
We carry the traffic. You ship.

Security · Reliability · Privacy · Compliance

Trust Center

Proof you can verify — and an honest map of what's next.

Our controls are built and operated in line with the SOC 2 Trust Services Criteria. We show what we already do, and what we're pursuing — never more than we can prove.

SOC 2 — Common Criteria

Security

Strong account security

Two-factor authentication is mandatory on every account. Passwords use a modern hashing scheme, sessions expire on idle, and trusted devices are limited.

Keys protected by default

Project keys are hashed at rest and shown once. They rotate automatically with an overlap window, and stored outbound secrets are always returned masked — never in plaintext.

Least-privilege access

Owner, editor and viewer roles are enforced on every action. Access to another tenant’s data is denied by construction, not by convention.

Encrypted secrets

Sensitive configuration values are sealed with authenticated encryption under a versioned, rotatable key.

Secure development

Automated secret-detection runs in our build pipeline, and a published vulnerability-disclosure policy gives researchers a clear, safe channel.

SOC 2 — Availability & Processing Integrity

Reliability

Tested recovery

Daily encrypted backups, a restore that is exercised end-to-end against a defined recovery objective, and a loud alert if a backup is ever missed.

Built to stay up

Redundant EU infrastructure with automatic failover and autoscaling. Releases roll out surge-first, with no downtime window.

Independent status page

A continuously probed public status page, hosted separately from the service it watches, so an outage can’t take its own monitor down.

Delivered, or retried

Automatic retries, a dead-letter queue, and idempotency support so a transient failure is retried — never silently dropped.

Full audit trail

Every configuration, key and billing change is recorded with who made it, when, and from where.

SOC 2 — Confidentiality & Privacy

Privacy

EU data residency

All customer data is stored and processed entirely within the EU.

Encrypted everywhere

Encryption in transit on every connection, and at rest across data stores and backups.

Your data, your rights

GDPR data export (including the audit log) and erasure on request, a signed DPA, a maintained subprocessor list, and defined retention windows.

You control exposure

Configurable field masking keeps sensitive values out of API reads and logs.

Standards & certifications

Where each standard stands

The honest status of each standard today — self-assessed and automated checks are labelled as such, never as an independent audit.

Aligned

SOC 2

Controls operated in line with the SOC 2 Trust Services Criteria. An independent audit is planned — until it completes, we don’t claim certification.

In progress

CSA STAR Level 1

A self-assessment against the Cloud Controls Matrix, to be published in the public STAR registry.

In place

PCI

Card payments are handled entirely by our PCI-DSS-compliant payment provider. EchoRelay never sees or stores card numbers.

Roadmap

Where we're headed

Our direction, not a dated commitment — we ship in priority order and keep this page current.

  1. Shipped

    In place
    • Encryption at rest and in transit
    • Mandatory two-factor authentication on every account
    • Role-based access control
    • Audit logging of every configuration, key and billing change
    • Daily encrypted backups with a tested restore
    • EU-only data residency
    • Published vulnerability-disclosure policy
    • DPA, Privacy Policy and Terms of Service
    • Independently hosted public status page
  2. Now

    Building
    • Trust Center launch
    • Published TLS and security-header grades
  3. Next — this quarter

    Committed
    • Public subprocessor list with change notifications
    • CSA STAR Level 1 self-assessment
    • Public service-level targets and uptime history
    • Quarterly access reviews
    • Expanded automated dependency scanning
  4. On the horizon

    Direction
    • Independent penetration test
    • SOC 2 examination
    • Further certifications as we grow

Last reviewed: 2026-06-14

Stay in the loop

Report something — or watch it live

Found a vulnerability?

Email [email protected]. The machine-readable policy is at security.txt.

Live service status

Real-time and historical uptime at status.echorelay.dev.

Go deeper

Full security overview · Privacy Policy · DPA.
