Public traffic
TLS at the edge
Adios manages certificates for platform routes and custom domains.
Security & Trust
How Adios protects your apps in production.
Adios runs apps behind managed gateways, keeps secrets out of source, and isolates workloads with Linux runtime controls. This page explains what we handle, what you control, and where our certification work stands.
Application secrets
Out of source
Use secret:// references so credentials stay out of your repo.
Runtime execution
Isolated
Linux namespaces and cgroups help keep workloads separated.
Adios audits
In progress
SOC 2 and ISO 27001 work is underway. Reports are not final yet.
Security Controls
Platform features that help keep apps and users safe.
These are the parts of Adios users rely on day to day: safe public routes, secure runtimes, private internal networking, secrets outside source, tenant boundaries, and deploy records you can inspect.
01
TLS and encryption
Adios manages TLS for platform routes and verified custom domains, then sends traffic through the gateway before it reaches your app.
02
Secure runtime
Apps run in restricted runtime sandboxes with Linux namespace support and resource limits where the selected runtime supports them.
03
Private internal networking
Gateway, worker, and platform traffic can use WireGuard-backed private paths so internal services do not need to be exposed publicly.
04
Secrets outside source
Use secret:// references for credentials, API keys, and private tokens. Adios resolves them only for the build or runtime path that needs them.
05
Tenant boundaries
Teams, apps, routes, databases, workflows, and runtime records are scoped through platform APIs so one tenant's resources stay separate from another's.
06
Deploys you can inspect
Adios keeps source artifacts, build records, route state, replica health, runtime logs, and workflow runs visible from the platform.
Who Owns What
Security works best when the lines are clear.
You control your code and dependencies. Adios manages the platform and runtime. Infrastructure providers handle the physical facilities they operate.
1
Application layer
Customer controlledCode, framework configuration, adios.yaml, and secret references
You own your application code, dependencies, framework settings, routes, and how your code reads secrets.
2
Control plane
Adios managedAuthenticated APIs, teams, build records, and domain routing
Adios manages the APIs for workspaces, source artifacts, builds, user permissions, domains, routes, and deploy state.
3
Runtime layer
Adios managedRuntime sandboxes, private networking, and resource limits
Adios operates the runtime hosts, manages private networking, and enforces CPU, memory, process, and network limits.
4
Provider layer
Facility providersPhysical servers, power, networks, and facility controls
Adios uses established infrastructure providers, including Vultr, for parts of the platform. Physical security and facility certifications remain with those providers.
Certification Status
SOC 2 and ISO 27001 are in progress.
Adios-owned certifications are not complete yet. Provider reports can support the infrastructure layer, but they do not replace Adios product audits.
Adios SOC 2
In progress
SOC 2 work is in progress. We will publish updates when reports are available.
Adios ISO 27001
In progress
ISO 27001 work is in progress. Controls are being built with this path in mind.
Infrastructure providers
Provider layer
Provider reports may cover the facilities and infrastructure services they operate. They do not replace Adios-owned certifications.
Responsible Disclosure
Found a security issue? Tell us.
Email us with enough detail to reproduce the issue. Please avoid testing that disrupts service or touches another tenant's data.
[email protected]1
Send enough detail
Include affected URLs, request IDs, reproduction steps, a small proof of concept, and the impact you expect.
2
Avoid destructive testing
Do not access other tenants' data, modify production code, run denial-of-service tests, or try to stay inside host systems.
3
Work with us on timing
We review valid reports, prioritize fixes, and coordinate public credit after the issue is resolved when appropriate.