How your Rezlynx token stays safe.
How Rezlynxpms handles the API tokens that authorise access to your Rezlynx tenancy, the encryption in transit and at rest, and the incident-response process behind the on-call rota.
1. Token handling
Your Rezlynx API token is stored in an AWS KMS-backed encrypted store. Only the modules on your account can decrypt it at runtime. Tokens rotate on your schedule; revoking the token in the Rezlynx portal takes every Rezlynxpms module offline within one minute.
2. Encryption
In transit: TLS 1.3 on every leg — user browser to Rezlynxpms, Rezlynxpms to Rezlynx API, Rezlynxpms to third-party integrations. Any leg that falls back to TLS 1.2 is logged and alerted; TLS below 1.2 is refused.
At rest: AES-256 for anything containing a Rezlynx token, guest identifier or payment reference. Backups in the Manchester warm-standby region encrypted with a separate KMS key.
3. Hosting
Production in AWS London (eu-west-2), warm standby in AWS Manchester (eu-west-2b), no data leaving the United Kingdom. Rezlynxpms Retail Ltd is registered with the Information Commissioner’s Office under reference ZB593471.
4. Incident response
The on-call rota is Ellie and Priya, paged via Opsgenie. Median acknowledgement 90 seconds, median mitigation 12 minutes. A public status page at status.rezlynxhub.co.uk lists every incident with acknowledgement, mitigation and resolution timestamps. Post-mortems for P1 incidents published within seven working days.
5. Vulnerability reporting
Please email security@rezlynxhub.co.uk with a short description. Response within one working day. No bug bounty in force, but a mention on the credits page for reproducible findings.