Underwriters bet their books on the data we return. We built Relativity6 so sensitive business information is encrypted, access-controlled, and monitored—from the API request to long-term storage.
How we think about security
Four principles behind every control
01
Least privilege
People and systems only get the access they need to do their job—and nothing more.
02
Defense in depth
Identity, network, application, and data controls stack together so one gap does not become a breach.
03
Same rules everywhere
Security expectations are consistent across production, staging, and development—with rigor scaled to risk.
04
Always improving
We monitor, test, and tighten controls as the platform grows and the threat landscape shifts.
What we do in practice
How we protect your data end to end
From encryption and infrastructure hardening to how we write code and respond when something breaks—the details matter when you are putting underwriting decisions on our platform.
data protection
Data protection
Your data is encrypted on the wire and on disk, with secrets locked down outside application code.
TLS 1.2+ protects every customer-facing API, admin surface, and internal service call.
Databases, object storage, and backups are encrypted at rest by our cloud providers.
Credentials and API secrets live in managed secret stores—never in source code or browser bundles.
Modern API keys are verified with strong hashing; sensitive values are encrypted before they are stored.
Request and usage records are treated as confidential and restricted to authorized systems.
infrastructure
Infrastructure
Production runs on hardened cloud infrastructure with audit trails you can stand behind.
Core services run on AWS with network segmentation, security groups, and private connectivity.
Infrastructure ships through version-controlled pipelines—not ad hoc console changes.
Cloud audit logging and VPC flow logs preserve evidence for investigations.
Databases that hold customer data use backups and point-in-time recovery.
Latency, errors, and health signals feed centralized alerting so we catch issues early.
access control
Access control
Every human and machine identity is authenticated, authorized, and easy to revoke.
Platform sign-in uses enterprise-grade identity with organization roles and permissions.
API access is scoped to your organization, with quotas and usage tracking on every key.
Production cloud and code access follows least-privilege policies for Relativity6 staff.
Access is removed when roles change or people leave the company.
Administrative actions on organizations and keys are logged for accountability.
secure development
Secure engineering
Security is part of how we design, review, test, and ship—not a checklist at the end.
Code changes require peer review and automated checks before they merge.
We monitor dependencies for known vulnerabilities and patch on a defined cadence.
Secrets never belong in git; configuration is injected per environment at deploy time.
Production releases promote through controlled pipelines with environment isolation.
Customer APIs return only what underwriters need—no internal paths, vendor names, or debug noise.
incident response
Incidents & availability
When something goes wrong, we detect it fast, fix it, and tell you what happened.
Critical production alarms route to on-call engineers through our incident workflow.
Live service health and incident history are published on our public status page.
Security events are investigated with preserved logs and audit trails.
Reach us anytime at security@relativity6.com with concerns or responsible disclosure.
compliance
Compliance & privacy
A formal program keeps our controls current, evidenced, and ready for customer diligence.
Our security program is built around SOC 2 Trust Services Criteria.
Controls are monitored continuously and backed by policy, training, and evidence collection.
We handle personal and business data according to applicable privacy laws, including GDPR.
Need a security pack for procurement? Contact us—we can share documentation under NDA.
Get in touch
Questions about security?
Whether you need a security questionnaire answered, documentation under NDA, or want to report a vulnerability—we are here.
