Security Policy

Last updated: March 2026

This Security Policy describes the technical and organisational measures Relate applies to protect personal data and business information processed through our services — RELATE AI, website development, and business advisory. These measures are designed to comply with the Privacy Protection Regulations (Data Security) 5777-2017 (Israel) and, where applicable, the security requirements of the GDPR. This policy supplements our Privacy Policy.

1. Scope

This policy applies to:

  • All systems, infrastructure, and software owned or operated by Relate.
  • Personal data and business data processed on behalf of clients through RELATE AI (conversation data, lead data).
  • Client data collected through our website (contact forms, scheduling, analytics).
  • Data handled by sub-processors acting under Relate’s instruction.

2. Data Classification

We classify data into three levels to apply proportionate controls:

Level | Examples | Controls
Public | Marketing content, published pages | Standard availability controls
Internal | Project files, client correspondence, invoices | Access controls, encryption at rest
Confidential | Personal data, API keys, credentials, conversation logs | Encryption in transit + at rest, strict access, audit logging

3. Technical Security Measures

3.1 Encryption

  • In transit: all data is transmitted over TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. WhatsApp Business API communications are end-to-end encrypted by Meta’s infrastructure.
  • At rest: sensitive data stored on our servers (databases, backups) is encrypted using AES-256 or equivalent.
  • Secrets management: API keys, credentials, and tokens are stored in environment variables or dedicated secret managers — never hardcoded in source code.

3.2 Access controls

  • Access to production systems is restricted to authorised personnel on a need-to-know basis.
  • All administrative access requires multi-factor authentication (MFA).
  • Passwords are hashed using bcrypt (minimum cost factor 12) or equivalent one-way algorithms. Plaintext passwords are never stored.
  • Access rights are reviewed and revoked promptly when a team member leaves or changes role.

3.3 Infrastructure

  • Servers are hosted with reputable cloud providers operating ISO 27001-certified data centres.
  • Firewall rules restrict inbound traffic to required ports and services only.
  • Automated vulnerability scanning is applied to dependencies and infrastructure.
  • Security patches are applied on a regular schedule; critical patches are applied as soon as practicable.

3.4 Application security

  • Web applications follow OWASP Top 10 secure coding practices, including protection against injection attacks, XSS, and CSRF.
  • Input validation and output encoding are applied at all user-facing interfaces.
  • Dependencies are kept up to date and audited for known vulnerabilities.
  • Session tokens are short-lived, stored in httpOnly cookies, and invalidated on logout.

3.5 Backups

  • Critical data is backed up automatically on a daily basis.
  • Backups are stored in a separate location from primary data, encrypted, and tested periodically for recoverability.
  • Backup retention periods are defined per service and aligned with our data retention policy.

4. Organisational Security Measures

  • Confidentiality obligations: all team members and contractors with access to client data are bound by confidentiality agreements.
  • Security awareness: team members handling personal data receive guidance on data protection and security practices.
  • Least-privilege principle: individuals are granted only the minimum access required to perform their role.
  • Sub-processor management: third parties who process personal data on our behalf are evaluated for security practices and are bound by data processing agreements with equivalent obligations.
  • Physical security: we do not operate physical server hardware; all infrastructure is hosted in professionally secured data centres.

5. RELATE AI — WhatsApp Security

RELATE AI processes customer conversations through the official WhatsApp Business API (Meta). The following additional considerations apply:

  • End-to-end encryption: WhatsApp messages are end-to-end encrypted by Meta’s platform between the end user and the WhatsApp Business API endpoint. Relate accesses message content only through the official API.
  • API credentials: WhatsApp Business API tokens and phone number IDs are stored as encrypted environment variables, never exposed in source code or logs.
  • Data minimisation: RELATE AI stores only the conversation data necessary to provide the service — customer messages, AI responses, and lead qualification data. Conversation data is retained per the terms agreed with each business client.
  • Human escalation: when conversations are escalated to a human agent, access is logged and limited to authorised team members of the business client.
  • Meta compliance: Relate operates in compliance with Meta’s WhatsApp Business API terms, including requirements around data handling, messaging policies, and opt-in practices.

6. Incident Response

6.1 Detection and response

We maintain procedures to detect, investigate, and respond to security incidents. Upon identifying a suspected breach, we will:

  1. Contain the incident to limit further exposure.
  2. Investigate the scope and nature of the breach.
  3. Remediate the root cause.
  4. Notify affected clients and, where required by law, the Privacy Protection Authority — within 72 hours where practicable.
  5. Document the incident, its impact, and corrective actions taken.

6.2 Notification obligations

Under the Privacy Protection Regulations (Data Security) 5777-2017, a personal data breach that is likely to pose a real risk of harm to individuals must be reported to the Privacy Protection Authority (PPA) and to affected individuals. We take these obligations seriously and will act promptly in such circumstances.

7. Vulnerability Disclosure

If you have discovered a security vulnerability in our services or website, we ask that you disclose it responsibly:

  • Email us at security@relate.co.il with a description of the issue.
  • Include sufficient detail to reproduce the vulnerability (steps, affected URL, screenshots or logs if available).
  • Do not access or modify data beyond what is necessary to demonstrate the issue.
  • Do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate (we aim to respond within 5 business days).

We appreciate responsible disclosure and will acknowledge your report. We do not currently operate a formal bug bounty programme.

8. Third-Party Sub-Processors

We use the following categories of sub-processors that may handle personal data:

  • Cloud infrastructure: hosting, compute, and storage providers operating in the EU or Israel.
  • WhatsApp Business API: Meta Platforms Ireland Limited — governed by Meta’s data processing terms.
  • Email delivery: transactional email services for sending notifications and onboarding emails.
  • Analytics: website analytics tools (cookieless or consent-gated where required).
  • Scheduling: meeting booking tools that may process name and email.

All sub-processors are selected based on their ability to meet security and data protection standards consistent with this policy. A full list of sub-processors is available on request.

9. Security Reviews

We conduct periodic reviews of our security posture including:

  • Review of access rights and permissions.
  • Dependency and vulnerability audits.
  • Review of incident logs and anomalies.
  • Assessment of sub-processor security practices.

This policy is reviewed at least annually or following any significant security incident or material change to our systems.

10. Contact

For security-related questions, vulnerability reports, or to request information about our security practices:

Relate

Israel

Email: security@relate.co.il