant!

Software Development Life Cycle

Redis manages information systems using an industry-standard Software Development Life Cycle (“SDLC”) that incorporates information security considerations, defines and documents information security roles and responsibilities throughout the SDLC, identifies individuals having such roles or responsibilities, and integrates Redis’ information security risk management process into SDLC activities. The Redis SDLC policy includes internal security testing, third-party penetration testing, and processes for prioritizing issues identified during testing based on the criticality of the risk, mitigation efforts, and likelihood of exploitation.

Resiliency by default

Our infrastructure and supporting systems are built for resiliency. Redis Enterprise Cloud was built to withstand system or hardware failures with the intent to have very little or no customer impact. Redis is deployed across multiple availability zones within the same region so that your Redis deployment can withstand an availability-zone failure.

Supply chain trust

We recognize supply chain risk is a threat, and we have appropriate processes in place to ensure our third-party providers meet the security standards we’re committed to. Each of our third-party providers undergoes thorough reviews to ensure the security of the services being provided.

Access controls

Access to Cloud infrastructure is tightly controlled and periodically audited. Only authorized Redis team members have access to Cloud infrastructure on an as-needed basis, and access is controlled by multiple factors. Redis leverages industry-standard measures such as logical and physical security access controls, role-based and least-privilege access, and strong authentication mechanisms designed to protect data and to guard against unauthorized access.

Shared security responsibility

Some aspects of the Cloud Services must be configured by you based on your organization’s needs. You are responsible for the security configurations in your Redis databases and the Cloud Services admin console. Visit our Cloud Services shared responsibility model to learn more.

Security documentation

By using the Cloud Services, you agree to follow best practices when configuring and deploying the Cloud Services and to follow the Cloud Services security best practices.

If you are using another product, such as Redis Enterprise Software that you have deployed yourself, please consult with the applicable Redis Enterprise Software – Security Documentation, as the Measures contained in this document may not apply unless your organization also follows them, and you have enabled the proper security configuration(s) when deploying your Redis Enterprise Software.

Redis Cloud Security Whitepaper