← Home

Security & data handling

You are putting customer data in Relm. Here is exactly how we hold it - written plainly, not as legalese.

Isolation

Every record - contacts, companies, deals, activities - is scoped to your workspace. Queries are filtered by workspace on every request, and API keys are workspace-bound, so one tenant can never read or write another's data. References are integrity-checked: you cannot link a deal to a company in someone else's workspace.

Test and live are separate

Every object carries a mode. A relm_test_ key writes to an isolated test dataset that never mixes with live data, never appears in your live dashboard, and is never billed. Build and demo without risk to real records.

Secrets and keys

We never train on your data

Relm does not use your CRM data to train any model, and does not sell or share it. Your data is yours. The agents that drive Relm are the ones you connect with your key.

Delete anytime

Records support soft-delete and restore through the API, and you can permanently remove your workspace and its data on request. There is no lock-in: everything you put in is available back out through the same API you put it in with.

Transport

All traffic is over HTTPS. The API and MCP server sit behind a CDN edge; the origin is not exposed directly.

Honest status

Relm is an early-stage, independently built product shipping in public. We are deliberate about the security basics above, and we are not going to claim certifications we do not yet hold (no SOC 2 badge theatre). If your use case needs a specific control or a data-processing agreement, email us and we will tell you straight where we stand.

Responsible disclosure

Found a vulnerability? Please report it to [email protected]. See /.well-known/security.txt. We will acknowledge and work with you in good faith.

Questions about data handling?

Email [email protected] - a human answers.

Start free →