Security
You're Handing Us the Keys to Your Carrier Portals. Here's How We Protect Them.
The first question every agency asks: 'What are you doing with my data?' Here's exactly what we do, and what we don't.
Carrier compliance
Security is about protecting your data. Carrier compliance is about making sure carriers never have a reason to flag us. Both matter. Here is how we handle the second part.
Human-in-the-loop by default
Nothing submits to a carrier portal without your team's review. Relay drafts the submission, surfaces it in the portal UI with an explicit approval step, and waits for your agent to press approve. Every run generates an audit trail with timestamps and the reviewing agent's name, so you can prove the human chain of custody at any time.
Your credentials, your agency
Relay runs inside your own portal sessions using credentials you provision and control. There are no shared Relay accounts, no API scraping, and no back-channel access to carrier systems. Credentials are stored in an encrypted vault (AES-256, SOC 2 practices in progress) and you can revoke any carrier at any time with a single click.
Rate-limited and respectful
We throttle submissions per carrier based on historical agency baselines, so carriers see the same kind of traffic pattern a working team would generate. Rate limits are configured per-carrier and tuned over time. Relay never fires hundreds of concurrent submissions at a single portal, which is the behavior that gets real agencies flagged.
Self-healing, not brittle
When a carrier changes its portal UI, Relay's models detect the change and adapt the same day. No flaky scripts firing against a changed page. No broken runs piling up in carrier logs. No support tickets for your team to field. Self-healing is why carriers never see the same script hammering a dead selector over and over.
Credential Storage
How We Store Your Credentials
AES-256 Encryption
All carrier portal credentials are encrypted at rest using AES-256, the same standard used by banks and government agencies.
Zero Human Access
Your credentials are accessed only by our automation system. No Relay employee can view or retrieve your passwords.
Secure Credential Vault
Credentials are stored in an isolated vault with access logging. Every access is audited and traceable.
MFA Handling
How We Handle Multi-Factor Authentication
Many carrier portals require MFA. Our system handles MFA prompts programmatically where supported, and coordinates with your team for portals that require manual MFA approval. We never store MFA tokens beyond their valid session window.
Client Data Handling
How We Handle Your Client Data
Data in Transit
All data is encrypted in transit using TLS 1.2+. No client data is ever transmitted in plaintext.
Data at Rest
Client data processed during automation runs is encrypted at rest and retained only as long as needed to complete the workflow.
Data Minimization
We only access the data fields required for your specific automation workflows. No bulk data extraction, no data mining.
Data Deletion
When you offboard, all your data (credentials, client records, workflow configurations) is permanently deleted within 30 days.
Compliance
Standards & Compliance
SOC 2 Practices
We follow SOC 2 Type II security practices across our infrastructure, access controls, and monitoring.
HIPAA Awareness
For agencies handling health insurance, we maintain HIPAA-aware data handling practices.
State Regulations
We're built to support compliance with state-level insurance data handling requirements.
Regular Audits
Our security practices are regularly reviewed and updated to address emerging threats.
Cyber Liability Insurance
We carry comprehensive cyber liability insurance. Documentation available upon request.
Due Diligence
Questions to Ask Any Vendor
If you're evaluating any automation vendor, including us, ask these questions:
- Where are my credentials stored, and who can access them?
- Is my data encrypted at rest and in transit?
- What happens to my data if I cancel?
- How do you handle carrier portal MFA?
- Do you have a security incident response plan?
- Can you provide documentation of your security practices?
FAQ
Frequently Asked Questions
Can Relay employees see my carrier passwords?
No. Credentials are encrypted and accessed only by the automation system. No human can view them.
What happens if there's a security breach?
We have an incident response plan that includes immediate credential rotation, client notification within 24 hours, and full forensic investigation.
Do you sell or share my client data?
Never. Your data is yours. We don't sell, share, or use it for anything other than running your automations.
How do you handle carrier portal changes?
We monitor portals continuously. When changes occur, we update automations and re-validate security configurations.
What certifications do you have?
We follow SOC 2 Type II practices and maintain comprehensive security documentation available upon request.
Can I get a copy of your security documentation?
Yes. Contact us at hello@relayins.com and we'll share our security overview and practices documentation.
Will carriers block our agency for using Relay?
No. Relay runs inside your own portal sessions using your credentials. Carriers see normal agency traffic patterns because Relay is rate-limited to match how your team actually works. We have never had a portal lock out an agency using Relay.
Does Relay scrape carrier portals?
No. Relay does not scrape. It uses authenticated sessions in the same portal UIs your team uses, driven by a human-in-the-loop approval step. Nothing submits without your agent reviewing it first.
What happens if a carrier changes its portal UI?
Relay adapts automatically. Our self-healing models detect UI changes and adjust the same day, so there are no broken runs cluttering carrier logs and no support tickets for your team to handle.