// SECURITY

Security is not a feature.
It's the architecture.

Relynt exists to govern AI agent write actions. Security isn't bolted on — it's the reason the product exists. Every design decision starts with the question: how do we keep our customers safe?

// TRUST PRINCIPLES

╔═══╗ ║ ◈ ║ ╚═══╝

Zero-trust by default

Every agent request is authenticated, authorized, and audited. No implicit trust is ever granted — every write action requires an explicit policy match.

┌───┐ │ ✓ │ └───┘

Full observability

Every action produces a cryptographically signed receipt. Nothing happens in your infrastructure without a verifiable audit trail.

╭───╮ │ ★ │ ╰───╯

Defense in depth

Multiple independent layers of security — from network isolation and encrypted storage to application-level access controls and cryptographically signed receipts.

◉─◉─◉ │ │ │

Least privilege

Agents only get access to the specific actions their policy allows. Credentials are scoped, rotatable, and never stored in plaintext.

// SECURITY ARCHITECTURE

Built secure from the ground up

Security controls are enforced at every layer — from the database through the application layer to the API boundary. No single point of failure.

Multi-tenant isolation

Every query is scoped to the authenticated organization using database-level row isolation. Tenant data is logically isolated at the storage layer — no shared state, no cross-tenant leakage.

Credential security

Agent secrets are salted and hashed before storage. Plaintext secrets are shown exactly once at creation or rotation, then permanently discarded. API keys use cryptographically secure random generation.

Signed receipts

Every action produces an append-only, cryptographically signed receipt. Receipts include request hashes, policy version references, and timestamps — creating a tamper-evident, verifiable audit log.

Infrastructure

Managed infrastructure with automatic backups and encrypted storage at rest (AES-256). All traffic is encrypted in transit with TLS 1.2+. Backend deployed on isolated compute with no shared tenancy.

Network security

All API endpoints enforce HTTPS. CORS policies restrict origins to known domains. Rate limiting protects against abuse. Webhook signatures are verified on every callback to prevent spoofing.

Input validation

Every API input is validated against strict schemas before processing. Strong typing across the codebase prevents type-confusion vulnerabilities. SQL injection is eliminated through parameterized queries.

// POLICY ENGINE

Granular policy controls

Relynt's policy engine gives you fine-grained control over what your AI agents can and cannot do. Every decision is deterministic, auditable, and versioned.

1

Action allow-listing

Policies explicitly enumerate which actions an agent may perform. Any action not in the allow-list is denied by default.

2

Resource pattern matching

Wildcard patterns scope agent access to specific resources — e.g., crm:deal:* allows CRM deals but denies ticket operations.

3

Field-level deny rules

Sensitive fields can be blocked from agent modification. Even if an action is allowed, protected attributes cannot be changed.

4

Threshold enforcement

Numeric thresholds catch dangerous changes — like modifying a deal amount beyond a configured limit — before they reach your systems.

5

Human approval gates

High-risk actions can require human approval before execution. Approvals are tenant-scoped and produce their own audit receipts.

6

Default deny

When no policy rule matches a request, the action is denied. Relynt fails closed — never open.

// COMPLIANCE

Compliance posture

We are building toward industry-standard compliance certifications. Here is where we stand today.

Encryption at rest

AES-256 for all stored data

Encryption in transit

TLS 1.2+ on all endpoints

Audit logging

Append-only signed receipts for every action

Multi-tenant isolation

Database-level row isolation per organization

Credential hashing

Salted and hashed agent secrets, no plaintext storage

Idempotency controls

Idempotency keys prevent duplicate actions

Role-based access

Granular roles enforced server-side on every request

Webhook verification

Cryptographic signature validation on every callback

SOC 2 Type IIIn progress

Compliance program in progress

Penetration testingIn progress

Third-party assessment planned

// DATA HANDLING

Your data, your control

We handle your data with the care it deserves. Here's exactly what we store, how we store it, and what we never do.

What we store

  • Agent metadata (IDs, names, policy assignments)
  • Policy definitions and version history
  • Signed receipts of every action attempt
  • Organization configuration and team members
  • Integration tokens (encrypted at rest)

What we never do

  • Store agent secrets in plaintext
  • Log Authorization headers or API keys
  • Store secrets in browser storage
  • Weaken security policies for convenience
  • Return secrets after initial creation
  • Allow cross-tenant data access

Responsible disclosure

Found a vulnerability? We take security reports seriously and respond promptly. Please disclose responsibly.

contact@relyntpolicy.com

We aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.

Ready to secure your AI agents?

Get early access to the policy gateway that governs AI agent write actions with cryptographic receipts.

Request access