Trust
Security
A clear summary of how Relay protects published pages and account access today.
Infrastructure
Relay is hosted on Vercel. Authentication, Postgres, and file storage run on Supabase. Relay's Supabase project is currently in AWS sa-east-1, the Sao Paulo region.
Relay connects to managed providers over encrypted HTTPS/TLS. Vercel documents AES-256 encryption at rest for platform data, and Supabase documents encryption at rest by default for projects.
Authentication
Relay uses Google OAuth through Supabase Auth. Users sign in with a Google account instead of creating a separate Relay password.
API access for the Relay MCP server uses per-user API keys. Keys are validated server-side and are not accepted as proof of identity in browser code.
Published Pages
Every published page has a stable URL and an access mode: public, password-protected, or invite-only. Public pages are link-only: anyone with the URL can open them, but Relay sends noindex signals so search engines should not include them in search results.
Password-protected and invite-only pages use the same noindex behavior plus their access gate. Noindex is not a permission system; the access mode is what controls whether a viewer can open the content.
Content Handling
Relay stores published HTML in Supabase Storage, not directly in Postgres columns. HTML is sanitized before storage and again before rendering. Full HTML documents render inside a sandboxed iframe so generated scripts can run without taking over the Relay application shell.
Relay also sends security headers including HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. The published-page policy is tuned for generated HTML compatibility while still isolating the Relay app frame.
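An added example, not Relay's own code: a small audit a reviewer could run over a fetched response, reporting which of the six headers named above are missing and classifying each iframe's sandbox attribute. The sample headers and markup are constructed, and the sandbox tokens Relay actually uses are not stated on this page.

```python
from html.parser import HTMLParser

# The six response headers named in the paragraph above.
EXPECTED_HEADERS = (
    "Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
    "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy",
)

class IframeCollector(HTMLParser):
    """Records the sandbox attribute of each <iframe>; None means absent."""
    def __init__(self):
        super().__init__()
        self.sandboxes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            attrs = dict(attrs)
            # A bare `sandbox` attribute parses as None; it grants no allowances.
            self.sandboxes.append((attrs["sandbox"] or "") if "sandbox" in attrs else None)

def audit_iframes(html):
    """Classify each iframe as 'unsandboxed', 'escapable' or 'isolated'."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    # allow-scripts together with allow-same-origin lets a framed document served
    # from the embedding app's own origin script the parent and drop its sandbox.
    for value in collector.sandboxes:
        if value is None:
            findings.append("unsandboxed")
        elif {"allow-scripts", "allow-same-origin"} <= set(value.lower().split()):
            findings.append("escapable")
        else:
            findings.append("isolated")
    return findings

def missing_headers(headers):
    """Return expected headers absent from a response (names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]

# Constructed sample inputs, not captured from Relay.
SAMPLE_HEADERS = {"strict-transport-security": "max-age=63072000",
                  "content-security-policy": "default-src 'self'",
                  "x-content-type-options": "nosniff",
                  "referrer-policy": "no-referrer"}
SAMPLE_SHELL = ('<iframe sandbox="allow-scripts" src="/a"></iframe>'
                '<iframe sandbox="allow-scripts allow-same-origin" src="/b"></iframe>'
                '<iframe src="/c"></iframe>')
```

An "escapable" finding only matters when the framed document shares the embedding page's origin; content served from a separate origin keeps that other origin even with both tokens set.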
Data Deletion
Users can delete published pages from the dashboard. For account-level deletion or export requests, contact support or the security address below. Relay aims to delete or anonymize requested account data within 30 days unless limited retention is required for legal, abuse, or payment-record reasons.
Security Contact
Report suspected vulnerabilities or security concerns to security@viarelay.app.
Relay also publishes a security.txt file for automated security contact discovery.
Current Limits
Relay has not completed SOC 2, ISO 27001, SAML SSO, SCIM, or a formal third-party penetration test. Those are intentionally deferred until a customer requires them.