Conversations are
private by default,
shareable on purpose.
Reline’s permission model, encryption, and audit log are designed around a single rule: nobody sees what you record unless you grant access — and every grant is logged.
Six pillars, one promise.
Encryption in transit & at rest
TLS 1.2+ on every request. AES at rest in the database. Audio archive blobs are stored in Cloudflare R2, also encrypted at rest.
SSO via WorkOS
Auth ships Google and Microsoft OAuth out of the box, and SSO (Google + Microsoft) is available on request for Enterprise organizations.
Five-level permission model
Workspace · teamspace · folder · note. Each level has owner / admin / member roles, and every note can also carry per-user, per-teamspace, or per-workspace overrides.
Append-only audit log
Per-note activity (share, edit, restore, access grant) is logged on every plan in `noteActivity`. On Enterprise, a workspace-scoped audit log adds membership, settings, teamspace, and policy-decision events. Both logs are append-only.
No silent training
Your audio and transcripts are never used to train third-party models. AI providers receive prompts via the AI SDK gateway and return completions — no upstream retention beyond their own policies.
Multi-region backend
The database is served and storage with regional locality. Region-aware deployments are available for enterprise on request.
What’s live, what’s in progress, what’s next.
A live posture matrix. We update it the moment status changes — no embellishment.
| Control | Status |
|---|---|
| Encryption in transit (TLS 1.2+) | |
| Encryption at rest | |
| SSO via WorkOS — Google · Microsoft | |
| SAML SSO (generic / Okta) — on the roadmap | |
| Audit log: per-note (all plans) + workspace-scoped (Enterprise) | |
| Per-note access requests with expiry | |
| Outbound webhook signing | |
| SOC 2 Type II — on the roadmap | |
| GDPR data subject access (DSAR) | |
| SCIM provisioning — on the roadmap | |
| HIPAA BAA — not currently available |
We don’t claim certifications we don’t have. The matrix above is the source of truth — if a row flips to “Live”, we publish a changelog entry and update this page the same day.
Report a vulnerability
Coordinated disclosure. Email security@reline.so with a description and a way to reach you. Bounties for high- and critical-severity reports.
Workspace controls
As an admin, configure SSO, manage member roles, audit access events, and rotate workspace tokens — all without a CSM.
Need a SOC report or signed DPA before procurement?
We share preliminary reports under NDA today.