Trust & Security
How Relay protects your data, who we share it with, and the things we do not yet do. Written for procurement and security reviewers; useful for anyone deciding whether to give Thomas authority to email their team.
What you're trusting Relay with
When you connect Relay to your team, you give Thomas authority to read meeting transcripts, see who is responsible for which task, and send email on your behalf. That is meaningful trust. This page describes the people, processes, and infrastructure that earn it, and the things we have not yet built so you can decide with accurate information.
Relay is a Dutch company headquartered in Rotterdam. We are subject to the GDPR and the ePrivacy Directive. Our data processing is governed by Dutch law and disputes are heard in Rotterdam.
Where Relay runs
Relay is a thin layer over a small set of vetted, well-known infrastructure providers. We build on infrastructure we trust so we can spend our security effort on the parts we built ourselves.
- Application hosting: Cloudflare Workers (global edge). Static assets cached at the edge; secrets stored in Cloudflare's encrypted secret store.
- Database, authentication, file storage: Supabase (Postgres + Row-Level Security). Database is hosted in the EU (Frankfurt) by default for new projects.
- AI reasoning: Anthropic (Claude API). Used only for Thomas's reasoning, drafting, and review steps. Anthropic does not train on data submitted via their commercial API.
- Email send + receive: Resend. Outbound kickoff and follow-up emails, and the inbound reply pipeline that Thomas uses to update task state.
- Payments: Stripe (when paid plans launch). Card data never touches Relay's servers; we receive only the last four digits and a token.
Where your data lives and where it travels
Your workspace data, task content, and meeting transcripts are stored in Supabase's Frankfurt region (EU) by default. Authentication metadata is stored in the same region.
Two categories of data leave the EU during normal operation:
- Reasoning prompts to Anthropic (USA). When Thomas reasons about a task or drafts an email, the relevant context is sent to Anthropic's API. Transferred under the European Commission's Standard Contractual Clauses (SCCs).
- Email send via Resend (USA). Outbound mail transits Resend's US infrastructure. Same SCC mechanism.
All transfers are encrypted in transit (TLS 1.2+). Anthropic and Resend are both contractually bound, via signed data-processing agreements, to use the data only to provide the service we purchased from them.
How we protect data in practice
In transit: TLS 1.2 or higher on every connection. HSTS enforced. We do not accept unencrypted traffic.
At rest: AES-256 on the database, on file storage, and on backups. Passwords are hashed with bcrypt; we never store plaintext.
Access control: Postgres Row-Level Security enforced at the database layer. A workspace can only read its own rows, and the enforcement is in the database, not in application code. Production database access is limited to the engineers who need it, logged, and reviewed quarterly.
Authentication: Email + password (with bcrypt hashing), plus federated sign-in with Google, Apple, and Microsoft via Supabase Auth. Sessions stored as HTTP-only cookies. Tokens refreshed automatically; explicit sign-out revokes them immediately.
Email authentication: Outbound mail from Thomas is authenticated with SPF, DKIM, and DMARC so recipients can verify it really came from your workspace.
Build hygiene: Automated dependency and vulnerability scans run on every build. Secrets never enter the source repository; we use Cloudflare's secret store and Supabase's vault.
How long we keep your data
Pulled forward from the Privacy Policy so it lives next to the rest of the security story:
- Active accounts: workspace content stays available until you delete it or close the workspace.
- Closed accounts: 30 days after you close your account, all personal data and workspace content is permanently deleted from our production database. Backups age out within a further 60 days.
- Invoices and tax records: 7 years, as required by Dutch tax law.
- Telemetry and operational logs: 90 days, then irreversibly aggregated.
What we do if something goes wrong
If we discover a personal-data breach that is likely to result in a risk to your rights, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours, and notify affected workspace owners without undue delay.
Notification will include what happened, what data was affected, what we have done to contain and remediate, and what you should do next. We will not bury bad news in a status page; we will write to you directly.
What Thomas refuses to do
Thomas is autonomous within bounds. The bounds matter as much as the autonomy.
- Second-agent review before send. Every outbound email is scored 1–10 by a separate reviewer agent against the project's context. Drafts scoring below 7 are rewritten before send, not after.
- No cold outreach. Thomas only emails people who appear in the meeting transcript you uploaded or whom you explicitly added to the project. He does not enrich contacts, scrape LinkedIn, or use any third-party data source.
- No legally binding language. Thomas will not draft contracts, sign agreements, or commit you to financial terms.
- Escalation has a human-readable reason. Every escalation Thomas sends is paired with reasoning the project manager can see in the Command Center, so you can override before it lands if needed.
- You can pause Thomas at any time. One click in the Command Center halts all outbound mail for that project; nothing else changes.
What we have and what we don't yet have
Honest accounting. We will update this section as our certifications progress.
- GDPR compliant. See the Privacy Policy for the full lawful-basis and data-subject-rights story.
- DPA available on request. If your organisation requires a signed Data Processing Agreement before purchase, email security@tryrelay.tech and we will send our standard DPA.
- SOC 2 Type I: not yet pursued. Planned for late 2026 once we have a year of revenue runway to fund the audit.
- SOC 2 Type II: not yet pursued. Follows Type I.
- ISO 27001: not yet pursued. Will reconsider if requested by enterprise customers.
- Sub-processor change notice: 30 days before adding or replacing a sub-processor, with the right of objection for paid plans.
Found a security issue?
If you discover a vulnerability in Relay, email security@tryrelay.tech with a description, reproduction steps, and the impact you believe it has. We acknowledge within two business days, investigate, and credit responsible disclosures in our public changelog (with your permission).
We do not yet run a paid bug-bounty programme, but we will honour reasonable expenses for serious, responsibly-disclosed issues.
Please do not test against other customers' workspaces, attempt denial-of-service, or use social engineering against our team.
Who to reach for security and trust questions
Security questions, DPA requests, and vulnerability reports: security@tryrelay.tech.
Privacy questions and data-subject requests: privacy@tryrelay.tech (also covered in our Privacy Policy).
General enquiries: hello@tryrelay.tech.