Security at send0

Security is not a page.
It's the product.

We store raw customer messages — you deserve honesty about what we do with that access. Here's how send0 is architected, audited, and operated.

Last updated · April 2026

Practices

Eight things we do without being asked.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Every API request, every webhook, every database connection is encrypted end-to-end. No plaintext, no exceptions.

API keys are hashes

We never store raw API keys. Every key is hashed with SHA-256 the moment it's created — we can authenticate it, but we can't recover it. Rotate freely.

Role-based access

Workspace roles, scoped API keys (sk_live_, sk_test_, sk_restr_), IP allowlists, and two-factor authentication available for every user.

Isolated infrastructure

Per-tenant network segmentation, automated patching, continuous dependency scanning, and least-privilege IAM on every service account.

Audit log on every action

Every API call, dashboard change, and team membership change is logged. Exportable via API for customers who need to feed it into a SIEM.

Signed webhooks

Every webhook payload is signed with HMAC-SHA256 using a per-endpoint secret. Timestamps prevent replay. The SDK verifies it for you.
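For receivers that verify by hand rather than through the SDK, here is an added example of the general timestamped-HMAC pattern; it is not send0's own code. The signed-string layout (`timestamp.body`), the hex encoding, the 300-second window, and the function names are assumptions, since the page does not document the actual header format.

```python
import hashlib
import hmac
import time

# Assumed replay window; the page does not state the tolerance send0 uses.
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over timestamp AND raw body, so neither can be swapped."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp_header, signature_header, body: bytes,
           now=None) -> bool:
    """Receiver side: reject stale, malformed, or forged deliveries."""
    now = time.time() if now is None else now
    if not isinstance(signature_header, str):
        return False
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    # A captured request replayed outside the window fails here, and the
    # timestamp cannot be refreshed without the secret because it is signed.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign(secret, ts, body)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), signature_header.encode())


if __name__ == "__main__":
    # Constructed sample values, not real send0 secrets or payloads.
    secret = b"whsec_constructed_example"
    body = b'{"event":"message.delivered","id":"msg_123"}'
    ts = int(time.time())
    sig = sign(secret, ts, body)
    print("fresh delivery:", verify(secret, str(ts), sig, body))
    print("tampered body: ", verify(secret, str(ts), sig, body + b" "))
    print("replayed later:", verify(secret, str(ts), sig, body, now=ts + 3600))
```

Verify against the raw request bytes, before any JSON parsing or re-serialization. Within the tolerance window an identical delivery still verifies, so handlers should be idempotent.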

Data minimization

Message content is retained for delivery + telemetry then aged out. Hard caps and per-workspace retention controls available on every plan.

Responsible disclosure

Active bug bounty. We respond within 48 hours, fix within agreed SLAs, and credit researchers publicly in the changelog (with permission).

Compliance

Certifications on a realistic schedule.

We publish where we are, not where we wish we were. If your procurement team needs a specific control, email security@send0.dev.

SOC 2 Type II: In progress · 2026
GDPR: Compliant
HIPAA BAA: On request · Scale+
PCI DSS: Not in scope

Subprocessors

Every vendor who touches your data.

We notify you 30 days before adding or changing a subprocessor. No surprises, no quiet expansions.

Vendor | Purpose | Region
AWS | Primary compute + storage | us-east-1, eu-west-1
Cloudflare | DNS, CDN, DDoS protection | Global
Upstash | Redis cache + job queues | us-east-1, eu-west-1
Amazon SES | Upstream email transit (Phase 1) | us-east-1
Stripe | Billing and payments | Global
Sentry | Error tracking (redacted) | us-east-1

Responsible disclosure

Found something broken?
Tell us before the internet.

We run an active bug bounty, respond within 48 hours, and publicly credit responsible reporters in the changelog.

security@send0.dev
PGP key available on request.