01
Encryption everywhere
TLS 1.2+ in transit and AES-256 at rest. DKIM signing keys and secrets are encrypted and never exposed.
02
Scoped access & least privilege
API keys are scoped to specific permissions, hashed at rest, instantly revocable, and rate-limited per key. MFA (TOTP) protects accounts.
03
Resilient infrastructure
Monitored infrastructure with automated backups and isolated, per-tenant data separation.
04
Compliance & privacy
GDPR, CCPA, and CAN-SPAM ready, with a Data Processing Addendum (DPA), suppression handling, and one-click unsubscribe built in.
05
Signed webhooks
Outbound events are HMAC-SHA256 signed and timestamped so you can verify authenticity and prevent replay.
06
Responsible disclosure
Found a vulnerability? Email security@relayly.io. We investigate promptly and credit responsible researchers.