Security

Learn more about Apify's security practices and data protection measures that are used to protect your Actors, their data, and the Apify platform in general.


SOC 2 Type II compliance

The Apify platform is SOC 2 Type II compliant. This means that we have undergone an independent audit to ensure that our information security practices, policies, procedures, and operations comply with SOC 2 standards for security, availability, and confidentiality of customer data.

To learn more, read the announcement and visit our Trust Center for additional information or to request a copy of our SOC 2 Type II report.

Trust center

To learn more about Apify's security practices, data protection measures, and compliance certifications, please visit our Trust Center. The Trust Center includes:

  • List of our security certifications and compliance reports
  • Information about Apify's data protection controls
  • List of Apify's data subprocessors
  • An AI chatbot to answer your security-related questions

Security Whitepaper

At Apify, security is our top priority every day. Security best practices are reflected in our development, deployment, monitoring, and project management processes. Read the Apify Security Whitepaper for a comprehensive description of Apify's security measures and commitments.

Vulnerability disclosure policy

We invite security researchers, ethical hackers, and the broader community to help us keep Apify safe by reporting any potential security vulnerabilities or weaknesses. Your responsible disclosure helps protect our users and strengthen the Apify platform.

Scope: The following Apify services and domains are eligible for security research and responsible reporting:

Please use your personal account for research purposes. Free accounts are sufficient for most testing.

Out-of-scope:

  • Issues with third-party systems
  • Clickjacking on non-sensitive pages
  • SPF/DKIM/DMARC or other email configuration issues
  • Best practices or informational findings without impact
  • Denial of Service (DoS), brute-force attacks, and resource exhaustion
  • Social engineering, phishing, or physical attacks
  • Attacks requiring MITM or stolen credentials

We are especially interested in reports that demonstrate:

  • Unauthorized access to data
  • Elevation of privileges
  • Server-side vulnerabilities (e.g., SSRF, RCE)
  • Cross-site scripting (XSS) and injection attacks
  • Logic flaws impacting account integrity or billing
  • Authentication/authorization issues
  • Data leaks due to misconfiguration

Reporting process

If you notice or suspect a potential security issue, please report it to our security team at security@apify.com with as much detail as possible, including the following:

  • Clear description of the issue
  • Step-by-step reproduction instructions
  • PoC (screenshots or code snippets)
  • Impact analysis
  • Affected URL or endpoint

Rules of engagement

  • Only target accounts or data you control (test accounts)
  • Never disrupt our services or other users
  • Avoid privacy violations and do not destroy or alter data
  • Automated scanners are not permitted without prior approval
  • No spam, DoS, or social engineering
  • Submit one vulnerability per report (unless chaining is required)

If you follow these guidelines and act in good faith, we will not take legal action against you for responsibly reporting a security issue.

Crucial rules and legal obligations

Please adhere strictly to the following rules. Failure to do so may result in legal action:

  • Do not publicly disclose vulnerabilities until resolved. This ensures that the issue can be properly evaluated and mitigated before being exposed to potential exploitation.
  • Treat all related information as confidential. Any details about a vulnerability you are reporting are considered confidential information and cannot be disclosed unless explicitly approved by Apify in writing.
  • Comply with all legal terms. As per our Terms of Service, you must not take any action that might cause an overload, disruption, or denial of service, result in unauthorized access to another user's data, or have a similar adverse effect on Apify's services or other users.

Securing your data

The Apify platform provides you with multiple ways to secure your data, including encrypted environment variables for storing your configuration secrets and encrypted input for securing the input parameters of your Actors.