SOC 2
Controls operated in line with the SOC 2 Trust Services Criteria. An independent audit is planned — until it completes, we don’t claim certification.
Security · Reliability · Privacy · Compliance
Proof you can verify — and an honest map of what's next.
Our controls are built and operated in line with the SOC 2 Trust Services Criteria. We show what we already do, and what we're pursuing — never more than we can prove.
SOC 2 — Common Criteria
Two-factor authentication is mandatory on every account. Passwords use a modern hashing scheme, sessions expire on idle, and trusted devices are limited.
Project keys are hashed at rest and shown once. They rotate automatically with an overlap window, and stored outbound secrets are always returned masked — never in plaintext.
Owner, editor and viewer roles are enforced on every action. Access to another tenant’s data is denied by construction, not by convention.
Sensitive configuration values are sealed with authenticated encryption under a versioned, rotatable key.
Automated secret-detection runs in our build pipeline, and a published vulnerability-disclosure policy gives researchers a clear, safe channel.
SOC 2 — Availability & Processing Integrity
Daily encrypted backups, a restore that is exercised end-to-end against a defined recovery objective, and a loud alert if a backup is ever missed.
Redundant EU infrastructure with automatic failover and autoscaling. Releases roll out surge-first, with no downtime window.
A continuously probed public status page, hosted separately from the service it watches, so an outage can’t take its own monitor down.
Automatic retries, a dead-letter queue, and idempotency support so a transient failure is retried — never silently dropped.
Every configuration, key and billing change is recorded with who made it, when, and from where.
SOC 2 — Confidentiality & Privacy
All customer data is stored and processed entirely within the EU.
Encryption in transit on every connection, and at rest across data stores and backups.
GDPR data export (including the audit log) and erasure on request, a signed DPA, a maintained subprocessor list, and defined retention windows.
Configurable field masking keeps sensitive values out of API reads and logs.
Standards & certifications
The honest status of each standard today — self-assessed and automated checks are labelled as such, never as an independent audit.
Controls operated in line with the SOC 2 Trust Services Criteria. An independent audit is planned — until it completes, we don’t claim certification.
A self-assessment against the Cloud Controls Matrix, to be published in the public STAR registry.
EU data residency, a signed Data Processing Agreement, and a documented data-subject-request process.
Card payments are handled entirely by our PCI-DSS-compliant payment provider. EchoRelay never sees or stores card numbers.
Roadmap
Our direction, not a dated commitment — we ship in priority order and keep this page current.
Last reviewed: 2026-06-14
Stay in the loop
Email [email protected]. The machine-readable policy is at security.txt.
Real-time and historical uptime at status.echorelay.dev.
Full security overview · Privacy Policy · DPA.