Platform Overview - Security

Ruly maintains, according to industry best practices, reasonable and appropriate administrative, technical and physical security controls to ensure the confidentiality, integrity and availability of Customer Data.

Ruly does not share Customer Data with any other entity, or use Customer Data for its own purposes. 

Data remains under the control and ownership of the customer indefinitely. In the event that a customer leaves the platform, they may export or download a full copy of their database.

Architecture

Ruly is a self-contained, Microsoft Azure cloud-hosted platform for developing multi-user, scalable, database/web software applications. The platform consists of three primary components:

  • a back-end database
  • a REST API and
  • a front-end application used to create and run customer-developed applications 

Database

Each customer has a separate, self-contained database with that customer’s individual application data and metadata.

  • Data is stored in Azure SQL Server and uses standard SQL Server tables and field types
  • Databases are encrypted
  • Data tables use synthetic ID keys with an optional compound index that can be used to uniquely identify records for import/export purposes
  • The database manages referential integrity between tables, unique indexes, and required fields

REST API

All access to data goes through the REST API. It is divided into an Administrator component, used to build applications, and a Data component, used by customer applications to retrieve and update data.

Users authenticate to the API using OAuth 2.0/OpenID Connect and are issued an access token and a refresh token that are used for subsequent requests to the API.

The Business Rule Engine enforces complex data integrity constraints and executes actions when a record is updated.

The API Endpoints filter the data returned according to the Security Roles granted to the authenticated user.

Front End Application

The front end is a single-page architecture application built using React. It is used both to build and execute applications.

Applications and application logic are stored as metadata in the customer databases.

There is no caching of data by the front-end.

Security

The OWASP Top 10 and the OWASP Low-Code/No-Code Top 10 represent a broad consensus about the most critical security risks to web applications and to applications built on low-code platforms.

Ruly software is designed and developed following the principles of the OWASP Top 10 to minimize the risk to customers’ data and the applications developed on its platform.

Design

Data access is controlled by the application administrator using the Admin Console Application.

Requests for data are filtered by the security layer of the back-end API according to the privileges granted to the user. The front end performs no security filtering; authorization is enforced entirely by the back-end API.

There are no application back doors or hidden accounts that can access data.

The customer Administrator controls access to data using the following security features:

Users/Roles. Users are granted roles (Security Groups) and roles are then granted access to tables or other privileges.

Table Security. Rights to data tables are configurable for all CRUD operations and assigned to roles.

Row-level Security. Individual rows within tables can be secured using filter criteria or by using a query.

Field Security. Individual fields (columns) within a table can be secured independently of the rights granted on the table as a whole.

Tree Security. Tree tables (tables defined with a hierarchical structure) can be secured by tree node. A role assigned to a node can only see records at that node or at a lower position in the tree hierarchy.

Operation Security. Administrators create operations that may update, create or delete data. Operations are executed by Buttons and by Rules, and the two triggers are authorized differently:

  • An operation linked to a button will not execute unless that operation is granted to the user's role.
  • An operation linked to a rule always executes when the rule fires, provided the user has privileges to update the table on which the rule is defined; the operation itself does not need to be granted to the user's role. When granting update rights on a table, account for the operations its rules can trigger.
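The following is an added worked example, written for this page and not Ruly's own code, that models how the security features listed above compose when the back-end API answers a request: table rights first, then tree-node scope, then the row-level filter, then field security, and separately the button-versus-rule distinction for operations. Everything in it is an assumption made for illustration: the Role structure, the sample departments and orders tables, the role names, and the choice that a user's effective rights are the union of their roles (a column is hidden only when every role that admits the row hides it). It is written in Python so that it runs stand-alone.

```python
"""Illustrative model of the layered authorization described above. Added
example, not Ruly's code; all names, sample tables and the assumption that a
user's effective rights are the union of their roles are made up here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Row = Dict[str, object]

@dataclass
class Role:
    name: str
    table_rights: Dict[str, Set[str]] = field(default_factory=dict)   # table -> CRUD ops
    row_filters: Dict[str, Callable[[Row], bool]] = field(default_factory=dict)
    hidden_fields: Dict[str, Set[str]] = field(default_factory=dict)  # table -> columns
    tree_nodes: Dict[str, object] = field(default_factory=dict)       # tree table -> node id
    operations: Set[str] = field(default_factory=set)                 # button-triggerable ops

def ancestors_and_self(node_id, nodes_by_id: Dict[object, Row]) -> Set[object]:
    """Ids on the path from node_id up to the root; a parent_id cycle is a data error."""
    path, current = set(), node_id
    while current is not None:
        if current in path:
            raise ValueError(f"cycle in tree at node {current!r}")
        path.add(current)
        current = nodes_by_id[current].get("parent_id")
    return path

def has_table_right(roles: List[Role], table: str, op: str) -> bool:
    return any(op in r.table_rights.get(table, set()) for r in roles)

def _role_admits(role: Role, table: str, row: Row, nodes_by_id) -> bool:
    # Tree security: the role sees only its assigned node and the subtree below it.
    node = role.tree_nodes.get(table)
    if node is not None and node not in ancestors_and_self(row["id"], nodes_by_id):
        return False
    flt = role.row_filters.get(table)          # row-level security predicate
    return flt is None or flt(row)

def visible_rows(roles: List[Role], table: str, rows: List[Row]) -> List[Row]:
    """Rows of `table` (pass the whole table) a user holding `roles` may read,
    with secured columns removed. Order: table right, tree scope, row filter,
    field security. Input rows are left unmodified."""
    if not has_table_right(roles, table, "read"):
        return []                               # no table right: nothing leaves the API
    nodes_by_id = {r["id"]: r for r in rows}
    result = []
    for row in rows:
        admitting = [r for r in roles if "read" in r.table_rights.get(table, set())
                     and _role_admits(r, table, row, nodes_by_id)]
        if not admitting:
            continue
        # A column stays hidden only if every role admitting this row hides it.
        hidden = set.intersection(*(r.hidden_fields.get(table, set()) for r in admitting))
        result.append({k: v for k, v in row.items() if k not in hidden})
    return result

def can_run_operation(roles: List[Role], operation: str, trigger: str,
                      rule_table: Optional[str] = None) -> bool:
    """Button: the operation itself must be granted to one of the roles. Rule: runs
    whenever the user may update the rule's table, even if the operation was never
    granted, so update rights on a table with rules carry the rules' operations too."""
    if trigger == "button":
        return any(operation in r.operations for r in roles)
    if trigger == "rule":
        return rule_table is not None and has_table_right(roles, rule_table, "update")
    raise ValueError(f"unknown trigger {trigger!r}")

# Constructed sample data: a tree table of departments and a flat orders table.
DEPARTMENTS = [
    {"id": 1, "name": "HQ", "parent_id": None},
    {"id": 2, "name": "Sales", "parent_id": 1},
    {"id": 3, "name": "Sales EMEA", "parent_id": 2},
    {"id": 4, "name": "Engineering", "parent_id": 1},
]
ORDERS = [
    {"id": 10, "region": "EMEA", "amount": 900, "margin": 0.31},
    {"id": 11, "region": "APAC", "amount": 400, "margin": 0.12},
    {"id": 12, "region": "EMEA", "amount": 150, "margin": 0.05},
]
SALES_EMEA = Role("sales_emea",
                  table_rights={"orders": {"read", "update"}, "departments": {"read"}},
                  row_filters={"orders": lambda r: r["region"] == "EMEA"},
                  hidden_fields={"orders": {"margin"}},
                  tree_nodes={"departments": 2},          # sees Sales and below
                  operations={"send_quote"})
FINANCE = Role("finance",
               table_rights={"orders": {"read"}, "departments": {"read"}},
               operations={"approve_order"})
ALICE = [SALES_EMEA]                  # roles of a sales user
BOB = [FINANCE]                       # roles of a finance user
CAROL = [SALES_EMEA, FINANCE]         # holds both roles

if __name__ == "__main__":
    print(visible_rows(ALICE, "orders", ORDERS))                          # EMEA rows, no margin
    print([r["name"] for r in visible_rows(ALICE, "departments", DEPARTMENTS)])
    print(can_run_operation(ALICE, "approve_order", "button"),            # False
          can_run_operation(ALICE, "approve_order", "rule", "orders"))    # True
```

Running the script shows the sales user receiving only EMEA orders with the margin column stripped and only the Sales subtree of the department tree, while the same user, who cannot press an "approve_order" button, would still have that operation run for them from a rule on a table they may update. That last case is why update rights on a table carrying rules deserve the same review as a direct grant of the operations those rules trigger.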

Uptime

Using a redundant, fault-tolerant architecture on a highly stable platform, Ruly achieved 99.97% uptime over the most recent 18-month period (Jan 2023 – Jun 2024).

Backups

Backups support point-in-time recovery for the preceding 7 days and are held in zone-redundant storage in Azure vaults. Beyond that window, weekly and monthly backups are retained for up to 1 year.