Security & trust.
Nitrosend sends email on behalf of businesses that trust us with their most valuable asset: their customer relationships. This page explains exactly how we protect that data, what we're certified for, what's in progress, and how to run your own security review of us.
We're a young company (founded in 2026, backed by Archangel and East End Ventures) built by a team with a long track record in email. Our founders previously built SmartrMail, an ESP that served 28,000+ businesses before being acquired. We've been responsible for other people's customer data for over a decade, and we built Nitrosend with that experience baked in from day one.
Compliance at a glance
| Framework | Status |
|---|---|
| GDPR (EU) | Compliant. DPA and SCCs available. |
| Australian Privacy Act 1988 & APPs | Compliant. |
| Anti-spam law (Spam Act, CAN-SPAM, CASL) | Enforced platform-wide: consent records, sender identification, one-click unsubscribe. |
| PCI DSS | Payments handled end-to-end by Stripe (PCI DSS Level 1). We never store card numbers. |
| SOC 2 Type II | In progress. All our cloud infrastructure providers are already SOC 2 certified. |
Where is your data stored?
All customer data lives on Amazon Web Services in the United States (us-east-1), inside a private network. AWS holds SOC 2, ISO 27001, and ISO 27017 certifications. Data is encrypted in transit with TLS and encrypted at rest. Backups are automated and encrypted.
How is the platform secured?
- Encryption everywhere. TLS for every connection, encryption at rest for databases and backups.
- Scoped API keys. Every API key is scoped to a single account and can be revoked instantly.
- OAuth 2.0. AI agent connections (MCP) authenticate via OAuth or scoped API keys, never shared passwords.
- Least-privilege access. Production access is restricted to the engineers who need it, with audit logging.
- Edge protection. All traffic passes through Cloudflare's WAF and DDoS mitigation.
- Continuous monitoring. Errors and anomalies are tracked in real time with alerting to the engineering team.
What happens to your data with AI?
Nitrosend is an AI-native platform, so we hold ourselves to a strict line here:
- Your data is never sold and never used for advertising.
- Your data is never shared with third parties to train their AI models.
- Our AI features call OpenAI and Anthropic through their APIs, which contractually do not train on API data. Both providers are SOC 2 certified.
Subprocessors
We keep our vendor list short and certified. Every subprocessor that touches customer data:
| Subprocessor | Purpose | Certifications |
|---|---|---|
| Amazon Web Services | Hosting, primary email delivery (SES) | SOC 2, ISO 27001 |
| Mailgun (Sinch) | Secondary email delivery | SOC 2 |
| Twilio | SMS delivery | SOC 2 |
| Stripe | Payments | PCI DSS Level 1, SOC 2 |
| Cloudflare | DNS, WAF, DDoS protection | SOC 2, ISO 27001 |
| Vercel | Frontend hosting | SOC 2 |
| OpenAI | AI features (API, no training) | SOC 2 |
| Anthropic | AI features (API, no training) | SOC 2 |
| Sentry | Error monitoring | SOC 2 |
| PostHog | Product analytics | SOC 2 |
Running a security review of Nitrosend
If your security or compliance team needs to assess us before you migrate, we make that easy:
- Vendor security questionnaires. Send yours to [email protected] and we'll complete it properly.
- Data Processing Agreement. We sign DPAs covering GDPR and Australian Privacy Act obligations.
- Direct access. For deeper reviews, we'll put our engineering team in front of yours.
Responsible disclosure
Found a vulnerability? Email [email protected]. We respond within 2 business days, we won't take legal action against good-faith research, and we credit researchers who report responsibly.
Dig deeper
- GDPR compliance: how we meet GDPR obligations and help you meet yours
- SOC 2: where our certification is up to and what's true today
- Privacy policy: the full legal detail
- Terms of service
Frequently asked questions
Is Nitrosend SOC 2 certified?
Certification is in progress. All of our cloud infrastructure is already SOC 2 certified, and we complete vendor questionnaires and sign DPAs in the meantime. Full detail on our SOC 2 page.
Is Nitrosend GDPR compliant?
Yes. You stay the data controller, we process on your behalf, and we support the full set of data subject rights. Full detail on our GDPR page.
Where is my data hosted?
On AWS in the United States (us-east-1), encrypted in transit and at rest, with Standard Contractual Clauses covering international transfers.
Is my data sold or used to train third-party AI models?
No. Your data is never sold and never shared with third parties to train their models. Our AI providers (OpenAI and Anthropic) access data via their APIs under no-training terms.
Can I get a DPA?
Yes. Email [email protected].
Contact
Nitrosend Pty Ltd
Security & compliance: [email protected]
General: [email protected]