Compliance
Last updated: April 2026
Our approach
Relentify handles business-critical data: invoices, contracts, customer conversations, payroll, timesheets. We take the responsibility seriously. This page sets out the standards we work to, the controls we have in place, and where we are on the path to formal certification.
Data protection (UK GDPR)
- We process personal data only for the purposes you signed up for, as set out in our Privacy Policy.
- You can export or delete your data at any time from Settings. Deletion completes within 30 days.
- Data subject requests (access, correction, deletion, portability) can be made via the app or by emailing [email protected].
- A Data Processing Agreement is available for business customers on request.
Where your data is stored
All customer data is hosted in the European Union on servers operated by Hetzner. Database backups stay within the EU. We don't transfer personal data outside the UK or EU except where a specific service you've connected requires it (for example, third-party integrations you've authorised).
Security controls
- Encryption in transit - TLS 1.2+ for every connection, HSTS enabled.
- Encryption at rest - database volumes are encrypted; backups are encrypted.
- Access control - per-user authentication, tenant isolation on every query, role-based permissions inside each product.
- Monitoring - continuous error monitoring, login-anomaly detection, automated vulnerability scans against our dependencies.
- Backups - automated daily backups with point-in-time recovery; restoration tested.
Payments (PCI DSS)
Card payments are handled entirely by Stripe, a Level 1 PCI DSS certified payment provider. Card numbers never touch our servers.
E-Sign compliance (eIDAS / UK equivalents)
Our E-Sign product produces legally binding electronic signatures under UK and EU eIDAS regulations. Every signed document carries a tamper-evident audit trail showing signer identity, timestamp, IP address, and signature method. Signatures are cryptographically hashed and the audit certificate is retrievable at any time.
Accounting (HMRC Making Tax Digital)
Our Accounting product supports UK Making Tax Digital for VAT. Digital record keeping, bridging, and direct submission to HMRC are included in the product. Records are retained in line with HMRC requirements.
Sub-processors
We work with a short list of sub-processors, each with their own compliance programme:
- Hetzner - infrastructure hosting (EU).
- Stripe - payments processing.
- PostHog - product analytics.
Incident response
If we detect a security incident that affects your data, we'll notify you by email within 72 hours, in line with UK GDPR requirements. We maintain incident runbooks and exercise them regularly.
Certification roadmap
We are actively working toward SOC 2 Type II and ISO 27001 certification. While those audits are in progress, the controls above are operational and documented. Enterprise customers can request a current security questionnaire, penetration test summary, or a bespoke Data Processing Agreement.
Contact
Questions about compliance, or want to request our security documentation? Email [email protected].