Leading the charge:
Sendmarc security and privacy

Security is at the core of what we do. Helping our partners and customers improve their security and compliance starts with solidifying our own.

Governance

Sendmarc’s security and privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.

We base Sendmarc’s security policies on these foundational principles

Security and compliance at Sendmarc

Sendmarc is ISO 27001 compliant.

Data protection

Data at rest

All datastores and databases are encrypted at rest using AES-256. Sensitive collections and tables also use row-level encryption, so a compromise of a single storage volume does not expose those fields in the clear.

Customer data is backed up in real time to a secondary, geo-redundant location.

Data in transit

Sendmarc uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also enable HSTS (HTTP Strict Transport Security) on our web properties so that browsers refuse to connect to them over plain HTTP.
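A quick way to verify a "TLS 1.2 or higher plus HSTS" claim is to pin the client-side TLS floor and check the served Strict-Transport-Security header for a long max-age and includeSubDomains. The following is an added example, not Sendmarc's own code; the header values in it are constructed, and the max-age threshold of one year is an assumption (it matches the common preload-list requirement).

```python
"""Added example (not from Sendmarc): enforce a TLS 1.2 floor on a client
context and validate a Strict-Transport-Security header value.
The header strings used for testing are constructed, not captured."""
import ssl


def make_tls12_client_context() -> ssl.SSLContext:
    """Return a client context that will not negotiate below TLS 1.2."""
    ctx = ssl.create_default_context()          # verifies certs and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit floor, independent of defaults
    return ctx


def tls_floor_is_at_least_12(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses TLS 1.0/1.1 (and SSLv3)."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def parse_hsts(header: str) -> dict:
    """Split an HSTS header into a {directive: value} map.

    Directive names are case-insensitive (RFC 6797); valueless directives
    such as includeSubDomains map to True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def hsts_is_strong(header: str, min_age: int = 31536000) -> bool:
    """Check an HSTS value for a sufficiently long max-age and includeSubDomains.

    min_age defaults to one year (assumed threshold). A missing or malformed
    max-age, or a max-age below the threshold, fails the check.
    """
    d = parse_hsts(header)
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return False  # absent, valueless, or non-numeric max-age
    return int(max_age) >= min_age and d.get("includesubdomains") is True


if __name__ == "__main__":
    # Constructed sample headers
    print(hsts_is_strong("max-age=63072000; includeSubDomains; preload"))  # True
    print(hsts_is_strong("max-age=300"))                                     # False
    print(tls_floor_is_at_least_12(make_tls12_client_context()))            # True
```

The context from make_tls12_client_context can be passed to any stdlib or third-party HTTP client that accepts an SSLContext; the HSTS check is meant to be run against the live response header and will also reject a header whose max-age is present but unparseable.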

Product security

Penetration testing

Sendmarc engages external, independent consulting firms to perform annual penetration testing.
All areas of the product and cloud infrastructure are in scope for assessment. Both black-box and white-box assessments are performed.
A summary of the most recent penetration test is available on request.

Vulnerability scanning

Sendmarc requires vulnerability scanning at key stages of our Software Development Life Cycle (SDLC), including:

Enterprise security

Endpoint protection

All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

Secure remote access

Sendmarc secures remote access to internal resources using a Zero Trust Architecture (ZTA) with least-privilege, role-based access control (RBAC).

Security education

Sendmarc provides security training to all employees at onboarding and annually thereafter through an educational module in our compliance management platform. All new engineers are taken through our secure development principles as well as our quality and security assurance guidelines.

Identity and access management

Sendmarc uses a central identity and access management system and enforces Multi-Factor Authentication (MFA) on all critical platforms.

Employees are granted access to applications based on their roles and are automatically deprovisioned when their employment ends. Any further access must be approved according to the policy set for each application.

Vendor security

Sendmarc assesses the security risk of all vendors. Vendors must meet minimum security requirements that scale with their access to customer and corporate data and their level of integration with production environments.

Information Security Policy

This document presents Sendmarc’s Information Security Policy and governs all information security procedures and processes.

Cybersecurity Control Audit

CY3Rn enables organizations to evaluate, handle, and supervise their cybersecurity risks and threats against global control standards. It evaluates the controls in place against frameworks such as NIST, ISO, and the CSF and produces a report on compliance with those standards.

Sendmarc performed a cybersecurity controls review in which forty foundational controls were assessed for the quality and maturity with which they are applied. This gives the company a measured result for how effectively its mitigations address threats and vulnerabilities.

Cy3rⁿ measured result: High resilience, meaning all controls are applied and/or score predominantly high for quality and maturity on most or all applied controls.

Most recent review: March 2023

Is your domain safe and compliant?
Find out today.