Security
Conversations are private by default, shareable on purpose.
Reline's permission model, encryption, and audit log are designed around a single rule: nobody sees what you record unless you grant access — and every grant is logged.
Pillars
Six pillars, one promise.
Encryption in transit & at rest
TLS 1.2+ on every request. AES at rest in the Convex database. Audio archive blobs are stored in Convex storage with the same posture.
SSO with Google & Microsoft
Convex Auth provides Google OAuth and Microsoft Entra ID out of the box. Okta and generic SAML are on the enterprise roadmap.
Five-level permission model
Workspace · teamspace · folder · note. Each level has owner / admin / editor / viewer roles, and every note can also carry per-user, per-teamspace, or per-workspace overrides.
Append-only audit log
Every share, edit, restore, and access grant writes a row in noteActivity. The log is append-only — past events cannot be edited or removed.
No silent training
Your audio and transcripts are never used to train third-party models. AI providers receive prompts via the AI SDK gateway and return completions — no upstream retention beyond their own policies.
Multi-region backend
Convex serves the database and storage with regional locality. Region-aware deployments are available for enterprise on request.
Posture
What's live, what's in progress, what's next.
A live posture matrix. We update it the moment status changes — no embellishment.
| Control | Status |
|---|---|
| Encryption in transit (TLS 1.2+) | Live |
| Encryption at rest (Convex) | Live |
| SSO — Google · Microsoft Entra ID | Live |
| Audit log (append-only) | Live |
| Per-note access requests with expiry | Live |
| SAML SSO (generic / Okta) | Planned |
| Outbound webhook signing | Planned |
| SOC 2 Type II | Planned |
| GDPR data subject access (DSAR) | Planned |
| SCIM provisioning | Planned |
| HIPAA BAA | Planned |
We don't claim certifications we don't have. The matrix above is the source of truth — if a row flips to "Live", we publish a changelog entry and update this page the same day.
Report a vulnerability
Coordinated disclosure. Email security@reline.so with a description and a way to reach you. Bounties for high- and critical-severity reports.
Documentation
Privacy policy, sub-processors list, data processing addendum, and our incident response playbook.
Workspace controls
As an admin, configure SSO, manage member roles, audit access events, and rotate workspace tokens — all without a CSM.
Need a signed DPA or to discuss security before procurement?
SOC 2 is on the roadmap — happy to walk you through current controls under NDA.