Data Protection
Encryption, security policies and sensitive data management
Settings & Security
The Settings section centralizes all platform adjustments that control how Rela AI works for your organization: who can do what, how external systems connect, and how secure your account is. It is the system administrator's control panel.
What is it for?
Without proper role and permission configuration, any user could modify agent settings, delete assets, or change escalation rules — which can have serious operational consequences. The security configuration allows the administrator to define exactly what each person can do in the system.
Additionally, the integrations and API keys section is where external systems (ERPs, control systems, third-party platforms) connect securely.
Roles and permissions system
Rela AI uses a system of predefined roles with incremental permissions:
| Role | Access level |
|---|---|
| viewer | Read-only access to all modules. Ideal for managers who review reports but do not modify configuration. |
| operator | Everything in viewer + task and event management. For technicians and operators who work with daily tasks. |
| member | Everything in operator + agent, tool, and data management. For coordinators and advanced technicians. |
| admin | Everything in member + user and system configuration management. For platform administrators. |
| owner | Everything in admin + billing and advanced configuration. The primary account owner. |
Principle of least privilege
Assign each user the lowest role they need to do their job. A maintenance technician who only needs to view and update tasks should have the "operator" role, not "admin." This reduces the risk of accidental changes to critical configurations.
Granular permissions
Each role has specific permissions per module in read (view_*) and write/delete (manage_*) format:
| Module | Read permission | Write permission |
|---|---|---|
| Agents | view_agents | manage_agents |
| Tools | view_tools | manage_tools |
| Data | view_data | manage_data |
| Tasks | view_tasks | manage_tasks |
| Assets | view_assets | manage_assets |
| Users | view_users | manage_users |
| Settings | view_settings | manage_settings |
User management
To manage your organization's users:
- Go to Settings > Users (requires admin role or higher).
- View the list of all users with their current role.
- To change a user's role, click their name and select the new role.
- To deactivate a user, disable their account — the user cannot access the platform but their records and tasks are preserved.
- To invite a new user, click Invite User and enter their email. They will receive an invitation link.
API Keys — Integration with external systems
API Keys allow external systems (SCADA, ERP, custom applications) to connect to Rela AI without using a username and password.
Create an API Key
- Go to Settings > API Keys.
- Click New API Key.
- Assign a descriptive name (e.g., "SCADA North Plant," "SAP ERP Integration").
- Define the key's permissions — only those necessary for the integration.
- Copy the generated key and store it in a safe place. It cannot be viewed again after closing the window.
API Keys have the same permissions as a platform user. Never share an API Key with administrator permissions for integrations that only need to read data.
Revoke an API Key
If an API Key was compromised or is no longer needed, revoke it immediately:
- In the API Keys list, find the key to revoke.
- Click Revoke.
- The key is deactivated immediately — any system using it will no longer be able to connect.
Outgoing webhooks
Rela AI can send notifications to external systems when events occur (new alarm, task created, status changed):
- Go to Settings > Webhooks.
- Click New Webhook.
- Enter the destination URL of your system.
- Select the event types that will trigger the webhook.
- Define authentication headers if your system requires them.
Account security
Two-factor authentication (2FA)
Rela AI supports authentication with OTP codes (one-time codes) for added security. Configured at Settings > Security > Two-Step Verification.
SSO (Single Sign-On)
On Enterprise plans, it is possible to configure SSO with corporate identity providers (Okta, Azure AD, Google Workspace). Users access with their corporate credentials without creating an additional password. See SSO Configuration.
Session timeout
Configure how much inactivity time closes the session automatically. Recommended for shared workstations in industrial plants where screens may be left unattended.
Secure credential storage
Sensitive credentials (MQTT broker passwords, external API tokens, email service keys) are stored encrypted, never in plain text in the database. Encryption keys are automatically rotated every 90 days.
Key benefits
- Granular control of who can do what in each module
- Predefined roles that cover the most common use cases in industrial plants
- API Keys with limited permissions for secure integrations with external systems
- Immediate revocation of access when needed
- Complete record of all access and changes in the system audit trail
- SSO for companies with centralized identity management
Common use cases
Scenario 1: Initial role setup for a maintenance team When implementing Rela AI, the administrator assigns roles according to job functions: the 8 technicians receive the "operator" role (can view and update tasks), the 3 coordinators receive "member" (can configure agents and tools), the maintenance manager receives "admin" (can manage users), and management receives "viewer" (only consults reports and dashboard). Each person sees exactly what they need, without confusion or risk of accidental changes.
Scenario 2: Secure SCADA integration The plant's SCADA system needs to send events to Rela AI via API. An API Key is created with permissions only to write events (manage_events) and read assets (view_assets). The key is configured in the SCADA. If the SCADA is compromised, the API Key only has limited access — it cannot change configurations or delete data.
Scenario 3: Technician leaving the company A maintenance technician leaves the company. The administrator immediately deactivates their account in Rela AI. The technician can no longer access the platform, but all tasks and records of their work remain intact in the history — no information is lost, only access.
Session Inactivity Timeout
Authenticated sessions in conversations automatically expire after a period of inactivity and have an absolute 24-hour limit. This prevents a session from remaining open indefinitely.
Billing & Subscriptions
Rela AI plans, what each includes, how monthly usage is measured, and when it is time to move to a higher plan.