Security & Compliance

Enterprise-grade protection
for your design system.

Security isn't just a feature; it's the foundation of trust. Modly implements strong encryption, rigorous access controls, and SOC 2 Type II compliance to keep your modules and data safe.

Certified Compliance

Trusted by global enterprises

We adhere to recognized compliance frameworks and data-protection regulations so that you know where your data lives and under which legal terms it is processed.

SOC 2 Type II

We undergo an annual, independent audit covering both the design and the operating effectiveness of our controls for the security, availability, and confidentiality trust services criteria. Our SOC 2 report is available upon request to all Enterprise customers.

GDPR Compliant

We are GDPR-ready: a Data Processing Agreement (DPA) is available, and a Right to Erasure process is in place. Your user data and design tokens are handled according to EU data-protection requirements.

CCPA Ready

We respect user privacy rights under the California Consumer Privacy Act. Our platform provides clear consent management and data export capabilities.

US-EU Data Transfers

Our infrastructure is designed to support compliant cross-border data transfers. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data out of the EEA, so that GDPR protections follow your data into every region where we operate.

Data Security

Defense in depth for every data layer

From the moment data leaves your design file to when it's rendered in production, it is protected by multiple layers of security.

At-Rest Encryption

All data stored in Modly is encrypted at rest with AES-256. This applies to design tokens, module definitions, user files, and audit logs.

In-Transit Encryption

We enforce TLS 1.3 for all data in transit between your browser, our API, and external integrations such as Figma. We never transmit data unencrypted.

Key Management

For Enterprise customers, we offer Bring Your Own Key (BYOK) integration with AWS KMS. The encryption key lives in your AWS account, you manage its lifecycle (rotation, auditing via CloudTrail), and disabling or revoking the key immediately cuts off Modly's ability to decrypt your data.
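As an added illustration of what a BYOK setup typically involves (this is a generic AWS KMS key policy written for this page, not Modly's actual integration; the account IDs and the role name ModlyDataPlane are placeholders), the key policy below keeps all key administration with the customer account and grants the vendor principal only the cryptographic operations it needs:

```json
{
  "Version": "2012-10-17",
  "Id": "example-byok-key-policy",
  "Statement": [
    {
      "Sid": "CustomerAdministersTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "VendorMayOnlyUseTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::999999999999:role/ModlyDataPlane" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

The second statement deliberately omits kms:DisableKey, kms:ScheduleKeyDeletion, and kms:PutKeyPolicy, so the vendor can use the key but never change or remove it; disabling the key from the customer side is the revocation switch the paragraph above describes. Replace the placeholder account IDs and role name with the values your vendor provides.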

Access Controls

Granular control over who sees what

SSO & Identity

Secure your workspace with Single Sign-On (SSO) support for SAML 2.0 and OIDC. Integrate seamlessly with Okta, Azure AD, Google Workspace, and more.

Role-Based Access

Define custom roles with role-based access control (RBAC). Assign separate permissions for viewing, editing, publishing, and managing team settings, so each user holds only the rights their job requires.

Audit Logs

Every action is logged. Track who changed a component, when a module was published, and who accessed sensitive settings with immutable audit trails.

Infrastructure

Global, redundant, and resilient

Modly runs on a highly distributed AWS architecture across multiple Availability Zones (AZs). We use a multi-region deployment strategy to ensure high availability and disaster recovery.

Regions: US East (N. Virginia), US West (Oregon), EU (Frankfurt), Asia Pacific (Singapore).
Uptime SLA: 99.9% (Enterprise)
Disaster Recovery (DR): Automated daily backups plus continuous point-in-time recovery (RPO: under 15 minutes, RTO: under 1 hour).

Vulnerability Management

Penetration testing & transparency

Third-Party Audits

Our security posture is verified by independent penetration testing firms. We publish a summary of each engagement's findings and their remediation status (with sensitive technical details redacted) to demonstrate our commitment to transparency.

Automated Scanning

Our continuous integration pipelines run static and dynamic application security testing (SAST/DAST) on every deploy. We scan for the vulnerability classes in the OWASP Top 10 before anything goes live.

Security FAQ

Frequently asked security questions

Who owns the data stored in Modly?

You own your data. Modly provides a platform service and claims no rights to the content you store in it. You retain full rights to your design systems, tokens, and module definitions, and you can export all of your data at any time.

Does Modly offer self-hosting options?

Yes. For Enterprise customers, we offer a self-hosted deployment that runs inside your own AWS VPC or on your on-premises infrastructure, giving you maximum control over data residency.

How do you handle security incidents?

We have a formal Incident Response Plan (IRP) in place. In the unlikely event of a breach, we notify affected customers without undue delay and no later than 72 hours after confirming the incident, so that you can meet your own notification obligations under GDPR and similar laws. We then provide a post-incident report covering root cause, affected data, and remediation steps.

Are there any third-party integrations that access my data?

Modly has a vetted marketplace of integrations (e.g., Figma, GitHub, Jira). Each integration requires OAuth 2.0 or API tokens with scoped permissions. We do not sell or share your data with third-party advertisers.

What is your policy on open-source software?

We use industry-standard open-source components for our infrastructure stack. We maintain a Software Bill of Materials (SBOM) and scan our dependencies for known vulnerabilities using tools like Snyk.

Can I request a penetration test of my own organization's usage?

Absolutely. We welcome and encourage security assessments of our platform; please coordinate scope and timing with our security team before testing. For Enterprise clients, we can facilitate a white-box testing engagement to validate your specific security architecture.

Need more assurance?

Our security team is here to help

Whether you need a formal audit report, a demo of our access controls, or want to discuss a custom data residency solution, we're ready to talk.

We treat security as a shared responsibility. We secure the platform; you secure your accounts, roles, integrations, and the data you put in it.