Security

Last updated May 17, 2026. Questions? hello@relayion.com

Infrastructure

Relayion runs on managed infrastructure providers with industry-standard physical, network, and platform security controls. All services operate behind a TLS-terminating reverse proxy. Physical access controls and core infrastructure protections are provided by our infrastructure providers. We supplement these with service-level monitoring and operational controls. We do not operate our own data centres.

Databases are encrypted at rest. Backups are encrypted and stored separately from primary storage within our hosting infrastructure.

Data in Transit

All communication between your application and the Relayion API is encrypted using industry-standard TLS. The same applies to the WebSocket connection between the API and paired Android devices. HTTP connections are redirected to HTTPS.

API Key Security

API keys are hashed before storage. We never store the plaintext key. The full key is shown exactly once at creation and is never retrievable afterward. Only the key prefix (e.g. rlyn_ab12cd34) is retained for identification in the Relayion Console.

Each key can be scoped to a specific device and SIM slot, limiting its blast radius if compromised. Keys can be rotated or revoked at any time from the Relayion Console with immediate effect.

Webhook Signature Verification

Every webhook request includes an X-Relayion-Signature header containing the HMAC-SHA256 of the raw request body, signed with your webhook secret. Always verify this signature before processing the payload.

Verify against the raw body bytes before JSON parsing. Re-serialising parsed JSON may alter whitespace or key order and produce an incorrect hash. See the Webhooks section of the API docs for a verification code example.

Webhook secrets are shown exactly once at creation and never returned again. Store them immediately in an environment variable.
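The verification order described above, as an added example that is not Relayion's own code: the signature is checked against the raw bytes in constant time, and JSON is parsed only afterwards. It assumes the header carries a hex-encoded digest (the page does not state the encoding); the environment variable name and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

# Assumption: the header value is the hex digest. The page does not state the
# encoding, so confirm it in the Webhooks section of the API docs.
SIGNATURE_HEADER = "X-Relayion-Signature"


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw request body, hex-encoded (encoding assumed)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the raw body bytes."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received or not secret:
        return False  # missing header or unset secret: reject, never skip the check
    expected = expected_signature(secret, raw_body)
    # compare_digest runs in constant time, avoiding a timing side channel.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Verify first, parse second. Returns the parsed event, or None if rejected."""
    if not verify_webhook(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    # Hypothetical variable name; constructed sample secret and payload.
    secret = os.environ.get("RELAYION_WEBHOOK_SECRET", "constructed-test-secret").encode()
    raw = b'{"event": "message.delivered",  "id": "msg_1"}'
    headers = {"x-relayion-signature": expected_signature(secret, raw)}
    print("raw body verifies:", verify_webhook(secret, raw, headers))
    # Re-serialising the parsed JSON changes whitespace, so the hash no longer matches.
    reserialised = json.dumps(json.loads(raw)).encode()
    print("re-serialised body verifies:", verify_webhook(secret, reserialised, headers))
```

In a web framework, pass the request's unparsed body bytes to `handle_webhook`, not a body the framework has already decoded and re-encoded.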

Message Storage

Outbound message bodies and recipient numbers are stored in the database to support delivery status tracking and the message history API. Inbound message bodies are stored for retrieval via the inbound API. Message records are retained until you configure an automatic deletion window in account settings, or until your account is closed.

We do not analyse message content for advertising purposes or share it with third parties except as required to deliver the Service.

Logging and Data Handling

API request logs capture metadata only: HTTP method, path, status code, IP address, and response time. Request bodies, response bodies, message content, and recipient phone numbers are not written to application logs or monitoring systems. Logs are retained for 30 days.

Webhook delivery attempts are tracked by event type, target URL, delivery status, and timestamp, for retry and audit purposes. Webhook payloads are not written to application logs.

Android Device Data

When a device is paired with Relayion, the Android app transmits and we store: Android ID, device name, SIM slot index, and SIM phone numbers. All transmissions occur over TLS. This data is used solely for device identification and message routing.

We do not collect or store IMEI, ICCID, battery level, signal strength, or IP address from Android devices.

Account Security

Passwords are hashed using bcrypt. We enforce email verification at registration. Authentication endpoints are rate-limited to prevent brute-force attempts.

If you suspect your account has been compromised, revoke all API keys and webhooks immediately from the Relayion Console, then contact us at hello@relayion.com.

Responsible Disclosure

If you discover a security vulnerability in Relayion, please report it to security@relayion.com with a description of the issue and steps to reproduce it. We will acknowledge receipt within 3 business days and aim to resolve confirmed vulnerabilities promptly.

We do not currently operate a paid bug bounty programme. We ask that you give us reasonable time to address an issue before public disclosure.

Security Roadmap

Relayion is not currently certified under SOC 2 or ISO 27001. Formal security assurance is part of our longer-term roadmap as the service scales. We are committed to maintaining and improving our security practices over time.