SECURITY

Enterprise-grade encryption and authentication


At Reelay, we understand that trust and security are paramount when managing and processing your meetings. Our commitment to safeguarding your data is at the core of everything we do. This page provides an overview of the measures we take to ensure the highest levels of security, privacy, and compliance.

OVERVIEW

Users

- Secure logins using one-time passcodes (OTP)
- SSO via Microsoft Entra ID


Infrastructure

- Secure cloud-based infrastructure
- Data stored in multiple availability zones
- Point-in-time data recovery
- SOC 2 compliance


Operational Controls

- Encryption at rest
- 99.9% SLA
- Secure Software Development Lifecycle


Application

- Vulnerability scanning of core applications and dependencies
- Anomaly Detection during development
- Client/Server Security validations


Training

Our internal datasets are not used to train external LLM models, and we do not use external datasets for internal learning purposes.


Content

- Role Based Access Control (RBAC)
- Secure sharing via token-based links
- Enterprise-grade Data Management Policy


Infrastructure security

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH keys.

Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.

Unique account authentication enforced
The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

Production application access restricted
System access is restricted to authorized users only.

Access control procedures established
The company's access control policy documents the requirements for the following access control functions: adding new users; modifying users; and/or removing an existing user's access.

Production database access restricted
The company restricts privileged access to databases to authorized users with a business need.

Production OS access restricted
The company restricts privileged access to the operating system to authorized users with a business need.

Production network access restricted
The company restricts privileged access to the production network to authorized users with a business need.

Unique network system authentication enforced
The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

Remote access MFA enforced
The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Remote access encryption enforced
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Intrusion detection system utilized
The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

Log management utilized
The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

Network segmentation implemented
The company's network is segmented to prevent unauthorized access to customer data.

Network firewalls utilized
The company uses firewalls and configures them to prevent unauthorized access.

Network and system hardening standards maintained
The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.


Organizational security

Asset disposal procedures utilized
The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Portable media encrypted
The company encrypts portable and removable media devices when used.

Anti-malware technology utilized
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

Employee background checks performed
The company performs background checks on new employees.

Code of Conduct acknowledged by contractors
The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

Code of Conduct acknowledged by employees and enforced
The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

Confidentiality Agreement acknowledged by contractors
The company requires contractors to sign a confidentiality agreement at the time of engagement.

Confidentiality Agreement acknowledged by employees
The company requires employees to sign a confidentiality agreement during onboarding.

Performance evaluations conducted
The company managers are required to complete performance evaluations for direct reports at least annually.

Password policy enforced
The company requires passwords for in-scope system components to be configured according to the company's policy.


Product security

Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.

Control self-assessments conducted
The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

Penetration testing performed
The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

Vulnerability and system monitoring procedures established
The company's formal policies outline the requirements for the following functions related to IT / Engineering: Vulnerability management; system monitoring.


Data and privacy

Data retention procedures established
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

Customer data deleted upon leaving
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

Data classification policy established
The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.


Internal security

Continuity and Disaster Recovery plans established
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Continuity and disaster recovery plans tested
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

Cybersecurity insurance maintained
The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

Configuration management system established
The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

Development lifecycle established
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Whistleblower policy established
The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

Board oversight briefings conducted
The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

Board charter documented
The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

Board expertise developed
The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

Board meetings conducted
The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

Backup processes established
The company's data backup policy documents requirements for backup and recovery of customer data.

System changes externally communicated
The company notifies customers of critical system changes that may affect their processing.

Management roles and responsibilities defined
The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

Organization structure documented
The company maintains an organizational chart that describes the organizational structure and reporting lines.

Roles and responsibilities specified
Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

Security policies established and reviewed
The company's information security policies and procedures are documented and reviewed at least annually.

Support system available
The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

System changes communicated
The company communicates system changes to authorized internal users.

Access requests required
The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

Incident response plan tested
The company tests their incident response plan at least annually.

Incident response policies established
The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Incident management procedures followed
The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

Physical access processes established
The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.

Data center access reviewed
The company reviews access to the data centers at least annually.

Company commitments externally communicated
The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

External support resources available
The company provides guidelines and technical support resources relating to system operations to customers.

Service description communicated
The company provides a description of its products and services to internal and external users.

Risk management program established
The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

Third-party agreements established
The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Vendor management program established
The company has a vendor management program in place. Components of this program include: critical third-party vendor inventory; vendor security and privacy requirements; and review of critical third-party vendors at least annually.


Resources and Subprocessors

Access Control Policy:
The organization’s access control policy defines how access to systems and data is managed, including user permissions, authentication, and monitoring to ensure only authorized access.

Asset Management Policy:
The organization’s asset management policy defines how assets are tracked and protected, including inventory management, ownership, and secure use and disposal.

Data Management Policy:
The organization’s data management policy defines how data is handled, stored, and protected, including classification, retention, and secure disposal practices.

Code of Conduct:
The organization’s code of conduct defines expected standards of behavior, ensuring employees act ethically, professionally, and in compliance with policies and laws.

Operations Security Policy:
The organization’s operations security policy defines procedures for secure system operations, including monitoring, change management, and protection of operational processes.

Human Resource Security Policy:
The organization’s human resource security policy defines security practices related to employees, including onboarding, training, and termination procedures.

Physical Security Policy:
The organization’s physical security policy defines how facilities and equipment are protected from unauthorized access, damage, or theft.

Risk Management Policy:
The organization’s risk management policy defines how risks are identified, assessed, and mitigated to protect business operations and information assets.

Information Security Policy (AUP):
The organization’s information security policy defines acceptable use of systems and data, ensuring users follow security requirements and best practices.

