Security
Your data. Your infrastructure. No exceptions.
RelayData is built from the ground up for regulated industries. Every component runs entirely within your environment — no data ever leaves your infrastructure, no exceptions.
Data Sovereignty
Self-hosted. Your data, your infrastructure.
RelayData is a genuinely self-hosted product. The entire application — AI intelligence layer, database, and orchestration engine — runs within your environment. No component phones home.
No SaaS component.
Unlike Fivetran, Weld, or Airbyte Cloud, RelayData does not send your data to third-party cloud platforms for processing or storage. Everything runs in your environment.
No telemetry or phone-home.
RelayData does not transmit usage metrics, error logs, or pipeline data to RelayData servers. Version update checks can be disabled if required.
Designed for regulated industries.
The architecture is compliant by design with GDPR, HIPAA, SOX, and data residency requirements — not through bolt-on configuration, but through how the product is built.
GDPR and Data Residency
Because all data processing happens in your own infrastructure, RelayData is GDPR-compatible by design. You retain full control over data location, retention, and processing.
Encryption
Encrypted at every layer.
From credentials at rest to data in transit, RelayData applies encryption consistently across all storage and communication paths.
At Rest — AES-256-GCM
All stored credentials — database passwords, API keys, tokens, and connection secrets — are encrypted at rest using AES-256-GCM (Galois/Counter Mode). This is NIST-approved and suitable for protecting sensitive data. Key rotation is supported.
In Transit — TLS 1.2+
All communication between clients and RelayData, and between RelayData and external systems, uses TLS 1.2 or higher. HTTP is disabled in production deployments.
Sessions — Signed Cookies
Session authentication uses iron-session, which creates cryptographically signed (HMAC) and encrypted session cookies. Cookies are marked httpOnly and Secure. Session secrets are server-side only and never transmitted to clients.
Database SSL
When connecting to external databases, RelayData supports full certificate validation against a trusted CA, hostname verification, and custom CA certificates for organizations using internal PKI.
Authentication & Access Control
Role-based access for every team.
Multi-User RBAC
| Role | Permissions |
|---|---|
| Admin | Full access — create, modify, and delete pipelines; manage users; configure settings and integrations |
| Editor | Create and edit pipelines; trigger runs; view audit logs. Cannot manage users or system settings |
| Viewer | Read-only access — view pipelines, runs, and logs. Cannot make changes |
API Keys with Scoped Permissions
Programmatic access via API keys with fine-grained scopes and optional expiry dates. Create separate keys per application to limit blast radius if a key is compromised.
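The role table and the scoped-key paragraph above describe one authorization model; the block below is an added example (not RelayData's code) that shows how the two fit together: a permission set per role, an API key that may only carry scopes its creator's role already holds, an expiry check at use time, and an `authorize` decision that re-evaluates the owner's role on every call. The permission names and the key record shape are constructed for this illustration.

```javascript
'use strict';

// Permission sets transcribed from the role table. The permission identifiers
// themselves are constructed for this example.
const ROLE_PERMISSIONS = {
  viewer: ['pipeline:read', 'run:read', 'log:read'],
  editor: ['pipeline:read', 'run:read', 'log:read',
           'pipeline:create', 'pipeline:update', 'run:trigger', 'audit:read'],
  admin:  ['pipeline:read', 'run:read', 'log:read',
           'pipeline:create', 'pipeline:update', 'run:trigger', 'audit:read',
           'pipeline:delete', 'user:manage', 'settings:manage', 'integration:manage'],
};

function rolePermissions(role) {
  const perms = ROLE_PERMISSIONS[role];
  if (!perms) throw new Error(`unknown role ${role}`);
  return new Set(perms);
}

// Hypothetical API key record: explicit scope list plus optional expiry (ms since epoch).
function createApiKey({ id, ownerRole, scopes, expiresAt = null }) {
  const allowed = rolePermissions(ownerRole);
  const excess = scopes.filter((s) => !allowed.has(s));
  // A key can never be granted more than its creator's role allows.
  if (excess.length) throw new Error(`scope(s) exceed owner's role: ${excess.join(', ')}`);
  return { kind: 'apiKey', id, ownerRole, scopes: new Set(scopes), expiresAt };
}

// Single authorization decision for either an interactive user or an API key.
function authorize(principal, permission, now = Date.now()) {
  if (principal.kind === 'user') {
    return rolePermissions(principal.role).has(permission);
  }
  if (principal.kind === 'apiKey') {
    if (principal.expiresAt !== null && principal.expiresAt <= now) return false; // expired keys deny everything
    // Effective permission = key scope AND the owner's current role. Re-checking the
    // role at use time means demoting a user immediately shrinks every key they created.
    return principal.scopes.has(permission) && rolePermissions(principal.ownerRole).has(permission);
  }
  return false;
}
```

Keeping one `authorize` function as the only path to a yes/no answer is what makes the "separate key per application" advice effective: revoking or narrowing one key cannot disturb another, and a compromised key is bounded by both its scope list and its owner's role.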
OIDC SSO with JIT Provisioning
Integrate with Okta, Azure AD, Ping Identity, or any OpenID Connect provider. Just-in-time provisioning automatically creates user accounts on first login.
1. Configure OIDC in Settings > Authentication.
2. Users authenticate via your identity provider (Okta, Azure AD, Ping Identity, etc.).
3. Accounts are automatically provisioned on first login with the appropriate role.
4. Session tokens are validated on every request.
Self-Service Password Reset
Users reset their own passwords via email. Reset tokens are designed to prevent account takeover even if email is intercepted.
- Cryptographically secure (128-bit random) tokens
- Single-use only — invalidated after successful reset
- Valid for 1 hour from issuance
- Users self-serve via email — no admin intervention needed
Rate Limiting
Protection against abuse at every endpoint.
All API endpoints are rate-limited to prevent abuse, brute-force attacks, and denial-of-service. The default limit is 10 requests per 15-minute window per API key. High-risk endpoints apply stricter controls.
- Login endpoint: limits password guessing and brute-force attacks
- Password reset: prevents email flooding and account takeover attempts
- API key creation: prevents key farming and unauthorized access escalation
- AI endpoints: rate-limited by AI model limits and cost protection policies
Security Headers
Standard HTTP security headers, out of the box.
RelayData sends HTTP security headers on every response to prevent common web-layer attacks — no configuration required.
| Header | Purpose |
|---|---|
| Content-Security-Policy | Prevents XSS and injection attacks |
| X-Frame-Options | Prevents clickjacking attacks |
| X-Content-Type-Options | Prevents MIME type sniffing |
Audit Logging
Every administrative action, permanently recorded.
All administrative actions are logged with full user attribution. The audit log is searchable, filterable, and exportable for compliance reporting.
Actions tracked
- User management — invite, deactivate, role changes
- Connection CRUD — create, test, update, delete
- Pipeline CRUD and trigger actions
- API key generation and deletion
- Settings changes — authentication, security, rate limiting
Every entry includes
- Timestamp (ISO 8601, UTC)
- User who performed the action (email and user ID)
- Action type — created, updated, deleted, etc.
- Entity type and ID
- Change details — what was modified
Searchable and exportable
Filter the audit log by:
- Date range
- User
- Action type
- Entity type
Export to CSV or JSON for external compliance systems or long-term archival.
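An added example (not RelayData's code) working over constructed audit entries in the shape the page describes: a filter supporting the four criteria listed (date range, user, action type, entity type) and CSV/JSON exporters, with the CSV quoting done properly so that a change detail containing commas or quotes cannot break a row in an external compliance system. The field names and the sample entries are assumptions.

```javascript
'use strict';

// Constructed sample entries carrying every field the page says an entry includes.
const SAMPLE_AUDIT_LOG = [
  { timestamp: '2024-05-01T09:15:00Z', userEmail: 'alice@example.com', userId: 'u-1',
    action: 'created', entityType: 'pipeline', entityId: 'p-10', changes: { name: 'orders-sync' } },
  { timestamp: '2024-05-01T10:02:00Z', userEmail: 'bob@example.com', userId: 'u-2',
    action: 'updated', entityType: 'connection', entityId: 'c-3', changes: { host: 'db-old, db-new' } }, // comma: exercises CSV quoting
  { timestamp: '2024-05-02T08:00:00Z', userEmail: 'alice@example.com', userId: 'u-1',
    action: 'deleted', entityType: 'apiKey', entityId: 'k-7', changes: {} },
  { timestamp: '2024-05-03T12:30:00Z', userEmail: 'carol@example.com', userId: 'u-3',
    action: 'updated', entityType: 'settings', entityId: 'auth', changes: { oidcIssuer: 'https://idp.example.com' } },
];

// Filter by the four criteria the page lists. Because every timestamp is an ISO 8601 UTC
// string of the same shape, string comparison orders them correctly.
function filterAuditLog(entries, { from, to, user, action, entityType } = {}) {
  return entries.filter((e) => {
    if (from && e.timestamp < from) return false;
    if (to && e.timestamp > to) return false;
    if (user && e.userEmail !== user && e.userId !== user) return false;
    if (action && e.action !== action) return false;
    if (entityType && e.entityType !== entityType) return false;
    return true;
  });
}

// RFC 4180 quoting: wrap in quotes when the value holds a quote, comma or line break,
// doubling embedded quotes. Without this a crafted change detail can inject extra columns.
function csvEscape(value) {
  const s = value === undefined || value === null ? '' : String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

const CSV_COLUMNS = ['timestamp', 'userEmail', 'userId', 'action', 'entityType', 'entityId', 'changes'];

function toCsv(entries) {
  const rows = entries.map((e) =>
    CSV_COLUMNS.map((c) => csvEscape(c === 'changes' ? JSON.stringify(e.changes) : e[c])).join(','));
  return [CSV_COLUMNS.join(','), ...rows].join('\r\n') + '\r\n';
}

function toJson(entries) {
  return JSON.stringify(entries, null, 2);
}
```

For long-term archival the JSON form preserves the nested change details exactly; CSV flattens them to a string, which is fine for review in a spreadsheet but should not be the only copy.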
PII Detection & Masking
Built-in PII detection that runs with every pipeline.
RelayData scans data during pipeline runs and flags sensitive fields automatically. Configure handling per pipeline — no third-party DLP tool required.
Detected automatically
- Social Security Numbers (SSN)
- Email addresses
- Phone numbers
- Credit card numbers
- Passport and driver's license numbers
Handling options per pipeline
- Highlighted in data quality reports for review — no automatic action taken
- Automatically obscured in destination systems (e.g., email becomes u***@example.com)
- Not written to the destination at all — the field is dropped before the write
Infrastructure Security
Kubernetes hardening, included in the Helm chart.
The RelayData Helm chart ships with security best practices enabled by default. No post-install hardening needed.
- Non-root user: containers run as UID 1001 by default — no root privileges.
- Read-only root filesystem: the container filesystem is read-only except for /tmp and /var/log.
- Dropped capabilities: all Linux capabilities are dropped to prevent privilege escalation.
- Seccomp profile: the RuntimeDefault seccomp profile enforces system call filtering.
Network Policies
NetworkPolicy resources restrict all traffic to and from RelayData pods. Ingress is allowed only on port 3000 from specified sources. Egress is allowed only to necessary services — database, Redis, and external APIs.
Pod Disruption Budget
A PodDisruptionBudget ensures at least one replica is always running, protecting against voluntary disruptions such as node drains and cluster upgrades.
Analytics Database Isolation
Container-level database isolation.
The analytics database runs in a completely separate Postgres container from the application database. This provides container-level isolation — significantly stronger than schema-level separation within a single instance.
Resource isolation.
A heavy BI query cannot consume CPU, memory, or I/O bandwidth needed by the pipeline engine. Each container has its own Postgres process, connection pool, and resource limits.
Credential isolation.
The read-only analytics user exists only on the analytics container. Pipeline configurations, encrypted credentials, and user accounts are stored in a completely separate database process.
Connection limits.
The analytics read-only role is limited to 10 concurrent connections with a 30-second statement timeout and 32 MB work_mem, preventing resource abuse from BI tools.
Failure isolation.
If the analytics database container crashes or is restarted, pipeline operations continue unaffected on the application database container, and vice versa.
Compliance
Designed to meet the requirements of regulated industries.
Compliance is built into the architecture — not bolted on. For certifications such as SOC 2 and ISO 27001, contact your sales representative.
- By-design compliance through self-hosting and data residency control. No data leaves your infrastructure.
- Suitable for healthcare organizations. BAA available for enterprise deployments.
- Audit logging and access controls support SOX compliance requirements for financial data governance.
- Deploy in your country or region. Data never leaves your infrastructure regardless of where RelayData servers are located.
Responsible Disclosure
Found a vulnerability? Report it responsibly.
We treat all security reports seriously and will acknowledge receipt within 24 hours. Please do not post vulnerabilities publicly until a patch has been released.
Ready to deploy with confidence?
Start with the free Community tier. Self-hosted on your infrastructure from day one. No credit card, no registration, no license key required.