Compliance & Data Governance
Relay Cloud includes built-in tools for SOC2, GDPR, and enterprise compliance requirements.
Audit Logging
Every action in Relay is logged with:
- Who — User ID and name
- What — Action type (e.g., key.rotated, member.invited)
- When — Timestamp
- Where — IP address
- Context — Related resource and properties
View audit logs in Organization → Activity.
Immutable Audit Trail
Audit log entries are cryptographically chained using SHA-256 hashing. Each entry includes the hash of the previous entry, creating a tamper-evident Merkle chain.
Verify chain integrity:
php artisan relay:verify-audit-chain
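An added illustration of the chaining described above, not Relay's own code: a minimal SHA-256 hash chain with a verifier that reports where the chain breaks. The field names, the canonical-JSON serialization, the all-zero genesis value, and the `expected_head` parameter are assumptions; the sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(chain, **fields):
    """Append an entry that commits to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {**fields, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    chain.append(entry)


def verify_chain(chain, expected_head=None):
    """Return (index, problem) tuples; an empty list means the chain is intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != prev:
            problems.append((i, "broken link"))       # entry removed or reordered
        if entry.get("hash") != entry_hash(entry):
            problems.append((i, "content mismatch"))  # entry edited in place
        prev = entry.get("hash")
    if expected_head is not None and prev != expected_head:
        problems.append((len(chain) - 1, "head mismatch"))  # tail cut or chain rebuilt
    return problems


def build_sample():
    """Constructed sample entries using the action types named on this page."""
    chain = []
    append(chain, actor="u_1", action="key.rotated", at="2024-01-01T10:00:00Z", ip="192.0.2.10")
    append(chain, actor="u_2", action="member.invited", at="2024-01-01T10:05:00Z", ip="192.0.2.11")
    append(chain, actor="u_1", action="key.rotated", at="2024-01-02T09:00:00Z", ip="192.0.2.10")
    return chain
```

Chaining alone does not reveal removal of the newest entries or a full recomputation of the chain; comparing against a head hash recorded outside the log covers both.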
SOC2 Controls
Track SOC2 compliance from the admin dashboard:
| Control | Description | Automated Check |
|---|---|---|
| CC6.1 | Logical access controls | User roles and permissions |
| CC6.2 | Authentication mechanisms | 2FA enforcement check |
| CC6.6 | Encryption in transit | TLS/HTTPS verification |
| CC6.7 | Encryption at rest | Laravel encryption check |
| CC7.1 | Monitoring | Anomaly detection status |
| CC7.2 | Incident response | Incident workflow check |
| CC8.1 | Change management | Change request workflow |
GDPR Compliance
Data Subject Requests
Handle GDPR data subject requests:
- Export — Download all data for a user/connection identifier
- Delete — Remove all data for a subject
- Restrict — Limit processing of a subject's data
All requests have a 30-day deadline tracker.
Data Retention Policies
Configure per-data-type retention:
event_logs: orders-* → 90 days, delete
event_logs: analytics-* → 7 days, delete
traces: * → 30 days, archive
audit_logs: * → 365 days, archive
Retention policies run daily at 3:00 AM.
Compliance Event Tagging
Tag events with compliance classifications:
- pii — Personally Identifiable Information
- phi — Protected Health Information
- pci — Payment Card Industry data
Tagged events get stricter retention and access controls.
Organization Policies
Set security baselines across all apps:
| Policy | Description |
|---|---|
| Minimum key rotation | Require keys rotated every N days |
| Require 2FA | All team members must enable 2FA |
| Require IP allowlist | All apps must have IP restrictions |
| Max token lifetime | API tokens expire after N days |
| Require schemas | All apps must have channel schemas |
| Session timeout | Auto-logout after N minutes |
Break-Glass Access
For emergency situations, authorized users can activate break-glass access:
- Provide mandatory justification
- Access is time-limited (default 60 minutes)
- All actions are logged
- Post-access review is required
Only the Owner role can activate break-glass access.
Change Approval Workflow
Require two-person approval for destructive actions:
- Key rotation
- App deletion
- Plan downgrade
- Member removal
- Secret export
- Disabling 2FA
The requester submits a change request; a second admin must approve before the action is executed.
Data Export
Export all data for external analysis or compliance:
| Destination | Format |
|---|---|
| AWS S3 | JSON, Parquet, CSV |
| Google BigQuery | JSON |
| Snowflake | JSON |
| Kafka | JSON, Avro |
| Elasticsearch | JSON |
Configure export pipelines in app settings → Data Export.