Security FAQ

Written By Simon from Replaiy

Last updated About 1 month ago

Replaiy B.V.
Last updated: May 7, 2026
Version 1.1

1. Introduction

This Security FAQ describes the technical and organizational measures Replaiy B.V. ("Replaiy") applies to protect Customer Data and the integrity of the Services. It is intended to give Customers, prospects, and security teams a clear overview of how we operate.

This FAQ supplements our Privacy Policy, Data Processing Agreement (Annex II), and Subprocessors page. For specific questions not covered here, please contact dpa@replaiy.ai.

2. Hosting and Infrastructure

Where is Replaiy hosted?

Replaiy's application and database are hosted on Railway, in the EU-West region (Amsterdam, the Netherlands). Profile pictures and company logos are stored on Cloudflare R2 in the WEUR region (typically Amsterdam, Frankfurt, or Paris). All primary data processing takes place within the European Union.

Where are backups stored?

Backups are stored within the European Union, with redundancy across availability zones. Backup data is retained for up to 35 days following the deletion of primary data.

Do you use any non-EU infrastructure?

Operational data is processed in the EU. Specific Subprocessors (e.g., AI Providers, LinkedIn) may process data outside the European Economic Area under SCCs and supplementary safeguards. See our Subprocessors page for details.

3. Encryption

Is data encrypted in transit?

Yes. All data exchanged between clients (browsers, mobile devices) and our Services is encrypted using TLS 1.2 or higher with industry-standard cipher suites.

Is data encrypted at rest?

Yes. Customer Data, including conversation content and authentication tokens, is encrypted at rest using AES-256.

How are LinkedIn authentication tokens protected?

LinkedIn authentication tokens (managed via Unipile) are stored encrypted at rest. Access is restricted to the application services that need them, with audit logging.

4. Access Control

Who has access to Customer Data inside Replaiy?

Access is granted on a strict need-to-know basis using role-based access control (RBAC). Only a limited number of authorized personnel have production access, and that access is logged and reviewed.

Do employees use multi-factor authentication?

Yes. Multi-factor authentication is mandatory for all employee accounts that have access to production systems, code repositories, or business-critical tools.

Can Users enable multi-factor authentication?

Yes. Multi-factor authentication is available to all Users and is strongly recommended.

What is your password policy?

We enforce a strict password policy, including minimum length and complexity requirements, secure hashing using industry-standard algorithms, and protections against credential stuffing and brute-force attacks.

5. AI and Data Handling

Which AI Providers do you use?

We access large language models exclusively through OpenRouter. Current providers are Anthropic (Claude), xAI (Grok), and Google (Gemini). The full list is maintained on our Subprocessors page.

Do AI Providers train on our data?

No. Replaiy configures its OpenRouter integration with Zero Data Retention (ZDR) for all AI Provider calls. Prompts and outputs are not retained or used for training by AI Providers.

Does Replaiy train on our data?

Only when a User has explicitly opted in (per LinkedIn account) and the workspace administrator has not disabled the feature. Even then, personal identifiers (names, emails, employer names, phone numbers, URLs) are stripped before any data enters the training pipeline. The opt-in is off by default. See our AI Policy for details.

Where is AI inference performed?

Inference requests are routed via OpenRouter to AI Providers. Specific provider locations are listed on the Subprocessors page. Transfers outside the EEA are governed by SCCs and supplementary measures.

Does Replaiy train AI models on Google Workspace user data?

No. Replaiy does not train, fine-tune, or otherwise improve any AI model using Google Workspace user data, including data accessed through Google Workspace APIs such as Google Calendar. Google Workspace data is processed solely to provide the requested integration functionality (e.g., scheduling) and is excluded from the AI Model Improvement opt-in described in our AI Policy.

6. Application Security

How is your code reviewed?

All code changes are subject to peer review before merging into production branches. Security-relevant changes receive additional review.

Do you scan for vulnerabilities?

