BackOps AI
Vendor security review

Relay runs in a single-customer boundary. Your data stays yours.

Data leaves your firewall only through configured integrations, is encrypted in transit and at rest, is retained on schedules you control, and is never used to train models for other customers.

AICPA SOC for Service Organizations ISO 27001 Information Security Management, certified SOC 2 GDPRSupported

Risk and evidence

  • Single-customer isolated environment; no shared compute or data plane, so blast radius stays contained.
  • Customer data is never used for cross-customer model training.
  • Encrypted in transit and at rest, with traceable, auditable outcomes.
  • SOC 2 Type II and ISO 27001, GDPR support, and a maintained subprocessor list.
Data boundary

Where your data goes

Follow a request through Relay's pipeline. Each stop is labeled with where it runs; the AI model call is a single scoped step, and nothing acts until it clears the QA and approval gate. Select a stop for detail.

Architecture

The platform, mapped

The same pipeline as a system map: channels enter, the supervisor routes work to specialist agents inside your isolated environment, connected systems are reached through scoped integrations, and every task lands as a delivered response, an executed action, or a human escalation.

Request security review
Platform architecture map. Email, voice, chat, and SMS channels feed the Supervisor Agent, which classifies work and routes it, with SOP knowledge, to example specialist agents inside the isolated Relay platform. Agents exchange scoped data with connected systems: TMS/WMS, carrier portals, and customer data. Agents deliver customer responses, execute actions, or escalate to a human queue with full context.
Data and retention

What persists, for how long, under which controls

Request security review

Source systems stay customer-owned; Relay receives only the operational data a configured workflow needs. Default retention is 365 days and is configurable by request, including shorter windows such as 30 days.

Data class Examples Persists Default Configurable Protection
Customer messages Email, chat, SMS, voice transcript, ticket thread Yes 365 days Custom, incl. 30-day windows TLS in transit, AES-256 at rest, isolated environment
SOP knowledge Escalation rules, workflows, account-specific handling Yes Customer term Custom by agreement Customer-specific only; not used for cross-customer training
Operational telemetry Inquiry class, route, action result, resolution path Yes 365 days Custom by request PII masked before observability; least-privilege access
AI traces LLM call trace, agent input/output, prompt version Yes 365 days Custom by request Queryable audit trail, scoped prompts, output filtering
Approvals and feedback Dry-run approval, QA result, human rating, rejection reason Yes 365 days Custom by request Human review, version history, controlled channels
Isolation

One customer boundary, not a pooled plane

Each customer runs in a dedicated, isolated deployment. There is no shared customer data plane between deployments.

  • Dedicated compute and storage per customer
  • Allowlisted paths, least privilege, SSO/MFA
  • Action approval thresholds before high-impact work
AI processing

Model calls are scoped to the task

OpenAI, Anthropic, Gemini, and BackOps self-hosted models are used for scoped reasoning and drafting as part of service delivery.

OpenAI Anthropic Gemini BackOps Self Hosted
  • Customer data is not sold, licensed, or used to train models for other customers.
Controls

Technical controls for IT review

Encryption

TLS in transit, AES-256 at rest. Applied across the isolated customer environment.

Identity

Customer-controlled. SSO/MFA and least-privilege access to systems and actions.

Network

Configured egress only. Allowlisted network paths and per-workflow integration scoping.

Retention

365-day default. Configurable by request down to 30-day windows.

Hosting

US by default. EU region available for GDPR-sensitive deployments.

Governance

Dry-run and QA gates. Human approval thresholds with full audit traces.

Evidence

What a reviewer can verify

SOC 2 Type II

Certified for security, availability, and confidentiality controls.

ISO 27001

Information security management certification for vendor review.

GDPR support

US default hosting, EU region, and GDPR-aligned handling where applicable.

Subprocessors

Current list and details maintained for vendor-risk review.

Vulnerability program

Remediation SLAs, continuous dependency scanning, third-party pen testing.

AI governance

Model evaluation, monitoring, incident response, and human review thresholds.

Summary for your security team
Copied

BackOps Relay runs as a single-customer isolated environment. Data leaves the customer firewall only through configured integrations, is encrypted in transit and at rest, and is retained on a 365-day default schedule with custom retention available by request. OpenAI and Anthropic are used for scoped service delivery, never for cross-customer model training. Relay provides audit traces, QA gates, and action-approval thresholds, and holds SOC 2 Type II, ISO 27001, GDPR support, and a maintained subprocessor list.