Keeping your Relay account secure

Keeping your money and data safe is our top priority. We’ve put together this list of security best practices for you, so you’re equipped to protect yourself online. Our Security team also works on security behind the scenes, and we would like to give you some peace of mind by sharing what we’re doing to protect your Relay account.

What you can do to improve account security

1. Create a different, strong password for every site you use, including Relay, and do not use the same (or a similar) format when creating a new password for other apps. A unique password is especially important for your banking app, and any other app used to manage money.
2. Two-factor authentication (2FA) is required for Relay accounts. If you have not logged in to Relay since 2FA was enforced, you will be prompted to do so the next time you log in. More details are here.
3. Set up biometric authentication (face/fingerprint ID), following the instructions outlined here, to further secure access to Relay from your mobile device.
4. Consistently review transactions and other account activity, like debit card creation, to identify unusual activity quickly. If you notice something suspicious, please reset your password and report it to our Customer Support Team at 1-888-205-9304 ASAP.
5. Set up email notifications to be alerted to account activity, like payments being sent. To set up notifications, in your Relay account go to Settings > Notifications. If you notice something suspicious, please reset your password and report it to our Customer Support Team at 1-888-205-9304 ASAP.
6. Regularly review your account sessions to identify any logins from unfamiliar devices or locations. Go to Settings > Session Activity to do so. If you notice suspicious activity,  please reset your password and report it to our Customer Support Team at 1-888-205-9304 ASAP.
7. Be vigilant against phishing attempts to access your Relay account. In a phishing attack, a hacker might pose as Relay to try and get you to share your login information. Relay will never ask you to share your phone number, password or 2FA code over social media. Our only login URL is https://app.relayfi.com/login. We’re @bankwithRelay and @relay.hq on Instagram, and we’re @bankwithrelay on Twitter, LinkedIn and Facebook. All other Relay accounts on these platforms are unauthorized and not managed by our team. And, we will only send you emails from @relayfi.com and @bankwithrelay.com domains.

How Relay keeps your account safe

1. Encryption. Relay employs industry-standard encryption to ensure secure and protected transmission of data. An AES-256-GCM encryption algorithm is used for data-at-rest encryption. We enforce TLS 1.2 or better, with Forward Secrecy for in-transit encyption.
2. State-of-the-art infrastructure. We consistently monitor our platform and log all points of access using CloudWatch and CloudTrail. Our Security team is immediately alerted to unusual behavior, and they follow an established, industry-standard procedure when responding to potential incidents.
3. Employee security. All Relay employees undergo background checking before joining the team, and they are required to complete security training after joining the team. Employee access to internal systems is managed through zero-trust tunnels, and all activity is logged and monitored. Additionally, we follow best security practices, such as the principle of least privilege, when it comes to employee mobile device management, virus protection and disk encryption.
4. Regular penetration tests. Relay regularly audits its systems to identify potential vulnerabilities. This is in addition to our vulnerability disclosure program, managed by HackerOne, that is continuously working to help us identify potential vulnerabilities. Learn more about this program below.

How Relay responds to and protects against fraud

1. Transaction monitoring. Relay locks accounts and notifies users when our transaction monitoring systems identify unusual or suspicious transactions that are outside of an account’s normal spending activity.
2. FDIC insurance. The Federal Deposit Insurance Corporation is a US government corporation that provides deposit insurance to commercial banks. Relay customers are ensured up to $250k per business through the FDIC.
3. Debit card controls. If a physical or virtual debit card is suspected to be compromised customers can immediately freeze and terminate the card in just a few seconds by logging into Relay and navigating to the Cards section. 

How to report a potential vulnerability

Relay partners with HackerOne to offer a vulnerability disclosure program. The invite-only program provides individuals with monetary rewards for safely disclosing potential privacy vulnerabilities in non-production environments. Our Security team follows an established procedure when responding to potential vulnerabilities disclosed through this program.

If you would like to join Relay’s vulnerability disclosure program, please let us know at security@relayfi.com.