Yes. We monitor dependencies for known vulnerabilities and apply updates promptly. We perform regular vulnerability scans of our infrastructure and address findings according to severity.

Do you perform penetration tests?

Replaiy conducts internal security reviews and engages third-party assessments for major releases or upon Customer request. Summary findings can be made available under NDA.

How do you handle secrets and API keys?

Secrets and API keys are stored in dedicated secrets managers, encrypted at rest, never committed to source control, and rotated periodically.

7. Network and Infrastructure Security

How do you segment environments?

Production, staging, and development environments are isolated. Production access is restricted to authorized personnel and audited.

Do you monitor for abnormal activity?

Yes. We have continuous monitoring and alerting for unusual access patterns, error rates, and potential security incidents.

Do you perform backups and disaster recovery testing?

Yes. Automated backups run on a regular schedule, retained within the EU, and disaster recovery procedures are documented and tested.

8. Personnel and Organizational Security

Are employees trained in data protection and security?

Yes. All employees with access to Customer Data complete onboarding training in data protection, security, and confidentiality. Training is refreshed periodically.

Do employees sign confidentiality agreements?

Yes. All employees and contractors are bound by confidentiality obligations, both during and after their engagement with Replaiy.

How do you handle offboarding?

Access is revoked promptly upon termination of employment or contract. Devices are wiped or returned, and credentials are rotated where applicable.

9. Incident Response

What is your incident response process?

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.

How quickly do you notify Customers of a Personal Data Breach?

We notify affected Customers without undue delay, and where feasible within 72 hours, of becoming aware of a Personal Data Breach. Notifications include known facts about the breach, likely consequences, and mitigation measures, in line with Article 33 GDPR.

Do you cooperate with supervisory authorities?

Yes. Where required, we cooperate with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and other competent supervisory authorities.

10. Compliance and Certifications

Are you GDPR-compliant?

Yes. We are established in the Netherlands and operate in compliance with the GDPR and the Dutch Implementation Act (Uitvoeringswet AVG).

Are you AI Act-compliant?

Yes. The Services are designed as a limited-risk AI system under the EU AI Act. We implement applicable transparency obligations and prohibit high-risk and prohibited use cases. See our AI Policy.

Do you have ISO 27001, SOC 2, or similar certifications?

We are progressing toward formal information security certifications. In the meantime, our security controls are aligned with industry best practices, and we make documentation available to Customers under NDA.

Do you sign DPAs?

Yes. Our standard DPA is published and incorporated by reference into our Terms of Service. A signed counterpart is available on request to legal@replaiy.ai.

11. Data Lifecycle

Where can Customers find data retention information?

Detailed retention periods are set out in Section 7 of our Privacy Policy.

How can Customers export their data?

Export tools are available within the Services. Upon termination, Customers have a 30-day window to export data before deletion or anonymization.

How is data deleted?

After the applicable retention period or upon termination, data is deleted or irreversibly anonymized, except where retention is required by law (e.g., billing records under Dutch tax law).

12. Customer Responsibilities

Customers play a critical role in keeping data secure. We strongly recommend:

  • Enabling multi-factor authentication for all Users.

  • Using strong, unique passwords.

  • Limiting User access to those who need it.

  • Reviewing audit logs and account activity.

  • Reporting suspicious activity to dpa@replaiy.ai immediately.

13. Reporting Security Issues

If you believe you have discovered a security vulnerability in the Services, please report it to dpa@replaiy.ai. We appreciate responsible disclosure and will respond promptly.

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.

14. Updates to This FAQ

We may update this Security FAQ from time to time as our practices evolve. The "Last updated" date at the top reflects the most recent revision.

15. Contact

Replaiy B.V.
Bovenkamp 7A
1391 LH Abcoude
The Netherlands
Email: dpa@replaiy.ai (data protection and security), legal@replaiy.ai (contractual matters)
Web: https://replaiy.ai