Leading the charge:
Sendmarc security and privacy

Security is at the core of what we do. Helping our partners and customers improve their security and compliance starts with solidifying our own.

Governance

Sendmarc’s security and privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.

We base Sendmarc’s security policies on these foundational principles

Security and compliance at Sendmarc

Sendmarc is currently undergoing SOC 2 Type II attestation and an ISO 27001 compliance. These certificates will be available soon.

Data protection

 

Data at rest

All datastores and databases are encrypted at rest using AES-256. Sensitive collections and tables also use row-level encryption.  

Customer data is backed up in real-time to a secondary, geo-redundant location.  

 

Data in transit

Sendmarc uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit.  

Product security

Penetration testing

Sendmarc engages external, independent consulting firms to perform annual penetration testing.
All areas of the product and cloud infrastructure are in scope for assessment. Both black- and white-box assessments are performed.
A summary of penetration testing is available on request.

Vulnerability scanning

Sendmarc requires vulnerability scanning at key stages of our Software Development Life Cycle (SDLC), including:

Enterprise security

 
Endpoint protection

All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

 
Secure remote access

Sendmarc secures remote access to internal resources using Zero-Trust Architecture (ZTA) and least-privilege, Role-Based Access Control (RBAC).

 
Security education

Sendmarc provides security training to all employees upon onboarding and annually through an educational module within our compliance management platform. All new engineers are taken through our secure development principles as well as quality and security assurance guidelines.

 
Identity and access management

Sendmarc uses a secure identity and access management system. We enforce the use of Multi-Factor Authentication (MFA) on all critical platforms.

Our employees are granted access to applications based on their roles and are automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.

 
Vendor security

Sendmarc assesses the security risk of all vendors. Vendors need to meet minimum security requirements based on access to customer and corporate data and integration levels with production environments.

Is your domain safe and compliant?
Find out today.