Security
The short version
relly records meetings and handles team knowledge. We treat that data as the crown jewels: encrypted in transit and at rest, access-controlled, and never used to train public models. Found a vulnerability? Tell us and we'll credit you.
Encryption
- All data in transit is encrypted with TLS 1.3.
- All data at rest (recordings, transcripts, artifacts, backups) is encrypted with AES-256.
- Encryption keys are managed via a dedicated KMS, rotated regularly.
- Customers on the Command plan can bring their own keys (BYOK), keeping rotation and revocation of the key under their own control.
Access control
- relly staff do not access customer content in the normal course of operations; any exceptional access goes through the production-access logging and review described below.
- Employees follow least-privilege principles, with all production access logged and reviewed.
- Single sign-on (SAML) and user provisioning (SCIM) are available on the Command plan.
- Session tokens are short-lived and are refreshed on a short interval.
Infrastructure
- Hosted on a major cloud provider that holds SOC 2 and ISO 27001 attestations, with data residency available in GDPR-compliant regions. These are the provider's certifications for the underlying infrastructure; relly's own audit status is described under Compliance below.
- Separate production, staging, and development environments. No customer data flows into non-production.
- Private networking for internal services; public endpoints only where necessary.
- Automated backups with 30-day retention; restores are tested quarterly.
Application security
- All code is peer-reviewed before merge.
- Dependencies are scanned daily for known vulnerabilities.
- Static analysis runs on every pull request.
- Third-party penetration testing is conducted annually. Findings from the pre-launch test were remediated before public launch, and findings from each subsequent test are remediated in the same way.
Meeting consent
relly announces itself when it joins a meeting and appears as a visible participant to everyone present. The host is responsible for ensuring that participants understand and consent to the recording as required by local law. An optional in-app consent step is available for regulated environments.
Privacy and training
Your content is used only to provide the service to you. We do not use customer content to train public models, and we do not share it with third parties for training. See the Privacy Policy for details.
Compliance
relly is working toward SOC 2 Type II and ISO 27001 certification and toward HIPAA-ready configurations. None of these audits is complete yet; we will publish certification status as each is completed. For due diligence questionnaires, contact us.
Incident response
If an incident affects customer data, we will:
- Contain the issue and assess its scope within 24 hours of becoming aware of it.
- Notify affected customers within 72 hours of confirming the incident.
- Publish a post-incident report within 30 days, including root cause and remediation.
Responsible disclosure
If you find a vulnerability, please report it to hykim@permissionlabs.com with:
- A clear description of the issue.
- Steps to reproduce.
- Your name and preferred credit (public / private).
We will acknowledge reports within 48 hours, investigate promptly, and credit researchers in our security hall of fame according to their stated preference. Test only against accounts you own, and do not access or retain other customers' data.
Contact
Security questions, audit requests, or disclosures: hykim@permissionlabs.com