Security and compliance at Ably

As a provider of serious, serverless realtime messaging infrastructure, we bake security into everything we do. From network-level attack mitigation to individual message-level encryption, you never need to worry about security and compliance.



  • SSL/TLS encryption available for every customer.
  • 256-bit AES encryption available using your private key, meaning no one, even Ably, can read your messages without your private key.
  • All client-to-server communication is secured by SSL/TLS, ensuring server-to-server communication is always secure.


DoS protection

  • We can detect and deny invalid connection attempts at the edge of our network, ensuring our core infrastructure is unaffected.
  • Our near-limitless scale means we can mitigate huge increases in traffic and defend against DDoS attacks - so you benefit from our scale as attacks have no effect on your own servers.
  • Low TTLs on DNS routing mean we can route real users away from data centres under attack.
  • We rate limit requests by account, app, token, key and IP address.



  • Token-based authentication, including JWT support, ensures API keys remain private, and compromised tokens have limited value because of their expiration.
  • Support for basic authentication over SSL/TLS connections for authentication convenience.


Privilege-based access




  • SOC 2 Type II

    Ably is in the process of completing a formal third-party SOC 2 Type II audit of our product, infrastructure, and policies. Formal certification is scheduled for 2021.

  • HIPAA


    Ably offers HIPAA BAA agreements to companies in the healthcare industry that must comply with regulations for safeguarding.

  • ISO 27001

    Ably's info-sec systems are designed and implemented to provide a robust monitoring framework. ISO 27001 requires completing a formal third-party audit for certification. For more information, please get in touch.


EU GDPR-compliant

  • Any usage of personal data is communicated with the proper consent.
  • Personal data is properly collected, stored, and documented.
  • Relevant processes are followed for transfers of personal data outside the European Union.
  • For more information, see our data protection and privacy policies.

EU and US-only data storage

  • Control routing of your data streams.
  • Store data and realtime messages solely within the EU or US.
With approximately 290,000 passenger trips a day, it is vital that Metra deliver real-time updates for train arrival information. With the tools made available by Ably, Metra is able to deliver real-time data to customers quickly, dependably, and cost-effectively, which proves beneficial for both Metra and Metra passengers.

Cherie Kizer

CIO / Metra