---
title: Security architecture
description: Relpin security boundaries for tenant isolation, secrets, auth, and audit trails.
section: Trust
sidebarLabel: Security architecture
order: 150
updated: "2026-06-11"
status: beta
llms: true
keywords:
  - security
  - tenant isolation
  - secrets
  - audit
---

Relpin is designed around private internal apps, tenant isolation, server-side secret handling, and auditable release paths.

## Tenant isolation

Tenant data access is scoped by organization and environment. App code should reach data through governed server-side paths, not by receiving raw credentials in browser or user-code surfaces.

## Secrets

Secrets, connector tokens, database credentials, and `secret_ref` values must stay out of browser-facing surfaces. App code can request governed actions; Relpin resolves the sensitive material server-side.

## Auth and permissions

Runtime access should require verified identity and explicit permission checks. Standard roles are presets, not the final authorization boundary for sensitive product surfaces.

## Audit

Important platform actions should be explicit, scoped, and auditable. Release promotion, app access, sensitive data actions, and admin operations should leave reviewable history.
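
The following is an added example, not Relpin's code or API. It shows how the tenant isolation, secrets, permission, and audit boundaries above can fit together in one server-side action path. All names (`run_action`, `Caller`, `GRANTS`, `SECRET_STORE`, the `crm.list_contacts` action) and all data are hypothetical and constructed, and identity is assumed to be verified before this code runs.

```python
from dataclasses import dataclass

# Constructed sample data; every name here is hypothetical, not Relpin's API.
SECRET_STORE = {("org_a", "prod", "secret_ref:crm_token"): "tok-constructed-123"}
GRANTS = {
    ("alice", "org_a", "prod"): {"crm.list_contacts"},
    ("bob", "org_b", "prod"): {"crm.list_contacts"},
}
ACTIONS = {"crm.list_contacts": "secret_ref:crm_token"}  # action -> secret it needs
AUDIT_LOG = []


@dataclass(frozen=True)
class Caller:
    user: str  # assumption: identity was verified upstream
    org: str
    env: str


class Denied(Exception):
    pass


def call_connector(action, token):
    """Stand-in for the outbound call; the token is used here and never returned."""
    return {"action": action, "rows": 2}


def run_action(caller, action):
    """Check permission, resolve the secret for the caller's scope, audit, return data only."""
    granted = GRANTS.get((caller.user, caller.org, caller.env), set())
    allowed = action in ACTIONS and action in granted
    record = {"user": caller.user, "org": caller.org, "env": caller.env,
              "action": action, "decision": "allow" if allowed else "deny"}
    AUDIT_LOG.append(record)  # denials are recorded as well as successes
    if not allowed:
        raise Denied(action)
    # The lookup key includes org and environment, so a secret_ref that exists
    # for one tenant cannot resolve for another tenant using the same name.
    token = SECRET_STORE.get((caller.org, caller.env, ACTIONS[action]))
    if token is None:
        record["decision"] = "deny"
        raise Denied("secret_ref not available in this scope")
    return call_connector(action, token)
```

The caller receives only the action result; neither the return value nor the audit record carries the resolved secret.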

## Open beta status

Relpin is in open beta. The security model is architecture-first, but public certifications are not claimed yet.
