P03/PRODUCT · SECURITY

The boring parts, done well.

Relay handles real customer conversations — names, numbers, deal values, calendar holds, CRM credentials. Here's what we do to keep them safe, and what we deliberately don't do.

Where your data lives

All customer data is stored in Supabase's Sydney (ap-southeast-2) region. Backups are encrypted and stay in region. Some sub-processors (the speech-to-text and AI providers) process data in the United States during the request lifecycle — we're tracking customer demand for stricter regional pinning.

Encryption

In transit: TLS 1.2+ everywhere. HSTS enabled. No plaintext anywhere on the public internet.

At rest: Supabase Postgres uses transparent full-disk encryption for everything stored. On top of that, third-party credentials (CRM OAuth tokens, dialler API keys) are encrypted at the column level with a per-org key before being persisted — even if someone got the raw database dump, your credentials are useless without the encryption key.

Multi-tenancy

Every tenant-scoped row in our database carries an org_id column. Every API request runs through a typed middleware that scopes queries to the authenticated user's org. On top of that, PostgreSQL Row-Level Security (RLS) policies enforce the same isolation at the database layer — even a worker process can't accidentally read another tenant's data.

Two layers of defence, by policy. Adding a third layer of isolation (per-tenant database schemas) is on the roadmap for enterprise customers.
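The database-layer half of this isolation, as an added example (not Relay's actual schema or code): a PostgreSQL RLS policy keyed on org_id. The table `call_transcripts`, the role `app_worker` and the setting `app.current_org_id` are assumed names.

```sql
-- Added illustration; table, role and setting names are assumptions.
-- Run the setup as a superuser (superusers bypass RLS).
CREATE ROLE app_worker NOLOGIN;            -- no SUPERUSER, no BYPASSRLS

CREATE TABLE call_transcripts (
    id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id uuid NOT NULL,                  -- tenant key carried by every row
    body   text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON call_transcripts TO app_worker;

-- ENABLE turns policies on; FORCE applies them to the table owner too.
ALTER TABLE call_transcripts ENABLE ROW LEVEL SECURITY;
ALTER TABLE call_transcripts FORCE ROW LEVEL SECURITY;

-- USING filters rows read, updated or deleted; WITH CHECK validates rows
-- written. If the setting is unset or empty the comparison is NULL, so no
-- row matches: the policy fails closed.
CREATE POLICY tenant_isolation ON call_transcripts
    FOR ALL TO app_worker
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Constructed sample rows for two tenants.
INSERT INTO call_transcripts (org_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'org A call'),
    ('22222222-2222-2222-2222-222222222222', 'org B call');

-- What an application layer could do per request: drop to the worker
-- role and pin the org for this transaction only (third argument = true).
BEGIN;
SET LOCAL ROLE app_worker;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);

-- No WHERE clause on org_id, yet the policy limits this to org A's rows.
SELECT org_id, body FROM call_transcripts;

-- An UPDATE aimed at org B's row matches nothing under USING.
UPDATE call_transcripts SET body = 'tampered'
 WHERE org_id = '22222222-2222-2222-2222-222222222222';
ROLLBACK;
```

Policies of this kind only bind roles without SUPERUSER or BYPASSRLS, so the guarantee depends on application and worker connections using such a role.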

Audit log

Every privileged action — integration connects/disconnects, user invites, role changes, extraction-target edits, workflow edits, manual action approvals — is written to an immutable audit log scoped to your org. You can browse it from the Audit Log page in-app.

What Claude sees (and doesn't)

For extraction, classification, and summary generation, the AI model receives the call transcript and your org's extraction targets / signal taxonomy. It does not receive: your CRM credentials, your other customers' data, or anything outside the single call being processed.

Anthropic (the Claude API provider) contractually does not train on data sent through their API. We never write call content into model training datasets ourselves.

What we don't do

We don't sell your data. Not to advertisers, not to data brokers, not to anyone.

We don't train models on your calls. Period.

We don't cross-pollinate customers. Your extracted values, your transcripts, your workflows — they inform only your org's downstream behaviour.

We don't ask for more than we need. If a field isn't required to deliver the service, we don't collect it.

Incident response

If we discover or are notified of a breach, we investigate within 24 hours, contain the impact, notify affected customers, and (where required by law) report to the Office of the Australian Information Commissioner within 72 hours.

To report a vulnerability: security@userelay.com.au.

Compliance & certifications

We're an early-stage company. SOC 2 Type II is on the roadmap and gated by customer demand. We currently operate under the Australian Privacy Principles (Privacy Act 1988) and design with GDPR principles in mind.

We don't claim certifications we don't have. If a procurement team asks for a security questionnaire, email legal@userelay.com.au and we'll respond honestly.

Related

Full details on what we collect and why: Privacy Policy.