Trust & security

Security isn't a feature. It's the foundation.

The Remmy exists because some apps simply don't belong on the public internet. Everything we build starts from a single idea: your apps and your data should be private by default, opened only by the people you trust.

Compliance & posture

Updated June 2, 2026

SOC 2 Type II
Status: In progress
Actively working toward our report with a third-party auditor.

Encryption in transit & at rest
Status: Live
TLS everywhere, encrypted storage by default.

Single sign-on (SSO)
Status: Live
Your company identity provider gates every app.

Audit logging
Status: Live
A clear, exportable record of setup and changes.

Our SOC 2 Type II examination is underway. Building in your own cloud means much of the heavy lifting — encryption, access control, and isolation — already lives in infrastructure you control and audit. Ask for our current status or security overview.

Built by people who've done this before

The Remmy is developed by engineers who have shipped financial applications and built enterprise-grade software in highly regulated environments — where access control, auditability, and data handling aren't afterthoughts. We brought those same standards to a product small teams can actually use, without a security team of their own.

How we keep things safe

Private by default

Your apps run in a private space in your own cloud — not on a shared public URL strangers can discover or probe. Private isn't an upsell; it's the only mode.

Company login, every time

Access is gated by your company's single sign-on. You decide who gets in — by team, role, or individual — and there's no anonymous public entry point for internal tools.

Your cloud, your keys

Sensitive data and credentials stay in accounts you own. We request only the limited, secure access needed to deploy and operate your apps — we never hold the master keys.

Checks before every launch

Before an app goes live, The Remmy runs security checks as part of the launch flow — so risky configuration is caught early, not after something is already exposed.

Auditable by design

Every setup and change is written down in a plain, exportable history. You always know what happened, when, and by whom — ready to hand to any reviewer.

No lock-in

You retain ownership of your apps and infrastructure. If you move on, everything hands over cleanly — no proprietary hosting or opaque configuration holding you hostage.

Found something? Tell us.

We welcome responsible disclosure. If you believe you've found a vulnerability, email security@theremmy.com and we'll respond as promptly as we can. Please give us a reasonable window to investigate and fix before any public disclosure.