Security built to clear enterprise SAP procurement.
FileRelay is on-prem across every operating model — never multi-tenant SaaS. Document content stays inside your network on Self-hosted and Managed on-prem, or inside a dedicated single-tenant environment we host for you. Credentials are encrypted per customer, every action is auditable, and our compliance roadmap is transparent.
Data residency
FileRelay is on-prem only — never multi-tenant SaaS. Document content stays within a single tenant: yours (Self-hosted, Managed on-prem) or a dedicated tenant we provide (FileRelay-hosted).
Per-customer encryption
Connector credentials and SAP passwords use envelope encryption with KMS-backed data keys, scoped per customer. Keys rotate without downtime.
Stateless routing
Document content is forwarded in-memory to your destinations. No durable copies on FileRelay nodes — only metadata and audit records persist.
Audit trail
Every document, routing decision, and credential change is logged with actor, timestamp, and outcome. Exportable for security and compliance reviews.
Security model by operating model
All three are on-prem — never multi-tenant SaaS. What differs is who owns the perimeter, who holds the keys, and who has runtime access. Use this when filling in your security questionnaire.
Self-hosted
Maximum control- Network boundary
- Your perimeter only
- Runtime operators
- Your ops team only
- Secret management
- Your KMS / Vault
- Audit log ownership
- You own and retain
Managed on-prem
Your perimeter · we operate- Network boundary
- Your VPC / cloud account
- Runtime operators
- Your team + named FileRelay SRE
- Secret management
- Your KMS / Vault (BYOK)
- Audit log ownership
- You own; we receive ops-only events
FileRelay-hosted
Dedicated single-tenant- Network boundary
- Dedicated infra we provide
- Runtime operators
- Named FileRelay SRE only
- Secret management
- FileRelay KMS, BYOK supported
- Audit log ownership
- You own; full export available
Same product, same isolation, same audit surface across all three. Choose the operator that matches your security policy and ops capacity — the threat model below applies to all of them.
Certifications & Standards
Click any cert to see what it is, who needs it, and where we stand.
GDPR
General Data Protection Regulation · European Union
What it is
EU regulation on lawful processing of personal data — covers data subject rights, breach notification, cross-border transfers, and lawful basis for processing.
Who cares
Any organisation processing personal data of EU residents — which in the SAP ArchiveLink context usually means HR documents, customer invoices, or supplier records.
Where we stand
GDPR-aligned data handling in place across all operating models. Data Processing Agreement (DPA) and Technical & Organisational Measures (TOMs) document available on request.
Placeholder set — final certifications will be confirmed before public launch.
Procurement & security review
FileRelay runs on-prem across every operating model, so the heavy lifting on encryption, threat boundaries, and incident response lives in the environment you (or we) operate. We share the rest under NDA.
Available on request, signed NDA:
- ·Threat model with in-scope / out-of-scope boundaries
- ·Encryption architecture (KMS choices, key rotation, BYOK)
- ·Incident response runbook + SLA targets
- ·DPA, TOMs, sub-processor list
- ·Security questionnaire (CAIQ-Lite or your template)
Contact [email protected] — we turn these around in 24-48h. PGP key on request.
Procurement or security review?
Send your security questionnaire or DPA template — we'll turn it around in 24-48 hours, including any deployment-specific details your team needs.