Security & compliance

Your customer data is a vault. Not a marketing asset.

SOC 2 Type II, GDPR-ready, ISO 27001, CCPA. Encrypted everywhere, access controlled, and stored under the laws you operate in. This page is the long version — short version: we treat data the way our enterprise customers' security teams expect.

  • SOC 2 Type II: audited annually
  • GDPR-ready: DPA available
  • ISO 27001: certificate on request
  • CCPA / CPRA: California compliant

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest.

Every byte of customer data is encrypted on the wire and on disk. Keys are rotated on a fixed schedule, managed in a dedicated key-management service, and never co-located with the data they protect.

  • TLS 1.3 for all client and server traffic
  • AES-256 for data at rest across primary and backup storage
  • Per-tenant encryption keys, rotated every 90 days
  • HSM-backed key management, dual-control rotation
  • Encrypted, geographically replicated backups

How a campaign's data is protected

  • a. In transit: TLS 1.3 · perfect forward secrecy
  • b. In memory: Process-isolated · zeroed on release
  • c. In the database: AES-256-GCM · per-tenant keys
  • d. In backup: Geo-replicated · 30d retention · encrypted
  • e. On key rotation: 90 days · zero-downtime · audit-logged

Granular access

Who can do what, on the record.

SSO, 2FA, role-based permissions, and an audit log for every action — including admin reads. Compliance reviewers can pull a full team activity export on demand.

a. SAML & OIDC SSO

Okta, Azure AD, Google Workspace, Auth0, and any SAML 2.0 / OIDC provider. SCIM for auto-provisioning.

b. Required 2FA

TOTP, hardware key, or recovery code. Admins can enforce 2FA across the workspace.

c. RBAC roles

Owner, admin, marketer, developer, viewer — or custom permission sets on Scale.

d. IP allow-listing

Restrict admin access to office or VPN ranges. Available on Growth and Scale.

Audit log — live preview
  • 14:32 UTC · send.start · campaign "Spring drop" · amelia@
  • 14:18 UTC · list.export · list_id=lst_3kQ · 12,408 rows · jordan@
  • 13:51 UTC · user.role_change · ruth@ → admin · amelia@
  • 13:44 UTC · api_key.create · key_id=key_7XPQ · scope=send · jordan@
  • 12:09 UTC · sso.login · idp=okta · ip=203.0.113.42 · amelia@
  • 11:48 UTC · data_export.request · subject=cust_8zT4 · support@

Data rights

Right to delete. Right to export. No questions asked.

Customers (yours or ours) can request a full data export or deletion at any time. We honor every request within 30 days.

1. Request

Submit a request via the API, dashboard, or DSAR endpoint. Identity verification handled automatically.

Same-day acknowledgement

2. Process

We gather every record tied to the subject across primary, backup, and search indexes. Audit-logged the whole way.

≤ 30-day SLA

3. Deliver

Export → encrypted bundle with manifest. Deletion → cryptographic wipe + suppression to prevent re-import.

Signed receipt

Always watching

24/7 monitoring, documented incident response.

Our infrastructure runs on hardened, dedicated servers with end-to-end isolation per tenant. Health checks, anomaly detection, and brute-force monitoring run continuously. Status and incidents are published in real time.

  • Uptime SLA: 99.95%. On Growth and Scale plans, measured monthly.
  • Backup retention: 30 days. Geo-replicated, encrypted, restorable in < 4h.
  • Incident page: < 15 min. From detection to public status update.
  • Pen testing: Annual. Third-party penetration tests + ongoing scanning.

Resources for reviewers

Everything your security team will ask for.

Standard documents, available on request after an NDA is in place. Reach out and we'll send everything in a single package.

Security overview (PDF)

Architecture, controls, sub-processors, data flows — the one-stop overview most reviewers start with.

SOC 2 Type II report

Most recent audited report. Sent under NDA — request via the contact form and we'll route it.

Data processing addendum

GDPR Article 28-aligned DPA, pre-signed. Add your details and counter-sign.


Have a tougher question? Ask it.

We answer security questionnaires from real humans, usually within one business day.

Talk to security