Security & data handling
You are putting customer data in Relm. Here is exactly how we hold it - written plainly, not as legalese.
Isolation
Every record - contacts, companies, deals, activities - is scoped to your workspace. Queries are filtered by workspace on every request, and API keys are workspace-bound, so one tenant can never read or write another's data. References are integrity-checked: you cannot link a deal to a company in someone else's workspace.
Test and live are separate
Every object carries a mode. A relm_test_ key writes to an isolated test dataset that never mixes with live data, never appears in your live dashboard, and is never billed. Build and demo without risk to real records.
Secrets and keys
- API keys are shown once and stored only as a SHA-256 hash. We cannot recover a key - if you lose it, you rotate it.
- Connected credentials (for example your Resend key for sending email) are encrypted at rest with AES-256-GCM, per workspace.
- Webhooks are signed with an HMAC so your endpoint can verify each delivery came from Relm and was not tampered with.
We never train on your data
Relm does not use your CRM data to train any model, and does not sell or share it. Your data is yours. The agents that drive Relm are the ones you connect with your key.
Delete anytime
Records support soft-delete and restore through the API, and you can permanently remove your workspace and its data on request. There is no lock-in: everything you put in is available back out through the same API you put it in with.
Transport
All traffic is over HTTPS. The API and MCP server sit behind a CDN edge; the origin is not exposed directly.
Honest status
Relm is an early-stage, independently built product shipping in public. We are deliberate about the security basics above, and we are not going to claim certifications we do not yet hold (no SOC 2 badge theatre). If your use case needs a specific control or a data-processing agreement, email us and we will tell you straight where we stand.
Responsible disclosure
Found a vulnerability? Please report it to [email protected]. See /.well-known/security.txt. We will acknowledge and work with you in good faith.