Security

Last updated: March 15, 2026

At Relvara, security is foundational to everything we build. We handle sensitive real estate transaction data, personal information, and financial records — and we take that responsibility seriously.

1. Infrastructure Security

Relvara is built on Supabase and deployed via Vercel, two industry-leading platforms with robust security practices.

  • Encryption in transit: All data is encrypted using TLS 1.2+ between your browser and our servers. No exceptions.
  • Encryption at rest: Database storage is encrypted using AES-256. Backups are encrypted with the same standard.
  • Network isolation: Our database is hosted in a private network with no direct public access. All communication occurs through authenticated API gateways.
  • Edge deployment: The application is served from Vercel's global edge network with automatic DDoS protection and rate limiting.

2. Application Security

Our application is designed with security-first principles at every layer.

  • Row-Level Security (RLS): Every database table enforces row-level security policies. Users can only access data they are authorized to see — enforced at the database level, not just the application level.
  • Authentication: We use Supabase Auth with support for email/password, magic links, and OAuth 2.0 providers. Passwords are hashed using bcrypt with appropriate cost factors.
  • Session management: Sessions are managed via secure, HTTP-only cookies with short expiration windows and automatic refresh token rotation.
  • Input validation: All user input is validated and sanitized on both client and server to prevent common web attacks (SQL injection, XSS, CSRF).
  • API security: All API endpoints require authentication. Edge functions validate JWTs on every request.

3. Data Protection

Your data is yours. We implement strict controls to ensure it stays that way.

  • Data isolation: Each brokerage's data is logically isolated. Cross-tenant access is prevented at the database policy level.
  • Role-based access control: Administrators, agents, and team leads each have different permission levels. Access is granted on a least-privilege basis.
  • Audit logging: Critical actions (data exports, permission changes, login attempts) are logged for accountability and compliance.
  • Data portability: You can export your data at any time. We do not lock you in.
  • Data deletion: Upon account termination, all personal data is deleted within 30 days in accordance with our Privacy Policy.

4. AI & Third-Party Security

Relvara uses AI to power features like lead scoring, content generation, and the AI receptionist. Here is how we keep that secure:

  • No training on your data: Your data is never used to train AI models. Conversations and data sent to AI providers are not retained beyond the immediate request.
  • Minimal data exposure: AI features send only the minimum data required for the specific task. Full database contents are never sent to external providers.
  • Vetted providers: We use Anthropic (Claude) as our AI provider, chosen for their industry-leading safety practices and data handling policies.

5. Compliance

  • SOC 2: Our infrastructure providers (Supabase, Vercel) are SOC 2 Type II certified. We are working toward our own SOC 2 certification.
  • GDPR readiness: We support data subject access requests, data portability, and the right to deletion.
  • Real estate regulations: Relvara is designed to help brokerages maintain compliance with state and federal real estate regulations, including record retention requirements.

6. Responsible Disclosure

We value the work of security researchers. If you discover a vulnerability in Relvara, please report it to us responsibly.

Contact us at security@relvara.com. We aim to acknowledge reports within 48 hours and will work with you to understand and resolve the issue promptly.

7. Questions

If you have questions about our security practices, please contact us at sales@relvara.com.