Security
Last Updated · June 10, 2026
Relvara, a product of Zensen Media LTD, holds your clients’ data — contacts, transactions, financial records. This page says exactly how we protect it.
Infrastructure Security
Relvara runs on enterprise-grade cloud infrastructure. The specifics:
- Encryption in transit: All data is encrypted using TLS 1.2+ between your browser and our servers. No exceptions.
- Encryption at rest: Database storage is encrypted using AES-256. Backups are encrypted with the same standard.
- Network isolation: Our database is hosted in a private network with no direct public access. All communication occurs through authenticated API gateways.
- Edge deployment: The application is served from a globally distributed edge network with automatic DDoS protection and rate limiting.
Application Security
What the application itself enforces:
- Row-Level Security (RLS): Every database table enforces row-level security policies. Users can only access data they are authorized to see — enforced at the database level, not just the application level.
- Authentication: We use industry-standard authentication with support for email/password, magic links, and OAuth 2.0 providers. Passwords are hashed using bcrypt with appropriate cost factors.
- Session management: Sessions are managed via secure, HTTP-only cookies with short expiration windows and automatic refresh token rotation.
- Input validation: All user input is validated and sanitized on both client and server to prevent injection attacks (SQL, XSS), with CSRF protection on all state-changing requests.
- API security: All API endpoints require authentication. Edge functions validate JWT tokens on every request.
Data Protection
Your data is yours. We implement strict controls to ensure it stays that way.
- Data isolation: Every account’s data is isolated at the organization level — cross-tenant access is blocked by database policy. On Team plans, seats within one team share their team’s book by design; no one outside the team can reach it.
- Role-based access control: Administrators, agents, and team leads each have different permission levels. Access is granted on a least-privilege basis.
- Audit logging: Critical actions (data exports, permission changes, login attempts) are logged for accountability and compliance.
- Data portability: You can export your data at any time. We do not lock you in.
- Data deletion: Upon account termination, all personal data is deleted within 30 days in accordance with our Privacy Policy.
AI & Third-Party Security
Relvara uses AI to power features like lead scoring, content generation, and AI Reception. Here is how we keep that secure:
- No training on your data: Your data is never used to train AI models. Information sent to our AI provider is processed for inference only to generate your result, and is retained by them only briefly for security and abuse prevention, never for model training, under their commercial data-processing terms.
- Minimal data exposure: AI features send only the minimum data required for the specific task. Full database contents are never sent to external providers.
- Vetted providers: We use Anthropic (Claude) as our AI provider, chosen for their industry-leading safety practices and data handling policies.
Compliance
- SOC 2: Our infrastructure providers are SOC 2 Type II certified. We are working toward our own SOC 2 certification.
- GDPR readiness: We support data subject access requests, data portability, and the right to deletion.
- Real estate regulations: Relvara is designed to help brokerages maintain compliance with state and federal real estate regulations, including record retention requirements.
Responsible Disclosure
We value the work of security researchers. If you discover a vulnerability in Relvara, please report it to us responsibly.
Contact us at security@relvara.ai. We aim to acknowledge reports within 48 hours and will work with you to understand and resolve the issue promptly.
Questions
If you have questions about our security practices, write to security@relvara.ai.