Security Policy

Effective Date: January 1, 2026

At Relay Vault, security is not an afterthought—it's foundational to everything we build. This Security Policy outlines our commitment to protecting your data and the measures we implement to maintain the highest security standards.

1. Security Certifications

Relay Vault maintains industry-recognized security certifications:

• SOC 2 Type II – Annual audits verify our security controls for data protection, availability, and confidentiality
• HIPAA Compliance – Full compliance with the Health Insurance Portability and Accountability Act
• ISO 27001 – Information security management system certification (in progress)

2. Data Encryption

All data is encrypted using industry-standard protocols:

• In Transit: TLS 1.3 encryption for all data transmitted between systems
• At Rest: AES-256 encryption for all stored data
• Key Management: Hardware Security Modules (HSMs) for cryptographic key storage and rotation

3. Infrastructure Security

Our infrastructure is designed with security at every layer:

• Hosted on SOC 2 certified cloud infrastructure with redundant data centers
• Network segmentation and firewalls to isolate sensitive systems
• DDoS protection and Web Application Firewall (WAF) for all public-facing services
• Regular vulnerability scanning and penetration testing
• Immutable infrastructure with automated security patching

4. Access Control

We implement strict access controls to protect your data:

• Role-Based Access Control (RBAC): Users only have access to the resources they need
• Multi-Factor Authentication (MFA): Required for all employee access to production systems
• Single Sign-On (SSO): Support for SAML and OIDC integration with your identity provider
• Audit Logging: Comprehensive logging of all access and actions
• Principle of Least Privilege: Employees have minimal access necessary for their role

5. Application Security

Security is integrated throughout our development lifecycle:

• Secure coding practices and code review requirements
• Static Application Security Testing (SAST) on all code changes
• Dynamic Application Security Testing (DAST) in staging environments
• Dependency scanning for known vulnerabilities
• Regular third-party security assessments and penetration tests

6. Incident Response

We maintain a comprehensive incident response program:

• 24/7 security monitoring and alerting
• Documented incident response procedures with defined escalation paths
• Regular incident response drills and tabletop exercises
• Commitment to notify affected customers within 72 hours of confirming a security incident
• Post-incident review and remediation processes

7. Business Continuity

We ensure continuity of service through:

• Multi-region data replication and failover capabilities
• Regular backup testing and disaster recovery drills
• Recovery Time Objective (RTO) of 4 hours for critical systems
• Recovery Point Objective (RPO) of 1 hour for transactional data
• Documented business continuity and disaster recovery plans

8. Employee Security

Our team is trained and vetted:

• Background checks for all employees with access to customer data
• Mandatory security awareness training upon hire and annually
• Phishing simulations and ongoing security education
• Clear security policies and acceptable use guidelines
• Immediate access revocation upon employee departure

9. Vendor Security

We hold our vendors to the same high standards:

• Security assessments for all vendors with access to customer data
• Contractual security and privacy requirements
• Regular review of vendor security posture
• Data Processing Agreements (DPAs) with all sub-processors

10. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:

security@relayvault.ai

We commit to acknowledging your report within 24 hours and will work with you to understand and resolve the issue promptly. We do not take legal action against researchers who follow responsible disclosure practices.

11. Contact Us

For questions about our security practices or to request our SOC 2 report, please contact us: