Trust Center
Security, compliance, and data handling at SpoofSentry. We build enterprise-grade controls so you can trust us with your email security.
- System Status: Real-time component health and uptime
- Procurement Pack: DPA, security overview, and questionnaires
- Report a Vulnerability: Responsible disclosure program
Security Controls
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption at rest (GCP managed keys)
- Fernet encryption for sensitive fields
- Channel binding on database connections
Authentication
- OIDC and SAML 2.0 SSO
- SCIM 2.0 automated provisioning
- MFA / TOTP with recovery codes
- WebAuthn / passkey support
- Magic link passwordless login
- IP allowlist per tenant
Authorization
- 127 granular RBAC permissions
- 51 row-level security (RLS) policies
- API key scoping with rate limits
- Privileged access management (PAM)
- Two-person approval for critical actions
Audit & Monitoring
- 60+ audit event types
- Tamper-evident audit trail
- SIEM integration (Splunk, Elastic, Sentinel, Datadog)
- Real-time security event forwarding
- Exportable audit logs for compliance
Tenant Isolation
- Row-level security at database layer
- Tenant-scoped API keys and sessions
- Cross-tenant protection middleware
- VPC-scoped network egress
- Separate MSSP/customer RBAC roles
Infrastructure
- Google Cloud Run (serverless, auto-scaling)
- Cloudflare WAF with OWASP ruleset
- DDoS protection at edge
- Non-root containers with read-only filesystem
- Secret Manager for all credentials
- Automated secret rotation monitoring
Compliance Frameworks
SpoofSentry generates compliance evidence bundles for these frameworks. Enterprise customers can export evidence directly from the platform.
| Framework | Status |
|---|---|
| SOC 2 Type II | Evidence available |
| ISO 27001 | Evidence available |
| NIST CSF | Evidence available |
| PCI-DSS v4.0 | Evidence available |
| HIPAA | BAA available |
| CISA BOD 18-01 | Evidence available |
| NIS2 | Evidence available |
| Australia SMB1001 | Evidence available |
Data Handling
| Item | Detail |
|---|---|
| Primary Region | US (GCP us-central1, Neon us-east-1) |
| Data at Rest | AES-256 encrypted (Google-managed keys) |
| Data in Transit | TLS 1.3 with channel binding |
| Retention (Free) | 7 days |
| Retention (Protect) | 30 days |
| Retention (Enforce) | 90 days |
| Retention (Enterprise) | 365 days |
| Data Export | Full account export via API (GDPR Art. 15/20) |
| Data Deletion | Account deletion with audit log preservation |
| Backup | Neon 7-day PITR + GCS object versioning |
Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Application hosting, compute, storage | US (us-central1) |
| Neon | PostgreSQL database | US (us-east-1) |
| Cloudflare | CDN, DDoS protection, WAF | Global edge |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
| Anthropic | AI-powered sender classification (optional) | US |
Last updated: April 2026. Changes to this list are communicated to affected customers 30 days in advance.
Security Contact
To report a vulnerability or request security documentation:
[email protected]