Security & compliance

SIMRelay handles verification codes, account-recovery messages, and other sensitive SMS. The security model is built around the assumption that one of these messages leaking is a breach. Here's what's in place.

Encryption

All traffic between you, our infrastructure, and our SMS providers is TLS-encrypted. SMS bodies are encrypted at rest in the database. Webhook payloads are signed (HMAC-SHA256) so your endpoint can verify they came from us. API keys are stored as hashes — we can't read your secret after you generate it, only verify it.
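The webhook signing described above only protects you if your endpoint actually checks the signature before acting on the payload. The following is an added example (not SIMRelay's own code) of how a receiving endpoint would do that: it recomputes HMAC-SHA256 over the raw request body with the shared webhook secret and compares it to the received value in constant time. The header name `X-SIMRelay-Signature`, the hex encoding of the signature, and the secret and sample payload are all assumptions constructed for the example; use the header name and secret from your own integration settings.

```python
import hashlib
import hmac

# Assumed for this example (not stated on the SIMRelay page): the signature is
# delivered in this header as lowercase hex of HMAC-SHA256 over the raw body.
SIGNATURE_HEADER = "X-SIMRelay-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 tag the sender would attach to `body`."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only if `headers` carries a valid signature for `body`.

    `body` must be the raw bytes as received. Re-serializing parsed JSON
    changes whitespace and key order and will not reproduce the tag.
    """
    received = None
    for name, value in headers.items():  # HTTP header names are case-insensitive
        if name.lower() == SIGNATURE_HEADER.lower():
            received = value
            break
    if not received:
        return False  # unsigned requests are rejected, never trusted by default

    expected = sign_payload(secret, body)
    try:
        # compare_digest runs in constant time; a plain == would leak the
        # position of the first mismatching byte through timing.
        return hmac.compare_digest(expected, received.strip().lower())
    except TypeError:
        # Raised if the header contains non-ASCII characters; treat as invalid.
        return False


# Constructed sample values for a stand-alone run (not real credentials).
WEBHOOK_SECRET = b"whsec_example_do_not_use"
SAMPLE_BODY = (
    b'{"event":"sms.received","number":"+15550000000",'
    b'"body":"Your verification code is 123456"}'
)


def demo() -> dict:
    """Exercise the verifier against a valid, a tampered and an unsigned request."""
    good_headers = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}
    tampered_body = SAMPLE_BODY.replace(b"123456", b"654321")
    return {
        "valid": verify_webhook(WEBHOOK_SECRET, SAMPLE_BODY, good_headers),
        "tampered": verify_webhook(WEBHOOK_SECRET, tampered_body, good_headers),
        "unsigned": verify_webhook(WEBHOOK_SECRET, SAMPLE_BODY, {}),
        "wrong_secret": verify_webhook(b"other-secret", SAMPLE_BODY, good_headers),
    }


if __name__ == "__main__":
    print(demo())
```

In a real handler, read the body bytes before any JSON parsing, run `verify_webhook` first, and return an error status on failure so a forged or modified payload never reaches the code that acts on the SMS content.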

Two-factor authentication

Built-in TOTP-based 2FA, enforceable on a per-user basis. Recovery codes are issued at enrollment. Admin-level operations (changing organization settings, removing teammates, releasing numbers) require recent 2FA verification even if you're already signed in.

Role-based access

Organizations have owners, admins, and members. Within an organization, teams scope access to specific hosted numbers. A teammate on the "support" team only sees the messages on numbers assigned to that team — they don't see traffic on the "finance" numbers, even if they're in the same organization.

Audit logging

Every SMS received, every lock acquired or released, every integration created, every team membership change, and every plan modification is captured in the audit log with the actor, target, and timestamp. Organization admins can browse the log in the dashboard or export it via API for compliance review.

SSO / SAML

Enterprise plans support SAML-based SSO. We support Okta, Microsoft Entra (Azure AD), Google Workspace, and any other IdP that speaks SAML 2.0. Domains can be verified and locked so that anyone signing up with an email at your domain is routed through your IdP automatically.

GDPR & data handling

SIMRelay is operated from the EU. SMS content is retained only as long as necessary to deliver and audit; you can configure shorter retention per organization. Data subject requests (export, deletion) are handled within statutory deadlines. We sign DPAs with paying customers on request. For specifics, see our privacy policy.