Security

Last updated: March 2026

This page describes the security practices currently in place at Relay, as well as areas where we plan to improve. We believe in being transparent about our security posture, especially as an early-stage project.

Relay is a pre-incorporation, beta-stage platform. We have not undergone formal security audits, do not hold SOC 2 or other compliance certifications, and have not completed third-party penetration testing. What follows is an honest account of what we have in place today and what we intend to build toward.

What We Have in Place

Encryption

  • In transit: All connections to the Relay API and website are encrypted using TLS. Audio uploads and downloads use HTTPS exclusively.
  • At rest: Audio files stored in AWS S3 use server-side encryption (AES-256). Database records in AWS RDS are encrypted at rest. Model artifacts and embedding files are stored in encrypted S3 buckets.

Authentication and Access Control

  • User authentication is handled by Clerk, a dedicated identity platform that supports email/password, Google, and GitHub authentication methods.
  • API access is controlled through scoped API keys tied to your account.
  • All API requests are authenticated and authorized against your tenant. You cannot access data belonging to other accounts.

Tenant Isolation

  • All data access is scoped to your tenant at the application layer. Database queries include tenant-level filtering on every request.
  • Audio files, embeddings, and model artifacts are stored with tenant-specific key prefixes in S3.
  • Custom ML models are trained exclusively on your data and are not shared across accounts.

Infrastructure

  • Hosted on AWS in the us-east-2 (Ohio) region.
  • Application and database servers run in private subnets within a Virtual Private Cloud (VPC), not directly accessible from the public internet.
  • Database credentials are stored in AWS Secrets Manager, not in application code or environment variables.
  • Infrastructure is defined as code using Terraform, providing a reviewable and repeatable deployment process.
  • Application services run on AWS ECS Fargate, which provides container-level isolation without managing underlying servers.

Data Handling

  • Audio uploads use presigned URLs, meaning files are transferred directly from your client to S3 without passing through our application servers.
  • Presigned URLs are short-lived and scoped to specific operations (upload or download).
  • Payment information is handled entirely by Stripe (PCI DSS Level 1 certified). We do not store, process, or have access to full card numbers.

What We Do Not Have (Yet)

In the interest of honesty, here is what is not currently in place. We list these so you can make an informed decision about whether Relay's current security posture meets your requirements.

  • No SOC 2 certification. We have not undergone a SOC 2 Type I or Type II audit.
  • No HIPAA compliance. Relay is not HIPAA-compliant. Do not upload audio containing protected health information (PHI).
  • No third-party penetration testing. We have not engaged a third-party firm to conduct penetration testing.
  • No formal incident response plan. We do not have a documented, tested incident response procedure at this time.
  • No SSO/SAML. Enterprise single sign-on is not yet available.
  • No bug bounty program. We do not currently operate a formal bug bounty program, though we welcome responsible disclosures.

Security Roadmap

The following are goals we intend to pursue as the project matures. These are not commitments or guarantees, but priorities we are working toward:

  • Engage a third-party firm for penetration testing.
  • Implement a formal incident response plan and runbook.
  • Begin SOC 2 Type I readiness assessment.
  • Add rate limiting and enhanced API abuse detection.
  • Introduce SSO/SAML support for enterprise accounts.
  • Implement audit logging for administrative actions.
  • Establish a formal vulnerability disclosure and bug bounty program.

Responsible Disclosure

If you discover a security vulnerability in Relay, we ask that you report it to us responsibly. Please email details of the vulnerability to sales@relayai.dev with the subject line "Security Vulnerability Report."

We ask that you:

  • Allow us reasonable time to investigate and address the issue before making it public.
  • Avoid accessing, modifying, or deleting data belonging to other users.
  • Act in good faith to avoid disruption to the Service.

We will acknowledge receipt of your report within 48 hours and keep you informed of our progress toward a fix.

Contact

For security-related inquiries, please contact us at sales@relayai.dev.