Relay

Security

Security and Privacy at Relay

We believe that security isn't a feature—it's a foundation. In the sections below, we detail how we implement comprehensive protection across our product, data, infrastructure, and organizational practices.

Security Principles

Our security posture is built on four foundational principles that guide every decision we make. They shape our product development, infrastructure design, and organizational practices, ensuring security is embedded at every level.

Shifting Left

Security is built into every stage of development, not bolted on at the end. We catch and address vulnerabilities early — when they're fastest and cheapest to fix.

Principle of Least Privilege

Every system, service, and person gets only the access they need — nothing more. Limiting access at every layer limits the blast radius of any incident.

Defense in Depth

No single control is relied upon. We layer multiple independent security controls so that if one fails, others remain in place to protect your data.

Trust But Verify

Even trusted systems and people are subject to logging, monitoring, and periodic review. We assume nothing and verify continuously.

Our Security Framework

We organize our security across four interconnected areas, each essential to protecting your data and ensuring platform reliability. These areas work together to create comprehensive protection—no single pillar stands alone. Together, they ensure security is embedded across every dimension of our platform.

Data Security

  • All data encrypted at rest using AES-256
  • All data encrypted in transit via TLS 1.2+
  • Regular encrypted backups with tested restore procedures

Infrastructure Security

  • Hosted on Google Cloud with industry-standard security configurations
  • Regular patching and security updates
  • DDoS protection and network-level threat mitigation

Product Security

  • Code reviews and automated static analysis on every change
  • Package dependency and supply chain security monitoring
  • Regular vulnerability scanning

Organizational Security

  • Security awareness training for all employees
  • Third-party vendor security reviews
  • Periodic access reviews and offboarding procedures

Responsible Disclosure

If you discover a security vulnerability in Relay, we ask that you report it to us responsibly. Please email security@relay.us with a description of the vulnerability and steps to reproduce it.

We commit to acknowledging your report within 72 hours and working with you to understand and address the issue promptly. We appreciate the work of security researchers in keeping our platform safe.