Third-Party Management Policy:
The organization’s third-party management policy defines how external vendors are evaluated and monitored to ensure they meet security and compliance standards.

Information Security Roles and Responsibilities:
The organization defines roles and responsibilities to ensure accountability for maintaining and enforcing information security across all functions.

Cryptography Policy:
The organization’s cryptography policy defines how encryption is used to protect data, including key management and secure implementation practices.

Secure Development Policy:
The organization’s secure development policy defines practices for building secure software, including coding standards, testing, and vulnerability management.

Business Continuity and Disaster Recovery Plan:
The organization’s business continuity and disaster recovery plan defines how critical operations are maintained and restored during disruptions or disasters.

Incident Response Plan:
The organization’s incident response plan defines how security incidents are identified, managed, and resolved to minimize impact and ensure recovery.

Amazon Web Services (AWS):
Provides cloud infrastructure and hosting services for storing and processing application data.

GitHub:
Provides version control and code repository services for managing and collaborating on software development.

Google Workspace:
Provides identity management and productivity tools, including email, authentication, and document collaboration.

Linear:
Provides issue tracking and project management tools for internal collaboration and workflow management.

Internal Ticket Solution:
Provides an internal system for tracking, managing, and resolving support and operational requests.

Slack:
Provides a communication platform for internal messaging, collaboration, and team coordination.

Vanta:
Provides continuous security and compliance monitoring to help maintain and demonstrate adherence to security standards.

From our Security Officer

Data Protection
Our platform is built to scale across global networks. We apply data protection based on best practices aligned with a common controls framework. Any data security threat is immediately thwarted by our detection program. Our network infrastructure relies on a secure cloud service platform with flexible capacity to ensure best-in-class protection and reliability. We also maintain a secure software development process and industry-recognized operational practices.

Privacy & Hosting
As a SaaS solutions provider, we integrate security and ease of implementation into all our proprietary applications. At the data level, we only access internal information that is fully manageable by you. Our secure meeting attendant sits alongside your current video conferencing solutions. So, there is no need to integrate complex software programs with inherent security risks. We host our applications on the AWS cloud platform.

Integrations
Reelay employs a private virtual network of secured microservices using AWS Compute Engine nodes. AWS also provides a comprehensive list of compliance and regulatory assurances, including SOC 1-3 and ISO 27001.

Product Architecture
Our application software complies with the latest industry security practices, including the ASVS 4.0.2 standard defined by OWASP. Internally, we utilize CI/CD pipeline tools such as Embold to perform security reviews and rapidly identify any potential issues during our development phase.

Snyk.io and Dependabot are also deployed to provide vulnerability detection and detailed security audits. In addition, we maintain separate production and development environments to guarantee stability and safekeeping.

Data Security
All data-in-transit delivered through our applications is encrypted using the most up-to-date version of SSL or RTMPS. In addition, your data-at-rest is encrypted using the Advanced Encryption Standard. Cryptographic encryption keys are maintained through AWS. Disk storage is also fully encrypted and utilizes AWS key management. An Advanced Encryption Standard (AES) algorithm with a key size of 256 bits and a unique encryption key rotation policy is maintained to ensure your data stays yours.

Data Protocol
We monitor all access attempts into our company resources. We also enable full backups of your data across multiple locations. This ensures your data can be retrieved within a standard recovery time objective in the unlikely event of failure. Your meeting information can be deleted through data erasure requests to our security team. Encryption-at-rest and encryption-in-transit are maintained at all times via secure data channels.

App Security
Reelay maintains a continuous integration and software delivery pipeline that utilizes security tools such as Git, Jenkins, and Snyk to identify issues throughout our development phase. In addition, our security team performs regular penetration tests to address issues that may occur in later SDLC phases. All software patches and updates are installed as soon as available, and all vulnerabilities are tracked in our project security system.

Frequently Asked Questions

People are standing by to help you. Email us, call us, or click the chat button at the bottom of your screen and a Reelay team member will get back to you during normal business hours (8am to 8pm EST).

01

What data does Reelay receive, record and/or process?

Reelay has access to the video/audio of the meeting it is invited to, along with the participants and any calendar event associated with it.

The two options that lead to Reelay’s involvement are Record and Recap. These two options will take the video recording, transcribe it, and then scan that transcript for key moments from the call while summarizing the event for its owner.

When the Don't Join option is selected, Reelay still has access to the user's calendar event but marks it to not be recorded. No additional data is collected.

02

Where is the raw data stored?

Reelay stores its raw data within Amazon Web Services. We use a secure and redundant database service managed by Amazon called RDS. Frequent backups are made along with point-in-time recovery. Data is stored across multiple availability zones to ensure its safety.

03

Who has access to the raw data? / Does Reelay have access to it?

The raw data is accessible by authorized members of Reelay’s Engineering team on a Need-to-access basis. Requests to access are made directly to the CTO and access is granted at the finest level possible to ensure data security for our customers.

04

What are the outputs from Reelay?

There are two ways to receive a Reelay asset (recordings & minutes). These are distilled and concise overviews of the meeting. They hold the following - Short Summary, Synopsis, Topics, Moments (Actions, Highlights, Questions), Transcription, Agenda, and Attendee list.

The Recording which is offered in the Application experience contains the recording along with all these things listed above. The Minutes document holds all of the information minus the transcription and the recording.

Users are given the option of which asset they would like to receive post meeting.

05

Who receives these outputs?

This is determined at an organizational level. The following options exist:

A) Only the Meeting Host
B) All Verified Reelay users who were invited or attended
C) All users on the event or in attendance
D) Anyone who has been invited to view