Built to be trusted
Data security and compliance aren't features—they're foundations. Here's how we protect your business and your tenants.
Data Encryption
All data transmitted between your browser, our servers, Twilio's SMS infrastructure, and Stripe's payment infrastructure is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256, provided by our infrastructure layer (Supabase for our Postgres database and file storage, Railway for backend hosting). This includes conversation records, tenant contact information, and payment-related metadata. Cardholder data is held by Stripe; RentalRelay does not store card numbers.
Payment Card Security
Cardholder data is collected, transmitted, and stored exclusively by Stripe, which is PCI DSS Level 1 certified. RentalRelay does not store, process, or transmit cardholder data on its own systems. Our PCI scope is limited to SAQ A.
Authentication & Access Control
RentalRelay uses organization-scoped access control. Each account owner has full access to their organization's data.
All authentication routes are rate-limited. Password reset and signup flows include abuse prevention controls.
SMS Compliance (TCPA / CTIA)
RentalRelay supports two consent paths: (1) explicit written consent collected by the landlord via our SMS Opt-In Form, and (2) implicit consent established when a tenant initiates contact by texting their property management number. We implement the following safeguards:
- Every tenant conversation thread tracks opt-in status
- STOP, UNSUBSCRIBE, CANCEL, QUIT, and END keyword handling is automatic and immediate
- HELP and START/UNSTOP/HELLO keywords are also handled
- Every consent change is written to an immutable activity log with a timestamp
- Message logs retain sender, recipient, timestamp, direction, and consent status
- You remain responsible for obtaining initial consent in your lease agreements or via our opt-in form—we provide the infrastructure to honor and document it
RentalRelay is not a law firm and this does not constitute legal advice. We recommend consulting a housing attorney for jurisdiction-specific compliance guidance.
Records & Documentation
Every message, approval decision, and system action is logged with a timestamp and actor identity. These records are immutable at the database layer (enforced by Postgres triggers) and available to you for export. They are designed to support:
- Security deposit disputes
- Maintenance response timelines
- Vendor approval chains
- Habitability documentation
RentalRelay does not currently hold a SOC 2 or ISO 27001 attestation. We rely on the SOC 2 / ISO 27001 attestations of our infrastructure sub-processors (Supabase, Railway, Stripe, Twilio, Anthropic) for the security of the underlying systems.
Infrastructure & Availability
RentalRelay runs on managed cloud infrastructure — Supabase for our database and Railway for our backend. We rely on those providers' built-in backup and availability behavior at the tier we operate on; we do not currently publish a contractual uptime SLA. To catch outages quickly, we run an internal synthetic monitor that probes critical production endpoints every 10 minutes and alerts account administrators via SMS when probes fail.
Vendor & Third-Party Services
We use a defined set of third-party services to operate RentalRelay. Each is subject to its own privacy and security commitments. The complete list — including Twilio, Stripe, Supabase, Anthropic, and others — is published in our Privacy Policy. We do not sell your data to, or share it with, advertisers. Where available, we accept each sub-processor's standard data processing agreement and operate within the terms of their published privacy and security commitments.
Responsible Disclosure
If you discover a security vulnerability in RentalRelay, please report it to hello@rentalrelay.io. We will acknowledge reports within 48 hours and work to resolve confirmed issues promptly.