Security & Compliance

Our Commitment to Security

At RelayOps, security is not an afterthought—it's a fundamental pillar of our platform. We understand that you're entrusting us with sensitive business data, customer information, and courier credentials. This document outlines the comprehensive security measures we've implemented to protect your data.

We employ industry-standard security practices and continuously update our security posture to defend against emerging threats.

1. Data Encryption

1.1 Encryption at Rest

All data stored in our databases is protected using AES-256 encryption:

• Courier Credentials: API keys, usernames, and passwords for TCS, Leopards, and BlueEx are encrypted using AES-256 before storage
• Store Credentials: Shopify and WooCommerce API access tokens are encrypted at rest
• Sensitive Data: Customer addresses, phone numbers, and payment information are encrypted in our database
• Encryption Keys: Encryption keys are managed separately from encrypted data and rotated regularly

1.2 Encryption in Transit

All data transmitted between your browser and our servers uses:

• TLS 1.3: Latest Transport Layer Security protocol for secure communication
• HTTPS Only: All connections are encrypted; insecure HTTP is never used
• Secure API Calls: All communication with courier APIs and e-commerce platforms uses encrypted channels

2. Database Security (Row-Level Security)

2.1 Row-Level Security (RLS)

We implement Row-Level Security policies in our database to ensure complete data isolation:

• User Isolation: Each user can only access their own data—no user can view or modify another user's records
• Database-Level Enforcement: RLS policies are enforced at the database layer, not just in application code
• Multi-Tenancy: Despite sharing infrastructure, your data is logically isolated from all other users
• Query Filtering: All database queries are automatically filtered to return only your data

2.2 Access Controls

• Principle of Least Privilege: Database connections have minimal permissions necessary
• No Direct Access: Production databases are not accessible directly from the public internet
• Secure Connections: All database connections use SSL/TLS encryption

3. Authentication and Access Control

3.1 User Authentication

• Secure Password Storage: Passwords are hashed using bcrypt with strong salt values
• Session Management: Secure, HTTP-only cookies with short expiration times
• Token-Based Auth: JWT tokens for API authentication with expiration and signature verification
• Account Lockout: Automatic lockout after multiple failed login attempts

3.2 Role-Based Access Control (RBAC)

Team member access is controlled through role-based permissions:

• Owner: Full access to all features, settings, and billing
• Manager: Can manage orders and shipments but cannot access sensitive settings
• Packer: Limited to printing labels and viewing order details

4. Infrastructure Security

4.1 Hosting and Infrastructure

• Supabase (Database): Enterprise-grade PostgreSQL hosting with built-in security features
• Vercel/Cloud Hosting: Distributed infrastructure with DDoS protection
• Geographic Redundancy: Data is replicated across multiple availability zones
• Auto-Scaling: Infrastructure scales to handle traffic spikes and maintain availability

4.2 Network Security

• Firewall Protection: Cloud firewalls restrict access to critical infrastructure
• DDoS Mitigation: Protection against distributed denial-of-service attacks
• Rate Limiting: API rate limiting prevents abuse and brute force attacks
• IP Whitelisting: Restricted access to admin and internal tools

5. Data Backup and Disaster Recovery

5.1 Automated Backups

• Daily Backups: Complete database backups performed daily
• Point-in-Time Recovery: Ability to restore data from any point in the last 30 days
• Encrypted Backups: All backups are encrypted at rest
• Geographic Distribution: Backups are stored in multiple locations

5.2 Disaster Recovery Plan

We maintain a disaster recovery plan to ensure business continuity:

• Recovery Time Objective (RTO): Target restoration within 4 hours
• Recovery Point Objective (RPO): Maximum 24 hours of data loss
• Failover Systems: Redundant systems to maintain availability during outages

6. Security Monitoring and Incident Response

6.1 Continuous Monitoring

• Intrusion Detection: Automated monitoring for suspicious activity
• Login Monitoring: Tracking and alerting on unusual login patterns
• Error Logging: Comprehensive logging of system errors and security events
• Audit Trails: Detailed logs of all critical actions (shipment bookings, data access)

6.2 Incident Response

In the event of a security incident, we follow a structured response process:

• Immediate Containment: Isolate affected systems to prevent spread
• Investigation: Determine the scope and impact of the breach
• User Notification: Notify affected users within 72 hours if personal data is compromised
• Remediation: Implement fixes to prevent recurrence
• Post-Incident Review: Analyze root causes and improve security measures

7. Application Security Best Practices

• Input Validation: All user inputs are validated and sanitized to prevent injection attacks
• SQL Injection Prevention: Parameterized queries and ORM usage to prevent SQL injection
• XSS Protection: Content Security Policy (CSP) and output encoding to prevent cross-site scripting
• CSRF Protection: Anti-CSRF tokens on all state-changing requests
• Dependency Management: Regular updates and vulnerability scanning of third-party libraries
• Secure Coding Practices: Code reviews and security testing before deployment

8. Third-Party Service Security

We carefully vet all third-party services we integrate with:

• Supabase: SOC 2 Type II certified, GDPR compliant, enterprise-grade database hosting
• Courier APIs: We only connect to official courier APIs over secure HTTPS channels
• E-Commerce Platforms: OAuth 2.0 authentication with Shopify/WooCommerce for secure access
• Payment Processors: PCI DSS compliant payment processing (we do not store credit card numbers)

9. Compliance and Certifications

9.1 Data Protection Regulations

We are committed to compliance with applicable data protection regulations:

• GDPR Considerations: While primarily serving Pakistani merchants, we implement GDPR best practices
• Data Minimization: We only collect data necessary to provide our services
• User Rights: Users can access, export, and delete their data
• Privacy by Design: Security and privacy are built into our platform from the ground up

9.2 Industry Standards

• OWASP Top 10: We follow OWASP guidelines to protect against common web vulnerabilities
• Secure Development Lifecycle: Security is integrated into every stage of development

10. Your Security Responsibilities

11. Reporting Security Vulnerabilities

We take security vulnerabilities seriously. If you discover a potential security issue:

We will acknowledge receipt within 48 hours and work to resolve critical issues as quickly as possible. We appreciate responsible disclosure and may recognize security researchers who help improve our platform.

12. Continuous Improvement

Security is an ongoing commitment. We continuously monitor the threat landscape, update our security practices, and invest in new technologies to protect your data. This document will be updated periodically to reflect our evolving security posture.

13. Contact Us

For questions about our security practices: