Security

How your Rezlynx token stays safe.

How Rezlynxpms handles the API tokens that authorise access to your Rezlynx tenancy, the encryption in transit and at rest, and the incident-response process behind the on-call rota.

1. Token handling

Your Rezlynx API token is stored in an AWS KMS-backed encrypted store. Only the modules on your account can decrypt it at runtime. Tokens rotate on your schedule; revoking the token in the Rezlynx portal takes every Rezlynxpms module offline within one minute.

2. Encryption

In transit: TLS 1.3 on every leg — user browser to Rezlynxpms, Rezlynxpms to Rezlynx API, Rezlynxpms to third-party integrations. Any leg that falls back to TLS 1.2 is logged and alerted; TLS below 1.2 is refused.

At rest: AES-256 for anything containing a Rezlynx token, guest identifier or payment reference. Backups in the Manchester warm-standby region encrypted with a separate KMS key.

3. Hosting

Production in AWS London (eu-west-2), warm standby in AWS Manchester (eu-west-2b), no data leaving the United Kingdom. Rezlynxpms Retail Ltd is registered with the Information Commissioner’s Office under reference ZB593471.

4. Incident response

The on-call rota is Ellie and Priya, paged via Opsgenie. Median acknowledgement 90 seconds, median mitigation 12 minutes. A public status page at status.rezlynxhub.co.uk lists every incident with acknowledgement, mitigation and resolution timestamps. Post-mortems for P1 incidents published within seven working days.

5. Vulnerability reporting

Please email security@rezlynxhub.co.uk with a short description. Response within one working day. No bug bounty in force, but a mention on the credits page for reproducible findings.