Security & Trust

Every firm's data lives in a shared database but is rigorously partitioned. We use PostgreSQL Row-Level Security (RLS), enabled and forcedon every table that holds firm data, with policies anchored to the signed-in member's firm. A request can only ever read or write rows belonging to its own firm — cross-firm access is impossible at the database layer, not merely hidden in application code.

Within a firm, access is further narrowed: staff see only the clients they're assigned, and a client login sees only the specific entities it has been granted. These boundaries are verified by an automated test suite that attempts cross-tenant and cross-client access and confirms it is denied.

All traffic is served exclusively over HTTPS/TLS. Data at rest — including the database and stored report files — is encrypted by our infrastructure providers using industry-standard AES-256.

Notifications are secure nudges that link back to the portal — the report itself is never attached to an email. Files are served only after a user signs in, through short-lived, single-use signed links that expire within minutes. Clients can only open the current, published version of reports for entities they've been granted.

Clients sign in with a password or a passwordless email magic link. Sessions are validated on every request. Access is role-based: staff capabilities (prepare, approve, publish, manage) are granted explicitly, and a separate platform layer is isolated from firm data.

Reports are versioned: new versions can be routed through an approval workflow before a client ever sees them, and prior versions are retained. Key actions — publishing, revising, archiving, deliveries, and views — are recorded in a per-firm audit trail.

Relayward runs on Vercel (application) and Supabase (PostgreSQL database, authentication, and file storage), hosted in the United States. Privileged service credentials are used only by server-side code and are never exposed to browsers.

We're continually hardening the platform. Planned enhancements include optional two-factor authentication for staff and formal third-party security assessments. We'll describe new capabilities here as they ship — and we won't claim controls we haven't implemented.

If you believe you've found a security issue, please contact security@relayward.com. We take every report seriously and will respond promptly.