Security Policy

Effective Date: January 1, 2026

Security is foundational to everything we build at Relay Vault. This policy outlines how we protect your data and maintain the highest security standards.

1. Security Certifications

We maintain industry-recognized certifications:

• SOC 2 Type II: Annual audits verify our security controls for data protection, availability, and confidentiality
• HIPAA Compliance: Full compliance with the Health Insurance Portability and Accountability Act
• ISO 27001: Information security management system certification (in progress)

2. Data Encryption

All data is encrypted at every layer:

• In Transit: TLS 1.3 encryption for all data transmitted between systems
• At Rest: AES-256 encryption for all stored data
• Key Management: Hardware Security Modules (HSMs) for cryptographic key storage and rotation

3. Infrastructure Security

Security is built into every layer of our infrastructure:

• Hosted on SOC 2 certified cloud infrastructure with redundant data centers
• Network segmentation and firewalls to isolate sensitive systems
• DDoS protection and Web Application Firewall (WAF) for all public-facing services
• Regular vulnerability scanning and penetration testing
• Immutable infrastructure with automated security patching

4. Access Control

Strict access controls protect your data at every level:

• Role-Based Access Control (RBAC): Users only have access to the resources they need
• Multi-Factor Authentication (MFA): Required for all employee access to production systems
• Single Sign-On (SSO): Support for SAML and OIDC integration with your identity provider
• Audit Logging: Comprehensive logging of all access and actions
• Principle of Least Privilege: Employees have minimal access necessary for their role

5. Application Security

Security is integrated throughout the development lifecycle:

• Secure coding practices and code review requirements
• Static Application Security Testing (SAST) on all code changes
• Dynamic Application Security Testing (DAST) in staging environments
• Dependency scanning for known vulnerabilities
• Regular third-party security assessments and penetration tests

6. Incident Response

Our incident response program includes:

• 24/7 security monitoring and alerting
• Documented incident response procedures with defined escalation paths
• Regular incident response drills and tabletop exercises
• Commitment to notify affected customers within 72 hours of confirming a security incident
• Post-incident review and remediation processes

7. Business Continuity

Continuity of service is ensured through:

• Multi-region data replication and failover capabilities
• Regular backup testing and disaster recovery drills
• Recovery Time Objective (RTO) of 4 hours for critical systems
• Recovery Point Objective (RPO) of 1 hour for transactional data
• Documented business continuity and disaster recovery plans

8. Employee Security

Every team member is trained and vetted:

• Background checks for all employees with access to customer data
• Mandatory security awareness training upon hire and annually
• Phishing simulations and ongoing security education
• Clear security policies and acceptable use guidelines
• Immediate access revocation upon employee departure

9. Vendor Security

Vendors are held to the same standards:

• Security assessments for all vendors with access to customer data
• Contractual security and privacy requirements
• Regular review of vendor security posture
• Data Processing Agreements (DPAs) with all sub-processors

10. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

security@relayvault.ai

We commit to acknowledging your report within 24 hours and will work with you to understand and resolve the issue promptly. We do not take legal action against researchers who follow responsible disclosure practices.

11. Contact Us

For questions about our security practices or to request our SOC 2 report, please contact us: