Security

Small data surface, by design.

Relayer serves decisions, not bytes. Your binaries never pass through us, and your end users are never identified to us. This page describes exactly what we hold, how it is protected, and how to reach us about security.

What we hold, and what we never hold

We hold. release metadata (versions, channels, markdown notes, artifact URLs and checksums), rollout configuration, anonymous device check-in rows, your organization's accounts and roles, and an append-only audit log of actions taken in your organization.

We never hold your binaries. artifacts stay on your storage (GitHub releases, S3, R2). Relayer stores their URLs and passes through the checksums and signatures you publish; devices download directly from you.

We never hold end-user PII. devices identify with anonymous UUIDs generated and persisted by your app. Device labels are opaque key/value strings that you control; Relayer stores and echoes them without interpreting them. Keep PII out of labels and no personal data about your users ever reaches us.

Product security controls

Role-based access. every resource is scoped to an organization; members hold owner, admin or member roles with server-side permission checks on every mutation.

Append-only audit log. who published, promoted, paused or rolled back, with actor, timestamp, IP and user agent. Audit rows are never updated or deleted by application code and survive the deletion of what they describe.

API keys are hashed. keys are shown once at mint time and stored as SHA-256 hashes. Keys can be revoked instantly and every use is attributable in the audit log.

Releases are immutable. a published version is never edited in place. Fixing a bad release means rolling back (permanent, audited) and publishing a new version, so what a device received is always reconstructable.

Webhooks are verified. inbound GitHub deliveries are HMAC-SHA-256 verified with timing-safe comparison; replayed deliveries are answered as duplicates, never double-ingested.

Rate limiting. management API and device endpoints are rate limited per key and per device.

Infrastructure

Hosting. the application runs on Vercel; data lives in a Supabase-managed Postgres instance co-located with the application region.

Encryption. TLS for all traffic in transit; storage encryption at rest is provided by the managed database platform.

Database posture. row-level security is enabled on every table and all access goes through the application's server-side connection; no table is reachable through client-side or auto-generated APIs.

Subprocessors. Vercel (hosting), Supabase (database), Resend (transactional email). We will update this list before adding any subprocessor that touches customer data.

Your compliance, our evidence

If your organization is audited (SOC 2, ISO 27001 or similar), your release process is part of your change-management story. Relayer's audit log and immutable releases give you evidence hand-rolled update feeds cannot: who shipped what, to which channel, at what rollout percentage, and when it was withdrawn.

Relayer itself does not currently hold SOC 2 or ISO 27001 certification. We would rather tell you that plainly than imply otherwise; if certification status matters for your procurement, contact us and we will walk you through our controls directly.

Data lifecycle

Deletion. deleting an app removes its releases, channels and device rows; deleting your organization removes everything it owns. For full account erasure requests, email us and we will confirm completion.

Retention. audit logs are retained for the life of your organization as tamper-evident history.

Reporting a vulnerability

Found something? Email support@relayercli.com with steps to reproduce. We read every report, respond as fast as we can, and will credit you if you want credit. Please avoid accessing data that is not yours; test against your own organization.

Questions a security review needs answered that this page does not cover? Email support@relayercli.com and we will answer them directly.