Security
How we secure your data
- Encryption at rest (AES-256), in transit (TLS 1.2+).
- Argon2id (m=64MiB, t=3, p=1) for passwords.
- HIBP k-anonymity check at signup; minimum strength score.
- TOTP (RFC 6238) + WebAuthn passkeys for MFA.
- RBAC, principle of least privilege, audit log on sensitive actions.
- Quarterly third-party penetration test.
- Continuous Snyk + Trivy scanning.
- Vendor security reviews; sub-processor list at relayly.io/sub-processors.
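The HIBP k-anonymity check listed above, sketched as an added example; this is not Relayly's code. It assumes the Pwned Passwords range format (the client sends the first 5 hex characters of the SHA-1, the service returns `SUFFIX:COUNT` rows), and all function names and sample counts are hypothetical and constructed.

```python
import hashlib
from typing import Callable, Optional

def sha1_upper(password: str) -> str:
    # Range data is keyed by the uppercase hex SHA-1 of the UTF-8 password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus; 0 means not found."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]    # only `prefix` leaves this process
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) != 35 or not count.isdigit():
            continue                           # skip malformed rows
        if candidate.upper() == suffix:
            return int(count)                  # padding rows carry count 0
    return 0

def signup_password_ok(password: str,
                       fetch_range: Callable[[str], str]) -> Optional[bool]:
    """True = accept, False = reject as breached, None = lookup failed.

    Returning None forces the caller to choose fail-open or fail-closed.
    """
    try:
        return breach_count(password, fetch_range) == 0
    except OSError:
        return None

def make_fake_range(known: dict) -> Callable[[str], str]:
    """Constructed stand-in for the range endpoint; records each prefix sent."""
    def fetch(prefix: str) -> str:
        fetch.seen.append(prefix)
        rows = [f"{sha1_upper(p)[5:]}:{n}" for p, n in known.items()
                if sha1_upper(p).startswith(prefix)]
        rows += ["0" * 35 + ":0", "garbage-row"]  # padding-style and malformed
        return "\r\n".join(rows)
    fetch.seen = []
    return fetch

def unreachable(prefix: str) -> str:
    # Simulates the range service being down (ConnectionError is an OSError).
    raise ConnectionError("range service unreachable (simulated)")

if __name__ == "__main__":
    fake = make_fake_range({"password": 100, "letmein": 7})  # constructed counts
    print(signup_password_ok("password", fake))
    print(signup_password_ok("correct horse battery staple", fake))
    print(fake.seen, signup_password_ok("x", unreachable))
```

The fake endpoint's `seen` list shows what the lookup discloses: 5-character prefixes only, never the password or its full hash.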
Responsible disclosure
We welcome reports from security researchers. Please email security@relayly.io with technical details. We will acknowledge within 24 hours and aim to fix critical issues within 7 days.
Scope
In-scope: relayly.io, app.relayly.io, api.relayly.io, smtp.relayly.io, t.relayly.io, status.relayly.io.
Out-of-scope: third-party services (Cloudflare, Stripe), social-engineering attacks against staff, denial-of-service, automated scanner output without proof of impact.
Hall of fame
Researchers who reported valid issues will be listed here.
PGP key
Encrypted submissions: PGP key (coming soon).