Sendmarc is ISO 27001 compliant.
All datastores and databases are encrypted at rest using AES-256. Sensitive collections and tables also use row-level encryption.
Customer data is backed up in real-time to a secondary, geo-redundant location.
Sendmarc uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit.
Sendmarc engages external, independent consulting firms to perform annual penetration testing.
All areas of the product and cloud infrastructure are in scope for assessment. Both black- and white-box assessments are performed.
A summary of penetration testing is available on request.
Sendmarc requires vulnerability scanning at key stages of our Software Development Life Cycle (SDLC), including:
All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
Sendmarc secures remote access to internal resources using Zero-Trust Architecture (ZTA) and least-privilege, Role-Based Access Control (RBAC).
Sendmarc provides security training to all employees upon onboarding and annually through an educational module within our compliance management platform. All new engineers are taken through our secure development principles as well as quality and security assurance guidelines.
Sendmarc uses a secure identity and access management system. We enforce the use of Multi-Factor Authentication (MFA) on all critical platforms.
Our employees are granted access to applications based on their roles and are automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.
Sendmarc assesses the security risk of all vendors. Vendors need to meet minimum security requirements based on access to customer and corporate data and integration levels with production environments.
