Last updated: 1 May 2026

An honest description of what we have in place, what is in progress, and what is still planned. We do not claim certifications we have not earned.
HTTPS on every external connection. HSTS preload eligible.
Supabase managed Postgres + Storage encryption at rest.
WhatsApp + Gmail OAuth tokens encrypted with AES-256-GCM before write.
Email/password with bcrypt-style hashing. Magic link supported.
Required on Supabase, Vercel, Stripe, GitHub, Cloudflare, Resend admin consoles.
No agent can read another agent's data. Agency RLS is opt-in and gated by role.
KEO > Admin > Agent. KEO-only routes for compliance and SSO config.
Behind RELAY_SSO_ENABLED feature flag. Per-agency provider id, domain match in /login.
Formal review cadence + signoff. Currently ad-hoc.
Every AI draft, send, score, stage change, lead create/delete recorded with 5-year retention.
Per-service ping log feeds the public 30-day uptime number on /status.
Currently spot-checked. Routine weekly review cadence not yet formalised.
Supabase daily backup, same Singapore region. Tested restore once per quarter.
Internal doc covering breach notification timeline (PDPA: within 3 days of assessing notifiability).
Sub-processor list maintained. Formal annual vendor review not yet scheduled.
Server-only env vars on Vercel + a secrets vault for shared credentials.
Scheduled Q3 2026 with an external CREST-accredited testing firm. Not yet performed.
Internal gap analysis live (KEO-only inside the app). Engagement with an auditor planned for H2 2026. Relay is NOT SOC 2 certified.
Not pursued. We will say so honestly until that changes.
Email [email protected]. We acknowledge within 1 business day. We do not have a paid bug bounty programme yet — but we credit responsible disclosures publicly with the reporter's permission.
This document was prepared by Relay's product team and is not a substitute for legal advice.