Last updated July 2026
Security
AuditRelay stores security and compliance evidence, so the product itself has to be trustworthy. This page describes what we do today — plainly, without overclaiming — and where we're still early.
Authentication
Accounts sign in with email and a password. Passwords are never stored in plaintext; they are hashed with bcrypt, which salts each hash individually, so two accounts with the same password do not share a hash. Sessions are signed tokens, and the password hash and other server-side credentials are never sent to the browser.
Organization isolation
Every workspace’s data belongs to one organization. Reads and writes are scoped to the signed-in user’s organization at the database query level (the organization is part of the query predicate, not a check applied afterwards to a row fetched by id alone), so one customer cannot see or modify another’s requests, evidence, or files. A request for a resource outside your organization returns “not found” rather than “forbidden”, so probing identifiers reveals nothing about what exists in another customer's workspace.
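The following is an added illustration of query-level organization scoping, not AuditRelay's own code. It uses an in-memory SQLite table with a constructed schema and sample rows; the table name, columns and the handle_* functions are assumptions for the example. The point it shows is that the organization id is part of every SELECT and UPDATE predicate, and that a row owned by another organization and a row that does not exist produce an identical 404.

```python
import sqlite3

# Constructed demo schema and rows (assumption: illustrative, not AuditRelay's real schema).
SCHEMA = """
CREATE TABLE requests (
    id     INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL,
    title  TEXT    NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, 100, "Q1 access review"),     # belongs to org 100
    (2, 200, "Backup restore test"),  # belongs to org 200
]


def open_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO requests (id, org_id, title) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def get_request(db, org_id, request_id):
    """Read scoped to the caller's organization: org_id is in the WHERE clause itself,
    so the database never returns a row the caller does not own."""
    row = db.execute(
        "SELECT id, org_id, title FROM requests WHERE id = ? AND org_id = ?",
        (request_id, org_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "org_id": row[1], "title": row[2]}


def rename_request(db, org_id, request_id, new_title):
    """Write scoped the same way; rowcount tells us whether the caller owned the row."""
    cur = db.execute(
        "UPDATE requests SET title = ? WHERE id = ? AND org_id = ?",
        (new_title, request_id, org_id),
    )
    db.commit()
    return cur.rowcount == 1


NOT_FOUND = (404, {"error": "not found"})


def handle_get(db, session_org_id, request_id):
    """What the HTTP layer returns. A row in another organization and a row that does not
    exist produce the same response, so probing ids reveals nothing about other customers."""
    req = get_request(db, session_org_id, request_id)
    return NOT_FOUND if req is None else (200, req)


def handle_rename(db, session_org_id, request_id, new_title):
    if rename_request(db, session_org_id, request_id, new_title):
        return (200, {"ok": True})
    return NOT_FOUND
```

The same pattern applies to the evidence download endpoint: the file lookup carries the organization predicate, so a storage key or evidence id from another organization resolves to nothing.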
Evidence integrity
Every uploaded evidence file is fingerprinted with a SHA-256 hash computed from the file’s actual bytes, not from its name or metadata. That hash travels in the export manifest, so anyone holding the file and the manifest can re-hash the file and confirm it was not altered after it was collected. The hash proves integrity since collection; it does not by itself vouch for who produced the original file or when.
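Below is an added example of the hash-and-manifest check described above. It is not AuditRelay's export code: the manifest layout, file names and file contents are constructed for the example, and the real export format may differ. It hashes files in chunks (so large evidence files are never read fully into memory), builds a manifest, then re-verifies after one file is edited and another is deleted, which is the check an auditor or customer would run on a received package.

```python
import hashlib
import json
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks; large evidence files never sit fully in memory


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """Manifest layout is an assumption for this example, not AuditRelay's real format."""
    return {
        "algorithm": "sha256",
        "files": [
            {"name": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest, directory):
    """Re-hash every listed file and report per file: 'ok', 'modified' or 'missing'."""
    results = {}
    for entry in manifest["files"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path):
            results[entry["name"]] = "missing"
        elif sha256_file(path) == entry["sha256"]:
            results[entry["name"]] = "ok"
        else:
            results[entry["name"]] = "modified"
    return results


def sha256_of_bytes_via_file(data):
    """Known-answer helper: push `data` through the same file-hashing path."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "kat.bin")
        with open(p, "wb") as fh:
            fh.write(data)
        return sha256_file(p)


def demo():
    """Constructed evidence files: collect, then tamper with one and delete another."""
    with tempfile.TemporaryDirectory() as d:
        policy = os.path.join(d, "access-policy.pdf")
        review = os.path.join(d, "access-review.csv")
        with open(policy, "wb") as fh:
            fh.write(b"%PDF-1.4\n% constructed placeholder for a policy document\n")
        with open(review, "wb") as fh:
            fh.write(b"user,role,reviewed\nalice,admin,yes\nbob,member,yes\n")

        manifest = build_manifest([policy, review])
        manifest_json = json.dumps(manifest, indent=2)      # what would travel with the export
        clean = verify_manifest(json.loads(manifest_json), d)

        with open(review, "ab") as fh:                       # post-collection edit: add a row
            fh.write(b"mallory,admin,yes\n")
        tampered = verify_manifest(manifest, d)

        os.remove(policy)                                    # file dropped from the package
        removed = verify_manifest(manifest, d)
        return clean, tampered, removed
```

One caveat the verification needs: the manifest keys files by basename, so a real manifest must also make names unique within a package (a path or evidence id), or two files with the same name could be confused.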
Evidence storage & access control
Evidence files are held in private storage (local disk or an S3-compatible private bucket). Files are never served from public URLs; every download is streamed through an authenticated, organization-scoped endpoint, so knowing a storage path or object key is not enough to fetch a file. Auditor share links are the only way evidence is exposed to anyone outside the workspace, and only when you enable them.
Encryption of secrets
Third-party integration access tokens (for example, for a connected GitHub account) are encrypted at rest with AES-256-GCM. GCM is an authenticated mode, so a stored ciphertext that has been tampered with fails to decrypt rather than yielding a corrupted token. In production a dedicated encryption key, separate from the session-signing secret, is required, so a leak of one secret does not expose what the other protects.
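An added example of AES-256-GCM at rest with a dedicated key, not AuditRelay's implementation. It assumes the `cryptography` package is installed and generates both keys in-process; in a deployment they would come from configuration or a secrets manager. It goes one step beyond what the page states by binding each ciphertext to its owning organization and integration through GCM associated data, which is a design choice for the example, not a claim about the product. The sample token value is constructed.

```python
import os
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit GCM nonce; must be unique for every encryption under a given key
TAG_LEN = 16     # GCM appends a 128-bit authentication tag to the ciphertext

# Constructed sample value; not a real credential.
SAMPLE_TOKEN = "ghp_constructedExampleTokenNotReal0123456789"


def generate_keys():
    """Assumption: two independent 256-bit secrets, generated fresh here. In production they
    are loaded from the environment or a secrets manager and never derived from each other."""
    return {
        "token_encryption_key": AESGCM.generate_key(bit_length=256),
        "session_signing_secret": secrets.token_bytes(32),
    }


def associated_data(org_id, integration):
    # Binding the ciphertext to its owning record is an assumption for this example:
    # a blob copied onto another organization's row will not decrypt.
    return f"org={org_id};integration={integration}".encode()


def encrypt_token(key, org_id, integration, access_token):
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(key).encrypt(nonce, access_token.encode(), associated_data(org_id, integration))
    return nonce + ciphertext   # nonce is not secret; store it beside the ciphertext and tag


def decrypt_token(key, org_id, integration, blob):
    """Return the plaintext token, or None if key, nonce, tag or associated data do not match."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, associated_data(org_id, integration)).decode()
    except InvalidTag:
        return None


def demo():
    keys = generate_keys()
    tek = keys["token_encryption_key"]
    blob = encrypt_token(tek, 100, "github", SAMPLE_TOKEN)
    # Flip one bit inside the ciphertext body to simulate on-disk corruption or tampering.
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    return {
        "roundtrip": decrypt_token(tek, 100, "github", blob),
        "other_org": decrypt_token(tek, 200, "github", blob),
        "bit_flip": decrypt_token(tek, 100, "github", tampered),
        "wrong_key": decrypt_token(keys["session_signing_secret"], 100, "github", blob),
        "plaintext_visible": SAMPLE_TOKEN.encode() in blob,
    }
```

The "wrong_key" case is the key-separation point: even though both secrets are 32 random bytes, the session-signing secret cannot open a token blob, so an attacker who obtains one does not get the other's plaintexts.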
Share links
Read-only auditor packages are shared through links that carry 256-bit random tokens. We store only a SHA-256 hash of each token, never the token itself, so a copy of the database does not yield working links. Links can be given an expiry, revoked at any time, and configured to allow or disallow file downloads. Views and downloads are logged.
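An added example of the share-link lifecycle, not AuditRelay's code. The in-memory store, record fields and status strings are assumptions for the illustration. It shows the pieces the paragraph lists together: a 256-bit token that is returned once and never stored, lookup by its SHA-256 hash, expiry, revocation by a separate link id, a per-link download flag, and an access log.

```python
import hashlib
import secrets
import time


class ShareLinkStore:
    """In-memory stand-in for a share-link table (constructed for this example)."""

    def __init__(self):
        self._by_hash = {}    # sha256(token) -> link record; the token itself is never kept
        self.access_log = []  # (link_id, event) tuples; a real system would persist these

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, package_id, now=None, ttl_seconds=None, allow_download=False):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 32 random bytes = 256 bits of entropy
        link_id = secrets.token_hex(8)      # public id so the link can be revoked without the token
        self._by_hash[self._hash(token)] = {
            "id": link_id,
            "package_id": package_id,
            "expires_at": None if ttl_seconds is None else now + ttl_seconds,
            "allow_download": allow_download,
            "revoked": False,
        }
        return link_id, token   # token is shown once to the sharer; only its hash persists

    def revoke(self, link_id):
        for rec in self._by_hash.values():
            if rec["id"] == link_id:
                rec["revoked"] = True
                return True
        return False

    def resolve(self, token, now=None, download=False):
        """Map a presented token to (status, package_id). The distinct denial reasons exist
        so the log can record them; an HTTP endpoint would collapse them into one response."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._hash(token))   # hash lookup: no plaintext token in storage
        if rec is None:
            return "not_found", None
        if rec["revoked"]:
            self.access_log.append((rec["id"], "denied_revoked"))
            return "revoked", None
        if rec["expires_at"] is not None and now >= rec["expires_at"]:
            self.access_log.append((rec["id"], "denied_expired"))
            return "expired", None
        if download and not rec["allow_download"]:
            self.access_log.append((rec["id"], "denied_download"))
            return "download_disabled", None
        self.access_log.append((rec["id"], "download" if download else "view"))
        return "ok", rec["package_id"]
```

Because the token has 256 bits of entropy, the lookup can be a plain hash-keyed read; there is nothing to brute-force and no need for a constant-time comparison on the hash itself.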
Roles & separation of duties
Workspaces use owner, admin, and member roles. Members can only contribute evidence to requests assigned to them. Nobody can approve evidence they uploaded themselves, and only an owner can grant the owner role.
Abuse protection
Sensitive endpoints — sign-in, sign-up, invite acceptance, and public share access — are rate-limited to slow brute-force and enumeration attempts.
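An added example of rate limiting for those endpoints, not AuditRelay's implementation. The thresholds are assumptions (the page does not publish them), and the limiter keeps its counters in process memory, which matches the per-instance limitation noted under the current limitations further down. It goes slightly beyond the paragraph by keying sign-in on both the client IP and the target account, so guessing one account's password from many source addresses is throttled as well.

```python
import time


class TokenBucket:
    """Per-key token bucket held in this process only; counters are not shared across nodes."""

    def __init__(self, capacity, refill_interval_s):
        self.capacity = capacity                     # burst allowed before throttling starts
        self.refill_interval_s = refill_interval_s   # seconds needed to earn back one attempt
        self._buckets = {}                           # key -> (tokens, last_seen)

    def allow(self, key, now):
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) / self.refill_interval_s)
        allowed = tokens >= 1
        if allowed:
            tokens -= 1
        self._buckets[key] = (tokens, now)
        return allowed


# Constructed limits (assumption: AuditRelay's real thresholds are not stated on this page).
LIMITS = {
    "sign_in":      TokenBucket(capacity=5, refill_interval_s=12),   # 5 tries, then 1 per 12 s
    "sign_up":      TokenBucket(capacity=3, refill_interval_s=60),
    "invite":       TokenBucket(capacity=5, refill_interval_s=30),
    "share_access": TokenBucket(capacity=30, refill_interval_s=2),
}


def check_request(endpoint, client_ip, subject=None, now=None):
    """Allow only if every applicable bucket has an attempt left. Sign-in is keyed by client IP
    and by the target account (subject), so a distributed guess against one account is throttled
    even though each source IP stays under its own limit. `now` is injectable for tests."""
    now = time.monotonic() if now is None else now
    limiter = LIMITS[endpoint]
    keys = [(endpoint, "ip", client_ip)]
    if subject is not None:
        keys.append((endpoint, "subject", subject.strip().lower()))
    verdicts = [limiter.allow(k, now) for k in keys]   # charge every bucket, not just the first
    return all(verdicts)
```

Deny responses should look identical whether the account exists or not; the limiter slows enumeration, but it is the uniform response that keeps the signal out.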
Data processing (DPA)
AuditRelay processes the evidence and account data you provide in order to deliver the product. During the pilot program we handle data processing agreements individually. If your organization requires a signed DPA before uploading evidence, email [email protected] and we’ll put one in place before you start.
What we do not claim
AuditRelay is an early-stage product. We are not claiming any third-party certification or attestation — AuditRelay is not itself SOC 2, ISO 27001, or otherwise certified today, and we will say so clearly if and when that changes. AuditRelay helps you organize and deliver your evidence; it is not a substitute for your auditor’s judgment.
Current limitations we want to be upfront about:
- GitHub is the only live automated evidence collector today; other integrations are on the roadmap and are handled as manual uploads for now.
- Abuse protection is currently per-instance (single-node): rate-limit counters are kept on each instance and are not shared across nodes. A shared store is planned before horizontal scale.
- SSO, customer-managed encryption keys, and a formal audit-log export are Enterprise roadmap items, not shipped yet.
Reporting a vulnerability
Found a security issue? Please email [email protected]. We’ll acknowledge your report and work with you on a fix.