Data Residency

• Database & Auth (Supabase Postgres): Singapore — ap-southeast-1. Project ref xefnemdcbxhbrcarxqiy.
• Application hosting (Vercel): primary edge region sin1 (Singapore). Vercel may serve static assets from other points of presence; dynamic API routes execute in Singapore unless an outage forces failover.
• File storage (Supabase Storage): co-located with the database in Singapore.
• Email routing (Cloudflare Email Routing + Resend): inbound forwarded leads are processed at the closest Cloudflare edge, then handed to Relay over HTTPS. Outbound transactional email is sent via Resend (US) — no customer lead data is sent through Resend; only operational notifications to agents (account, billing, security alerts).
• AI inference (Anthropic Claude API): US-hosted. Requests carry only the lead text + voice profile needed to draft a reply. Anthropic does not retain content for training under their commercial API terms.
• Payments (Stripe): Stripe Singapore Pte Ltd processes card payments. Card numbers never reach Relay infrastructure.

No other region holds production customer data.

• Customer agents: read/write only to their own rows via Supabase Row-Level Security (RLS) policies. Solo agents cannot see another agent's leads. Agency members can read agency-wide data only when their agency_role permits it.
• Relay operator (founder): service-role access for incident response, migrations, and customer support. All such access is logged. No marketing or analytics teams have access — Relay does not have those teams.
• Sub-processors: Supabase, Vercel, Cloudflare, Anthropic, Stripe, Resend — each under their own data-protection commitments. See the DPA for the full list with addresses and roles.
• No third-party analytics in production. No Google Analytics, no Segment, no Mixpanel, no Hotjar.

• In transit: TLS 1.2+ (HTTPS) on every external connection. HSTS preload eligible. WebSockets for realtime tables also TLS-encrypted.
• At rest: Supabase Postgres uses AES-256 at the storage layer (managed by AWS for the underlying RDS-style infrastructure). Storage buckets are encrypted at rest by Supabase Storage.
• Sensitive tokens: WhatsApp Cloud API access tokens and Gmail OAuth refresh tokens are encrypted at the application layer with AES-256-GCM (lib/crypto.ts) before being written to the database. Decryption happens only inside server routes.
• Passwords: hashed by Supabase Auth using bcrypt-style derivation. Plaintext passwords are never stored or logged.
• Backups: Supabase daily backups are encrypted at rest and live in the same Singapore region.

• Active customer data — kept for the lifetime of the account.
• Forwarded lead emails, drafts, conversation history — kept until the agent deletes the lead, or until account closure.
• Account closure — personal data and lead data purged within 30 days.
• Billing and tax records — retained for 5 years to meet Singapore IRAS and accounting requirements.
• Audit log (audit_log table) — retained for 5 years per CEA Practice Circulars 02/2024 and 03/2024.
• System health checks — retained for 30 days, used to compute the public uptime number on the /status page.

Where data must leave Singapore — primarily for AI inference (Anthropic, US) and outbound transactional email (Resend, US) — Relay relies on the recipient's contractual safeguards equivalent to the PDPA Transfer Limitation Obligation under section 26 of the PDPA. We do not transfer customer lead text outside Singapore for marketing, analytics, or model training.

• Data export: agents can export leads + drafts as CSV from the dashboard at any time.
• Data deletion: email [email protected]. We respond within 30 calendar days as required by PDPA.
• Sub-processor list updates: material changes are communicated by email at least 14 days before they take effect.

• We do not sell personal data.
• We do not share data with marketing partners.
• We do not use forwarded lead text or voice samples to train third-party AI models.
• We do not deploy advertising or tracking cookies.
• We do not store payment card numbers — Stripe holds those under PCI-DSS Level 1.

If you are a procurement officer evaluating Relay for an agency rollout, you can:

• Request a current sub-processor list and DPA via [email protected].
• Pull live system status and 30-day uptime from tryrelay.pro/status.
• Review SOC 2 readiness gaps with us before signing — we maintain an internal control ledger and will share the current state under NDA. We do not claim certification we have not earned.