Redis’s hosted and self-managed products are engineered to help customers meet their security and compliance standards in a way that is appropriate for their use case in order to keep their information safe. The information on this page is intended to help customers better understand the security features and configurations of Redis Enterprise products as well as Redis’ commitment to security and privacy.
Redis maintains a SOC2 Type II report for security, confidentiality, and availability for Redis Enterprise Cloud and Support services.
The ISO/IEC 27001:2013 certification demonstrates Redis’ approach for implementing, maintaining and improving our entire information security management system (ISMS).
Redis implements the ISO 9001 standard to demonstrate our ability to consistently provide products and services that meet our customer and regulatory requirements.
Redis has worked with DISA to produce a STIG for Redis Enterprise 6.X that provides guidelines on how to implement Redis in a secure manner.
Redis offers a HIPAA-compliant business associate agreement (BAA) for our HIPAA-secure Redis Enterprise Cloud services.
Redis maintains a VPAT for Redis Enterprise 6.X to ensure that the needs of all consumers can be met and addressed. The VPAT will be provided upon request.
Redis prioritizes data protection, control, and compliance with applicable privacy regulations.
Redis operates in compliance with internationally recognized information security standards and regulations. Redis undergoes independent verification of platform security, privacy, and compliance controls.
Redis takes the security of our customers and our software seriously. We strive for a layered, defense-in-depth approach to defending our systems, and strive for as much transparency as possible in articulating our security posture to our customers. Below is a summary overview of our security and privacy programs.
Our security team is alerted to any abnormal activity and continually ensures the security of your data. We have incident response processes in place and we routinely test ourselves against them to ensure we’re ready for an event if the need arises. If we do experience a confirmed security incident, we will notify affected customers promptly, but no later than 72 hours from the time Redis is able to reasonably identify and investigate the security breach, or 72 hours from the time that Redis is notified that the security breach has directly affected your data. Redis will work with you to provide applicable information regarding the outcome of its investigation, and such other information as you may reasonably request.
Redis provides updates regarding known outages pertaining to the Cloud Services. For high-level availability information on Redis Cloud, please visit our Redis Operations Status page.
For Redis Cloud Customers, logical separation keeps data isolated and safe. Transport layer security (TLS) uses encryption to protect data from unauthorized access while in transit. Customers are strongly encouraged to enable TLS on all their databases. Additionally, Redis supports encryption at rest for all cloud providers, with persistence enabled. Redis leverages industry-standard encryption and the native encryption key management services provided by the major cloud providers.
Different types of security testing are engaged to achieve different results. Our approach is to use the most suitable method to achieve the right result. We conduct a number of different activities including penetration tests, red team tests, code reviews, vulnerability scanning, and anything else we can think of!
We believe that active collaboration with the security research community is a vital part of securing the software and infrastructure that powers our global community of Redis Geeks. We strive for excellence in our security posture, and research by the community plays a vital role in helping us spot unanticipated attack vectors or potential blind spots. Visit our vulnerability disclosure program on HackerOne and become an active participant!
Redis manages information systems using an industry-standard Software Development Life Cycle (“SDLC”) that incorporates information security considerations, defines and documents information security roles and responsibilities throughout the SDLC, identifies individuals having such roles or responsibilities, and integrates Redis’ information security risk management process into SDLC activities. The Redis SDLC policy includes internal security testing, third-party penetration testing, and processes for prioritizing issues found during testing based on the criticality of the risk, mitigation efforts, and likelihood of exploitation.
Our infrastructure and supporting systems are built for resiliency. Redis Enterprise Cloud was built to withstand system or hardware failures with the intent to have very little or no customer impact. Redis is deployed across multiple availability zones within the same region so that your Redis deployment can withstand an availability-zone failure.
We recognize supply chain risk is a threat and we have appropriate processes in place to ensure our third-party providers meet the security standards we’re committed to. Each of our third-party providers undergoes thorough reviews to ensure the security of the services being provided.
Access to Cloud infrastructure is tightly controlled and periodically audited. Only authorized Redis team members have access to Cloud infrastructure on an as-needed basis, and access is controlled by multiple factors. Redis leverages industry-standard measures such as logical and physical security access controls, role-based and least-privilege access, and strong authentication mechanisms designed to protect data and guard against unauthorized access.
Some aspects of the Cloud Services must be configured by you based on your organization’s needs. You are responsible for the security configurations in your Redis databases and the Cloud Services admin console. Visit our Cloud Services shared responsibility model to learn more.
By using the Cloud Services, you agree to follow best practices when configuring and deploying the Cloud Services and to follow the Cloud Services security best practices.
If you are using another product, such as Redis Enterprise Software that you have deployed yourself, please consult with the applicable Redis Enterprise Software – Security Documentation, as the Measures contained in this document may not apply unless your organization also follows them, and you have enabled the proper security configuration(s) when deploying your Redis Enterprise Software.