Security & trust.

Last updated: 12 June 2026

Nitrosend sends email on behalf of businesses that trust us with their most valuable asset: their customer relationships. This page explains exactly how we protect that data, what we're certified for, what's in progress, and how to run your own security review of us.

We're a young company (founded in 2026, backed by Archangel and East End Ventures) built by a team with a long track record in email. Our founders previously built SmartrMail, an ESP that served 28,000+ businesses before being acquired. We've been responsible for other people's customer data for over a decade, and we built Nitrosend with that experience baked in from day one.

Compliance at a glance

FrameworkStatus
GDPR (EU)Compliant. DPA and SCCs available.
Australian Privacy Act 1988 & APPsCompliant.
Anti-spam law (Spam Act, CAN-SPAM, CASL)Enforced platform-wide: consent records, sender identification, one-click unsubscribe.
PCI DSSPayments handled end-to-end by Stripe (PCI DSS Level 1). We never store card numbers.
SOC 2 Type IIIn progress. All our cloud infrastructure providers are already SOC 2 certified.

Where is your data stored?

All customer data lives on Amazon Web Services in the United States (us-east-1), inside a private network. AWS holds SOC 2, ISO 27001, and ISO 27017 certifications. Data is encrypted in transit with TLS and encrypted at rest. Backups are automated and encrypted.

How is the platform secured?

What happens to your data with AI?

Nitrosend is an AI-native platform, so we hold ourselves to a strict line here:

Subprocessors

We keep our vendor list short and certified. Every subprocessor that touches customer data:

SubprocessorPurposeCertifications
Amazon Web ServicesHosting, primary email delivery (SES)SOC 2, ISO 27001
Mailgun (Sinch)Secondary email deliverySOC 2
TwilioSMS deliverySOC 2
StripePaymentsPCI DSS Level 1, SOC 2
CloudflareDNS, WAF, DDoS protectionSOC 2, ISO 27001
VercelFrontend hostingSOC 2
OpenAIAI features (API, no training)SOC 2
AnthropicAI features (API, no training)SOC 2
SentryError monitoringSOC 2
PostHogProduct analyticsSOC 2

Running a security review of Nitrosend

If your security or compliance team needs to assess us before you migrate, we make that easy:

Responsible disclosure

Found a vulnerability? Email [email protected]. We respond within 2 business days, we won't take legal action against good-faith research, and we credit researchers who report responsibly.

Dig deeper

Frequently asked questions

Is Nitrosend SOC 2 certified?

Certification is in progress. All of our cloud infrastructure is already SOC 2 certified, and we complete vendor questionnaires and sign DPAs in the meantime. Full detail on our SOC 2 page.

Is Nitrosend GDPR compliant?

Yes. You stay the data controller, we process on your behalf, and we support the full set of data subject rights. Full detail on our GDPR page.

Where is my data hosted?

On AWS in the United States (us-east-1), encrypted in transit and at rest, with Standard Contractual Clauses covering international transfers.

Is my data sold or used to train third-party AI models?

No. Your data is never sold and never shared with third parties to train their models. Our AI providers (OpenAI and Anthropic) access data via their APIs under no-training terms.

Can I get a DPA?

Yes. Email [email protected].

Contact

Nitrosend Pty Ltd
Security & compliance: [email protected]
General: [email protected]